Hello!

Taking advantage of the email, I tried to make an LDAP query with TLS and I had an error.

Version: Samba 4.4.4

samba-tool testparm -v --suppress-prompt | grep tls
    ldap ssl = start tls
    tls cafile = tls/ca.pem
    tls certfile = tls/cert.pem
    tls crlfile
    tls dh params file
    tls enabled = Yes
    tls keyfile = tls/key.pem
    tls priority = NORMAL:-VERS-SSL3.0
    tls verify peer = as_strict_as_possible

ldapsearch -U USER -h ldaps://localhost -p636 -w PASS -b dc=internal,dc=test,dc=com,dc=br -s sub '(objectClass=user)' givenName -LLL -n -N -Z
ldap_start_tls: Connect error (-11)
    additional info: (unknown error code)
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
    additional info: (unknown error code)

What would be wrong?

On 11-01-2017 14:39, Rowland Penny via samba wrote:
> On Wed, 11 Jan 2017 11:09:15 -0500
> Matthew Daubenspeck via samba <samba@lists.samba.org> wrote:
>
>> I'm using a Samba4 ADDC and just noticed that the SSL that was created
>> at install time is about to expire. Is there something Samba specific
>> to create a new certificate, or should I manually create a new one
>> using openssl?
>>
>> Thanks!
>>
> Have a look here:
> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_%28LDAPS%29_on_a_Samba_AD_DC
>
> Rowland
Probably ldapsearch is refusing to connect to the server because the certificate does not match the name localhost. Run ldapsearch again with -d2 to see the reason for the failure.

On 11/01/2017 15:14, Carlos A. P. Cunha via samba wrote:
> ldapsearch -U USER -h ldaps://localhost -p636 -w PASS -b
> dc=internal,dc=test,dc=com,dc=br -s sub '(objectClass=user)' givenName -LLL -n -N -Z
> ldap_start_tls: Connect error (-11)
> additional info: (unknown error code)
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: (unknown error code)
>
> What would be wrong?

--
Vinicius Silva
You also forgot to use -x for a simple bind.

On 11/01/2017 15:14, Carlos A. P. Cunha via samba wrote:
> ldapsearch -U USER -h ldaps://localhost -p636 -w PASS -b
> dc=internal,dc=test,dc=com,dc=br -s sub '(objectClass=user)' givenName -LLL -n -N -Z
> ldap_start_tls: Connect error (-11)
> additional info: (unknown error code)
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: (unknown error code)

--
Vinicius Silva
On 11/01/2017 17:14, Carlos A. P. Cunha wrote:
> ldapsearch -U USER -h ldaps://localhost -p636 -w PASS -b
> dc=internal,dc=test,dc=com,dc=br -s sub '(objectClass=user)' givenName
> -LLL -n -N -Z
> ldap_start_tls: Connect error (-11)
> additional info: (unknown error code)
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: (unknown error code)
>
> What would be wrong?

You are trying to do two mutually-exclusive things at the same time.

(1) An ldaps:// URL means that TLS is negotiated as soon as the TCP connection is established, before any LDAP operation takes place. This happens on port 636.

(2) The -Z flag means "use the STARTTLS extension to the LDAP protocol to request TLS". You only ever use this on port 389. The normal LDAP connection is established, *then* the STARTTLS message is sent, *then* TLS is negotiated.

The difference between ldaps (636) and ldap (389) is the same as the difference between https (443) and http (80).

To check if your Samba is listening on port 636, use:

    netstat -natp | grep :636

and look for LISTEN.

HTH,

Brian.
On Sun, 15 Jan 2017 12:04:07 +0000 Brian Candler via samba <samba@lists.samba.org> wrote:
> On 11/01/2017 17:14, Carlos A. P. Cunha wrote:
>> ldapsearch -U USER -h ldaps://localhost -p636 -w PASS -b
>> dc=internal,dc=test,dc=com,dc=br -s sub '(objectClass=user)'
>> givenName -LLL -n -N -Z
>> ldap_start_tls: Connect error (-11)
>> additional info: (unknown error code)
>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>> additional info: (unknown error code)
>>
>> What would be wrong?
>
> You are trying to do two mutually-exclusive things at the same time.

OK, try this:

The DC is dc1.samdom.example.com
The AD domain DN is dc=samdom,dc=example,dc=com
There is this line in the DC smb.conf:

    tls certfile = tls/cert.pem

The reverse DNS zone has been created and is operational.
The username is 'rowland'.
This is all done on the DC.

Configure the /etc/openldap/ldap.conf file as follows:

    HOST dc1.samdom.example.com
    TLS_CACERT /usr/local/samba/private/tls/cert.pem
    TLS_REQCERT demand

Add this line to smb.conf:

    ldap server require strong auth = allow_sasl_over_tls

Restart Samba.

Now test with this command:

    ldapsearch -D "rowland@samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldaps://dc1.samdom.example.com -W sAMAccountName=rowland

and/or this command:

    ldapsearch -D "rowland@samdom.example.com" -b "cn=Users,dc=samdom,dc=example,dc=com" -H ldap://dc1.samdom.example.com -Z -W sAMAccountName=rowland

Rowland
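To make Brian's distinction between ldaps:// and -Z concrete, and to show what Rowland's TLS_CACERT / TLS_REQCERT demand settings correspond to in code, here is an added example that is not from any poster in this thread: a minimal Python client that reaches TLS either the LDAPS way (handshake first, port 636) or the StartTLS way (plain LDAP, the RFC 4511 StartTLS extended operation, then the handshake, port 389), with the extended request and response handled by hand. Host names, ports and the CA file path are assumptions supplied by the caller.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def ber_len(n):
    """BER definite-form length octets for payloads under 64 KiB."""
    if n < 0x80:
        return bytes([n])
    return bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])

def starttls_request(msg_id=1):
    """LDAPMessage carrying an ExtendedRequest [APPLICATION 23] for StartTLS."""
    req_name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] requestName
    ext_req = b"\x77" + ber_len(len(req_name)) + req_name            # ExtendedRequest
    body = b"\x02\x01" + bytes([msg_id]) + ext_req                   # INTEGER messageID first
    return b"\x30" + ber_len(len(body)) + body                        # outer SEQUENCE

def _value_start(buf, i):
    """Index of the first content octet of the TLV whose tag is at buf[i]."""
    first = buf[i + 1]
    return i + 2 + ((first & 0x7F) if first & 0x80 else 0)

def result_code(response):
    """resultCode of an ExtendedResponse [APPLICATION 24]; 0 means the DC will start TLS."""
    i = _value_start(response, 0)                    # step into the LDAPMessage SEQUENCE
    i = _value_start(response, i) + response[i + 1]  # skip INTEGER messageID (short length)
    if response[i] != 0x78:
        raise ValueError("not an ExtendedResponse")
    i = _value_start(response, i)
    if response[i] != 0x0A:
        raise ValueError("expected ENUMERATED resultCode")
    return response[i + 2]

def ldaps_connect(host, port=636, cafile=None):
    """ldaps://: the TLS handshake comes first; LDAP only ever runs inside it (port 636)."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname check, as TLS_REQCERT demand
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)

def starttls_connect(host, port=389, cafile=None):
    """ldap:// + StartTLS: plain LDAP first, the extended op, then the handshake (port 389)."""
    sock = socket.create_connection((host, port))
    sock.sendall(starttls_request())
    code = result_code(sock.recv(4096))
    if code != 0:
        sock.close()
        raise ConnectionError("DC declined StartTLS, resultCode %d" % code)
    ctx = ssl.create_default_context(cafile=cafile)  # same verification policy as above
    return ctx.wrap_socket(sock, server_hostname=host)
```

Because `server_hostname` is checked against the certificate, connecting to `localhost` with a certificate issued for the DC's FQDN fails the handshake in exactly the way Vinicius described; passing the DC's real name, as Rowland's commands do, is what makes verification succeed.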