https://bugzilla.novell.com/show_bug.cgi?id=730046
https://bugzilla.novell.com/show_bug.cgi?id=730046#c8
--- Comment #8 from lynn wilson
(In reply to comment #0)
Created an attachment (id=461810) --> (http://bugzilla.novell.com/attachment.cgi?id=461810) [details] The samba config file
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.102 Safari/535.2
When using TLS between Samba and LDAP, the following error occurs:
Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls)
Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction:
When do you get this error message? Always when starting smbd or only when booting?
I get this message when booting into the system and that seems to be an issue with either samba's or slapd's init script or systemd. Samba seems to be started before OpenLDAP is accepting incoming requests. When using sysvinit the OpenLDAP initscript takes care that it does not succeed until the server is able to process requests (by doing some ldapsearch magic). But I also see that samba's init script does not have a dependency on OpenLDAP.
Lars: Should there be "ldap" listed in "Should-Start" of /etc/init.d/smb
I feel that this is an important security issue and I have offered a solution.
I don't see yet why this should be a security issue.
[..]
Reproducible: Always
Steps to Reproduce:
1. Using Yast throughout
2. Create root CA
3. Enter it. Create and export common server certificates
4. Make sure that your FQDN matches the CN of the certificates.
5. LDAP server - use tls - use common server certificate
6. Copy YaST-CA.pem to /srv/www/htdocs
7. ldap client check tls box and download the CA from the webserver (there ought to be a way of specifying a file here rather than having to download it from a webserver)
There is. Either just enter a file:/// URL or go to the advanced settings.
There are no 'advanced settings'. I think you mean 'Advanced Configuration', no?
There you'll find the option to either select a file or directory manually, though it could be implemented better from a usability point of view.
It really does need improving. It's almost as bad as the Yast printer setup module. Only joking. Yast chooses: /etc/openldap/cacerts/
OTOH, if you set up the LDAP Server on the localhost you shouldn't need to configure any TLS Settings in ldap-client. The yast2-ldap-server module already configures that for you (at least it did here).
Actual Results: Samba does not communicate with LDAP over tls. See error above. Hm, I only get this error once when booting it still seems to work afterwards.
It seems that the CA certificate is not being detected.
The problem can be solved by adding:
TLS_REQCERT hard
TLS_CACERT /etc/openldap/cacerts/YaST-CA.pem
to /etc/openldap/ldap.conf
Usually yast2-ldap-client does this already. Please attach YaST logs (/var/log/YaST/*)
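Two defender-side checks for the situation discussed in this comment (the boot-order race between smbd and slapd, and the TLS directives in /etc/openldap/ldap.conf), written here as an added example; this is not code from the bug report, from Samba or from the openSUSE init scripts, and the probe command, retry counts and file paths are assumptions.

```bash
#!/bin/sh
# Added example, not part of the bug report.
#  check_ldap_tls_conf FILE      - verifies that an ldap.conf-style file sets
#                                  TLS_REQCERT hard and TLS_CACERT to a readable CA.
#  wait_for_ldap PROBE [N] [SEC] - polls PROBE (assumed to be something like
#                                  "ldapsearch -x -ZZ -b '' -s base") until the
#                                  directory answers, mirroring the sysvinit slapd
#                                  script, so smbd is not started before it.

# Returns 0 only when FILE demands certificate verification and names an existing CA.
check_ldap_tls_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    # Directives are whitespace separated; comment lines are skipped.
    reqcert=$(awk '!/^[[:space:]]*#/ && toupper($1)=="TLS_REQCERT"{v=$2} END{print v}' "$conf")
    cacert=$(awk '!/^[[:space:]]*#/ && toupper($1)=="TLS_CACERT"{v=$2} END{print v}' "$conf")
    if [ "$(echo "$reqcert" | tr A-Z a-z)" != "hard" ]; then
        echo "TLS_REQCERT is '${reqcert:-unset}', expected 'hard'" >&2
        return 2
    fi
    if [ -z "$cacert" ] || [ ! -r "$cacert" ]; then
        echo "TLS_CACERT '${cacert:-unset}' is not a readable file" >&2
        return 3
    fi
    return 0
}

# Runs PROBE through sh -c up to N times (default 30), SEC seconds apart (default 1).
wait_for_ldap() {
    probe="$1"; retries="${2:-30}"; delay="${3:-1}"
    i=0
    while [ "$i" -lt "$retries" ]; do
        if sh -c "$probe" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "LDAP server did not answer after $retries attempts" >&2
    return 1
}
```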