Really Rowland?

As quoted:
>> I believe I need to examine TLS since when I set "ldap server require
>> strong auth = allow_sasl_over_tls" or "ldap server require strong
>> auth = yes" user and group queries fail.

This is OBVIOUSLY using LDAP and TLS. If this was via NTLM/Kerberos, the above setting wouldn't make the slightest difference.

But all that aside - the key question is: [Again, let's quit arguing whether this is TLS/LDAP or Kerberos.]

*** How do I get visibility into the TLS negotiation so I can figure out what's wrong with my CA/certs/keys?

-Greg
On Thu, 3 Jan 2019 08:10:30 -0800
Gregory Sloop via samba <samba at lists.samba.org> wrote:

> Really Rowland?

Yes, really!

> As quoted:
> >> I believe I need to examine TLS since when I set "ldap server
> >> require strong auth = allow_sasl_over_tls" or "ldap server require
> >> strong auth = yes" user and group queries fail.
>
> This is OBVIOUSLY using LDAP and TLS.

I am not arguing that.

> If this was via NTLM/Kerberos, the above setting wouldn't make the
> slightest difference.

It doesn't.

> But all that aside - the key question is: [Again, let's quit arguing
> whether this is TLS/LDAP or Kerberos.]
>
> *** How do I get visibility into the TLS negotiation so I can figure
> out what's wrong with my CA/certs/keys?
>
> -Greg

I will send you some notes I made when testing LDAP searches via SSL/TLS; perhaps these will help.

Rowland
On Thu, 3 Jan 2019 08:10:30 -0800
Gregory Sloop via samba <samba at lists.samba.org> wrote:

> Really Rowland?
>
> As quoted:
> >> I believe I need to examine TLS since when I set "ldap server
> >> require strong auth = allow_sasl_over_tls" or "ldap server require
> >> strong auth = yes" user and group queries fail.
>
> This is OBVIOUSLY using LDAP and TLS.
> If this was via NTLM/Kerberos, the above setting wouldn't make the
> slightest difference.
>
> But all that aside - the key question is: [Again, let's quit arguing
> whether this is TLS/LDAP or Kerberos.]
>
> *** How do I get visibility into the TLS negotiation so I can figure
> out what's wrong with my CA/certs/keys?
>
> -Greg

See attached file.

Rowland
RPvs> See attached file.

Thanks for that.

Is there no way to get log/debug detail about TLS negotiation from Samba? i.e. Is TLS nego not logged at all in Samba? ...or is it in the "general" channel [and not in some sub-channel]? At what verbosity does it show up? And at high verbosity, the logging is massive, so is TLS nego prefixed with something so I can isolate it from the other logging lines?

TIA
-Greg
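Whatever Samba does or does not log, the handshake itself can be observed from the client side, which is usually enough to tell a chain or trust-store problem from a protocol or cipher mismatch. The script below is an added example written for this thread; it is not Samba tooling and not the notes Rowland attached. It drives `openssl s_client` (assumed to be OpenSSL 1.1.1 or later, which is when `-starttls ldap` appeared) against a DC and reduces the output to the lines that explain a failure. `CA_FILE`, the functions and `dc1.example.com` are all names chosen here; the two captured-output samples are constructed so the summariser can be exercised without a live DC.

```shell
#!/bin/sh
# Added example (not Samba's tooling, not the thread's attachment): inspect
# the TLS handshake an LDAP client performs against an AD DC.
# Assumptions: openssl >= 1.1.1 (for "-starttls ldap"); the CA bundle in
# CA_FILE; dc1.example.com is a placeholder host name.

CA_FILE="${CA_FILE:-/etc/ssl/certs/ca-certificates.crt}"

# Reduce s_client output (on stdin) to what explains a failure: negotiated
# protocol and cipher, server cert subject/issuer, every "verify error"
# raised while walking the chain, and the final verify return code.
tls_summary() {
    awk '
        /^ *Protocol *:/            { proto = $3 }
        /^ *Cipher *:/              { cipher = $3 }
        /^subject=/                 { subject = substr($0, 9) }
        /^issuer=/                  { issuer = substr($0, 8) }
        /^verify error:/            { errs = errs "\n  " $0 }
        /^ *Verify return code:/    {
            code = $4
            msg = $0; sub(/.*\(/, "", msg); sub(/\)$/, "", msg)
        }
        END {
            printf "protocol=%s\ncipher=%s\nsubject=%s\nissuer=%s\n",
                   proto, cipher, subject, issuer
            printf "verify_code=%s verify_msg=%s\n", code, msg
            if (errs != "") printf "chain errors:%s\n", errs
            status = (code == "0") ? "OK" : "FAIL"
            print "status=" status
        }'
}

# Just the numeric verify return code (0 = chain verified), "none" if the
# handshake never got far enough to produce one.
tls_verify_code() {
    awk '/^ *Verify return code:/ { code = $4 }
         END { if (code == "") code = "none"; print code }'
}

# Run the handshake against a DC. Port 636 is LDAPS (TLS from the first
# byte); any other port is plain LDAP upgraded with STARTTLS. Both are
# summarised the same way.
probe_ldap_tls() {
    host=$1
    port=${2:-389}
    if [ "$port" = "636" ]; then
        set -- -connect "$host:636"
    else
        set -- -connect "$host:$port" -starttls ldap
    fi
    openssl s_client "$@" -servername "$host" -CAfile "$CA_FILE" -showcerts \
        </dev/null 2>&1 | tls_summary
}

# Constructed sample: what s_client prints when the DC's issuer is not in
# the trust store (the classic "my CA isn't trusted" case).
SAMPLE_UNTRUSTED='CONNECTED(00000003)
depth=0 CN = dc1.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = dc1.example.com
   i:CN = Example Corp AD CA
---
subject=CN = dc1.example.com
issuer=CN = Example Corp AD CA
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
---'

# Constructed sample: a clean handshake with a trusted chain.
SAMPLE_OK='CONNECTED(00000003)
depth=1 CN = Example Corp AD CA
verify return:1
depth=0 CN = dc1.example.com
verify return:1
---
subject=CN = dc1.example.com
issuer=CN = Example Corp AD CA
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)
---'

# Offline demonstration on the constructed samples.
demo() {
    printf '%s\n' "$SAMPLE_UNTRUSTED" | tls_summary
    echo
    printf '%s\n' "$SAMPLE_OK" | tls_summary
}

# LDAP_HOST=dc1.example.com LDAP_PORT=389 sh probe.sh  -> live handshake
if [ -n "$LDAP_HOST" ]; then
    probe_ldap_tls "$LDAP_HOST" "${LDAP_PORT:-389}"
else
    demo
fi
```

The verify return code is the first thing to read: 20 or 21 means the client cannot build a trusted chain to the issuer (point `CA_FILE` at the CA that signed the DC's certificate, or export `LDAPTLS_CACERT` for `ldapsearch`), 62 means the name in the certificate does not match the host you connected to, and a handshake that ends before any `SSL-Session` block at all points at a protocol or cipher mismatch rather than at the certificates. For the OpenLDAP client's own view of the same exchange, `ldapsearch -ZZ -d 1` prints its TLS trace to stderr.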