Re: [opensuse] samba and StartTLS
On Fri, 2011-11-11 at 23:31 +0100, lynn wrote:
> On 11/11/2011 10:40 PM, Adam Tauno Williams wrote:
> > On Fri, 2011-11-11 at 20:19 +0100, lynn wrote:
> > > 11/10/2011 12:02 PM, lynn wrote:
> > > > LAN with 11.4 server and Linux, win-xp and win7 clients.
> > > > The windows clients can log in but are denied access to their home folder:
> > > > Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0]
> > > > Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS
> > > > Connect error
> > > allows windows to connect to the samba domain with TLS.
> > No, it doesn't.
> The logs show the name of the person who is logging in from a win 7
> client and a successful starttls session for that logon. That's why I
> thought it was working.
> > It allows *Samba* to communicate with the DSA. It is a
> > side-effect that CIFS/SMB clients then work.
> > > Can anyone comment on the security of this workaround?
> > It's bad.
> > If you are using a local DSA then use an ldapi:// uri as this is more
> > secure and faster.
> > If you are using a remote DSA then fix your SSL setup [otherwise in your
> > smb.conf just set "ldap ssl = off"]. You need to set up the host so that
> > you can perform ldapsearch commands [from the command line] with the -ZZ
> > option specified [require TLS to successfully initialize].
> Sorry, I don't know what DSA is.

DSA is "Directory Service Agent", which is what your 'LDAP server' is.
The DSA makes available one or more DITs to network clients. A DIT is a
"Directory Information Tree": the hierarchy of objects stored in the
'LDAP database'.
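As an added example (not code from this thread or from Samba), a small POSIX shell script that classifies how an smb.conf "passdb backend" reaches its DSA along the lines Adam describes: ldapi:// is a local socket and needs no TLS, ldap:// with "ldap ssl = off" is the insecure setting, and ldap:// relying on StartTLS should be verified with ldapsearch -ZZ. The host ldap.example.test, the sample file names and the config fragments are constructed for the demonstration.

```shell
#!/bin/sh
# Classify the LDAP transport an smb.conf fragment uses. ldapi:// is a Unix
# socket, so no TLS is involved; ldap:// depends on "ldap ssl = start tls"
# (Samba's default) and must be checked with ldapsearch -ZZ; ldap:// with
# "ldap ssl = off" sends the LDAP bind in clear text across the network.

# Read one key from smb.conf ($1 = file, $2 = key); first match wins.
smb_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Exit status: 0 = fine, 1 = needs a StartTLS check, 2 = insecure.
classify_ldap_transport() {
    backend=$(smb_get "$1" "passdb backend")
    ssl=$(smb_get "$1" "ldap ssl")
    uri=${backend#ldapsam:}          # "ldapsam:ldap://host" -> "ldap://host"
    case "$uri" in
        ldapi://*) echo "ok: $uri is a local socket, no TLS needed"; return 0 ;;
        ldaps://*) echo "ok: $uri negotiates TLS before the bind"; return 0 ;;
        ldap://*)
            case "$ssl" in
                off) echo "insecure: $uri with 'ldap ssl = off'"; return 2 ;;
                *)   echo "verify with: $(starttls_check_cmd "$uri")"; return 1 ;;
            esac ;;
        *) echo "not an LDAP passdb backend: $backend"; return 0 ;;
    esac
}

# The ldapsearch invocation the thread recommends: -ZZ makes a failed
# StartTLS fatal instead of silently continuing in clear text.
starttls_check_cmd() {
    printf 'ldapsearch -x -ZZ -H %s -b "" -s base' "$1"
}

# Constructed sample fragments, written into directory $1 (hypothetical host).
write_sample_configs() {
    printf '[global]\n\tpassdb backend = ldapsam:ldapi://%%2fvar%%2frun%%2fslapd%%2fldapi\n' > "$1/local.conf"
    printf '[global]\n\tpassdb backend = ldapsam:ldap://ldap.example.test\n\tldap ssl = off\n' > "$1/remote-off.conf"
    printf '[global]\n\tpassdb backend = ldapsam:ldap://ldap.example.test\n\tldap ssl = start tls\n' > "$1/remote-tls.conf"
}

# Demo run over the three constructed fragments.
dir=$(mktemp -d)
write_sample_configs "$dir"
for f in "$dir"/*.conf; do classify_ldap_transport "$f" || true; done
rm -rf "$dir"
```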
