On 11/11/2011 10:40 PM, Adam Tauno Williams wrote:
> On Fri, 2011-11-11 at 20:19 +0100, lynn wrote:
> > 11/10/2011 12:02 PM, lynn wrote:
> > > Hi
> > > Scenario: LAN with 11.4 server and Linux, win-xp and win7 clients. The windows clients can login but are denied access to their home folder:
> > >
> > > Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls)
> > > Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction: Connect error
> > >
> > > Solved? Adding:
> > > TLS_REQCERT never
> > > to /etc/openldap/ldap.conf allows windows to connect to the samba domain with TLS.
> >
> > No, it doesn't. The logs show the name of the person who is logging in from a win 7 client and a successful starttls session for that logon. That's why I thought it was working.
>
> It allows *Samba* to communicate with the DSA. It is a side-effect that CIFS/SMB clients then work.
>
> > Can anyone comment on the security of this workaround?
>
> It's bad.
>
> If you are using a local DSA then use an ldapi:// uri as this is more secure and faster.
>
> If you are using a remote DSA then fix your SSL setup [otherwise in your smb.conf just set "ldap ssl = off"]. You need to set up the host so that you can perform ldapsearch commands [from the command line] with the -ZZ option specified [require TLS to successfully initialize].

Sorry, don't know what DSA is. But Linux clients can login fine with the certificates I made for LDAP in place, and everyone can logon when I have ldap ssl = off, but I see no starttls messages in the logs. But wait. If the ldap and samba servers are on the same machine, do I need tls at all?

Nothing has been set up from a command line. I used Yast for everything. So maybe there is a bug in Yast or Samba v3.5.7 as supplied via opensuse 11.4. I can reproduce this error on 12.1 rc. On 11.3 it worked out of the box.

Confused!
Thanks

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
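The following is an added illustration of the advice in this thread, not code posted by either participant: a small POSIX sh script that audits the content of an OpenLDAP client config for the "TLS_REQCERT never" workaround, shows the hardened settings and the ldapi:// alternative beside it, and builds the ldapsearch -ZZ check that was recommended. The host name hh1.example.lan, the base DN, and the CA path /etc/ssl/certs/lan-ca.pem are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit OpenLDAP client TLS settings
# (the "TLS_REQCERT never" workaround) and show the hardened form.
# Host name, base DN and CA path below are constructed placeholders.

# Constructed sample: the workaround discussed in the thread. "never" means the
# client never asks for, let alone validates, the server certificate, so
# StartTLS encrypts the session without authenticating the server.
WEAK_CONF='URI ldap://hh1.example.lan
BASE dc=example,dc=lan
TLS_REQCERT never'

# Constructed sample: hardened equivalent. TLS_CACERT points at the CA that
# signed the slapd certificate; "demand" (the ldap.conf default) rejects
# sessions whose server certificate is missing or fails validation.
HARDENED_CONF='URI ldap://hh1.example.lan
BASE dc=example,dc=lan
TLS_CACERT /etc/ssl/certs/lan-ca.pem
TLS_REQCERT demand'

# Constructed sample: local DSA reached over a Unix socket, the option Adam
# suggests when slapd runs on the same host (no TLS needed on a local socket).
LOCAL_CONF='URI ldapi:///
BASE dc=example,dc=lan'

# ldap_conf_value CONF KEY: last value of KEY (keys are case-insensitive).
ldap_conf_value() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { v = $2 } END { if (v != "") print v }'
}

# audit_ldap_conf CONF: prints a verdict; returns 0 when the config
# authenticates the server (or needs no TLS), 1 when it is weak.
audit_ldap_conf() {
    uri=$(ldap_conf_value "$1" uri)
    reqcert=$(ldap_conf_value "$1" tls_reqcert | tr '[:upper:]' '[:lower:]')
    cacert=$(ldap_conf_value "$1" tls_cacert)
    case "$uri" in
        ldapi:*) echo "ok: local socket URI $uri, no TLS required"; return 0 ;;
    esac
    case "$reqcert" in
        never|allow)
            echo "weak: TLS_REQCERT $reqcert lets any or no server certificate through"
            return 1 ;;
        try)
            echo "weak: TLS_REQCERT try accepts a server that presents no certificate"
            return 1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "weak: no TLS_CACERT, so the server certificate cannot be validated"
        return 1
    fi
    [ -n "$reqcert" ] || reqcert="demand (default)"
    echo "ok: TLS_REQCERT $reqcert with CA $cacert"
    return 0
}

# tls_check_cmd HOST: the check Adam describes. -ZZ makes ldapsearch fail
# unless StartTLS negotiates successfully; -x is a simple (here anonymous)
# bind against the root DSE, so it works before any accounts exist.
tls_check_cmd() {
    printf "ldapsearch -ZZ -x -H ldap://%s -s base -b '' '(objectClass=*)'\n" "$1"
}

# Stand-alone demo: audit all three samples and print the verification command.
audit_ldap_conf "$WEAK_CONF" || true
audit_ldap_conf "$HARDENED_CONF"
audit_ldap_conf "$LOCAL_CONF"
tls_check_cmd hh1.example.lan
```

The point of the audit is the one Adam makes: with TLS_REQCERT never, the StartTLS session in the log proves only that traffic was encrypted, not that smbd was talking to the real slapd, since any host answering on that name would be accepted. Once the CA certificate is installed and TLS_REQCERT is back at demand, the printed ldapsearch -ZZ command should succeed from the Samba host before "ldap ssl" is re-enabled in smb.conf; if it fails, the certificate or CA setup is what needs fixing, not the verification setting.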