Mailinglist Archive: opensuse (1786 mails)

Re: [opensuse] samba and StartTLS [SOLVED]
On Friday 11 Nov 2011 23:31:38 lynn wrote:
On 11/11/2011 10:40 PM, Adam Tauno Williams wrote:
On Fri, 2011-11-11 at 20:19 +0100, lynn wrote:
On 11/10/2011 12:02 PM, lynn wrote:
Hi
Scenario:
Lan with 11.4 server and Linux, win-xp and win7 clients.
The windows clients can login but are denied access to their home
folder:

Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls)
Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction: Connect error

Solved?
Adding:
TLS_REQCERT never
to
/etc/openldap/ldap.conf
allows windows to connect to the samba domain with TLS.

No, it doesn't.

The logs show the name of the person who is logging in from a win 7
client and a successful starttls session for that logon. That's why I
thought it was working.

Correction. They don't. They show a successful STARTTLS between samba and ldap
but please see below.

It allows *Samba* to communicate with the DSA. It is a
side-effect that CIFS/SMB clients then work.

Can anyone comment on the security of this workaround?

It's bad.

If you are using a local DSA then use an ldapi:// uri as this is more
secure and faster.

If you are using a remote DSA then fix your SSL setup [otherwise in your
smb.conf just set "ldap ssl = off"]. You need to setup the host so that
you can perform ldapsearch commands [from the command line] with the -ZZ
options specified [require TLS to successfully initialize].

Sorry, I don't know what DSA is. But Linux clients can login fine with the
certificates I made for LDAP in place, and everyone can logon when I have
ldap ssl = off, but I see no starttls messages in the logs. But wait. If
the ldap and samba servers are on the same machine, do I need tls at all?

Nothing has been setup from a command line. I used Yast for
everything. So maybe there is a bug in Yast or Samba v3.5.7 as supplied
via opensuse 11.4. I can reproduce this error on 12.1 rc. On 11.3 it
worked out of the box.

Confused!
Thanks

It took some heated discussion over on the samba list and I think it must be a
bug in Yast ldap server and samba when 'use tls' is checked in the ldap server
dialogue. Following the yast setup does not work. You have to add:

TLS_REQCERT hard
TLS_CACERT /etc/openldap/cacerts/YaST-CA.pem

to the file

/etc/openldap/ldap.conf

Restart ldap and samba in that order and samba talks to ldap over TLS.

Do you think that I should register this as a bug in Yast? If so, do Yast bugs live
at novell bugzilla?
L x
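An added example, not from this thread and not Samba's or OpenLDAP's own code: a POSIX shell audit of the client-side ldap.conf settings discussed above. It flags the TLS_REQCERT never workaround and checks that hard/demand is paired with a readable TLS_CACERT; the sample configs and temp paths are constructed, and the ldapsearch -ZZ wrapper assumes a live directory server.

```shell
#!/bin/sh
# Added example (not from the thread): audit the client-side
# /etc/openldap/ldap.conf settings discussed above. "TLS_REQCERT never" makes
# smbd accept whatever certificate the LDAP server presents, so StartTLS runs
# but verifies nothing. "hard" (same as the default, demand) only works when
# the CA that signed the server certificate is listed via TLS_CACERT.

# check_ldap_conf FILE: prints a verdict; returns 0 when verification is on and
# a readable CA file is configured, 1 otherwise. Last keyword occurrence wins.
check_ldap_conf() {
    conf="$1"
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT" {v=$2} END {print v}' "$conf" | tr 'A-Z' 'a-z')
    cacert=$(awk 'toupper($1)=="TLS_CACERT" {v=$2} END {print v}' "$conf")
    case "$reqcert" in
        never|allow|try)
            echo "WEAK: TLS_REQCERT $reqcert does not require a verified server certificate"
            return 1 ;;
        hard|demand|"")
            if [ -z "$cacert" ]; then
                echo "INCOMPLETE: no TLS_CACERT; a private CA such as YaST-CA.pem must be listed"
                return 1
            elif [ ! -r "$cacert" ]; then
                echo "INCOMPLETE: TLS_CACERT $cacert is not readable"
                return 1
            fi
            echo "OK: TLS_REQCERT ${reqcert:-demand} with CA $cacert"
            return 0 ;;
        *)
            echo "UNKNOWN: TLS_REQCERT value '$reqcert'"
            return 1 ;;
    esac
}

# verify_starttls URI BASEDN: the live check from the thread. -ZZ makes
# ldapsearch fail unless StartTLS succeeds, so run it before touching smb.conf.
# Needs a running DSA; not called by the demo. For a DSA on the same host,
# ldapi:/// sidesteps TLS entirely.
verify_starttls() {
    ldapsearch -ZZ -x -H "$1" -b "$2" -s base '(objectclass=*)' dn >/dev/null
}

# Demo on constructed configs in a temp dir (hypothetical paths).
demo_dir=$(mktemp -d)
: > "$demo_dir/YaST-CA.pem"
printf 'TLS_REQCERT never\n' > "$demo_dir/workaround.conf"
printf 'TLS_REQCERT hard\nTLS_CACERT %s/YaST-CA.pem\n' "$demo_dir" > "$demo_dir/fixed.conf"
for f in workaround fixed; do
    printf '%s: ' "$f"; check_ldap_conf "$demo_dir/$f.conf" || :
done
```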


