Mailinglist Archive: opensuse (1786 mails)

< Previous Next >
Re: [opensuse] samba and StartTLS
On Fri, 2011-11-11 at 23:31 +0100, lynn wrote:
On 11/11/2011 10:40 PM, Adam Tauno Williams wrote:
On Fri, 2011-11-11 at 20:19 +0100, lynn wrote:
11/10/2011 12:02 PM, lynn wrote:
Hi
Scenario:
Lan with 11.4 server and Linux, win-xp and win7 clients.
The windows clients can login but are denied access to their home folder:
Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0]
lib/smbldap.c:731(smb_ldap_start_tls)
Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS
instruction:
Connect error
Solved?
Adding:
TLS_REQCERT never
to
/etc/openldap/ldap.conf
allows windows to connect to the samba domain with TLS.
No, it doesn't.
The logs show the name of the person who is logging in from a win 7
client and a successful starttls session for that logon. That's why I
thought it was working.
It allows *Samba* to communicate with the DSA. It is a
side-effect that CIFS/SMB clients then work.
Can anyone comment on the security of this workaround?
It's bad.
If you are using a local DSA then use an ldapi:// uri as this is more
secure and faster.
If you are using a remote DSA then fix your SSL setup [otherwise in your
smb.conf just set "ldap ssl = off"]. You need to setup the host so that
you can perform ldapsearch commands [from the command line] with the -ZZ
options specified [require TLS to successfully initialize].
Sorry don't know what DSA is.

DSA is "Directory Service Agent". Which is what your 'LDAP server' is.
The DSA makes available one or more Dits to network clients. A Dit is a
"Directory Information Tree"; the hierarchy of objects stored in the
'LDAP database'.

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups