[opensuse] samba and StartTLS
Hi

Scenario: Lan with 11.4 server and Linux, win-xp and win7 clients. The Linux clients can login fine under TLS:

Nov 10 11:31:22 hh1 slapd[1727]: conn=1243 op=0 STARTTLS
Nov 10 11:31:22 hh1 slapd[1727]: conn=1243 op=0 RESULT oid= err=0 text=
Nov 10 11:31:22 hh1 slapd[1727]: conn=1243 fd=23 TLS established tls_ssf=256 ssf=256
Nov 10 11:31:22 hh1 slapd[1727]: conn=1243 op=1 BIND dn="" method=128
<- - - lots of lines cut - - ->
Nov 10 11:31:22 hh1 slapd[1727]: conn=1243 op=3 BIND dn="uid=lynn2,ou=people,dc=site" method=128

The windows clients can login but are denied access to their home folder:

Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls)
Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction: Connect error

If smb.conf contains the line:

ldap ssl = start tls

windows clients can login, but are denied access to do anything with their home folders. Uncommenting this line and restarting smb allows windows clients both to login and gain access to their home folder.

Summary: Samba without TLS works. Samba with TLS doesn't.

Can I confirm:
1. That LDAP is working.
2. That the CA and server certificates (signed by the CA) are correct.
3. The problem is with smb.conf
4. There is a bug in the Yast samba server setup

and lastly, after much googling and reading, can anyone help me get rid of the samba tls issue?

Thanks
L x
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
11/10/2011 12:02 PM, lynn wrote:
Hi Scenario: Lan with 11.4 server and Linux, win-xp and win7 clients.
The windows clients can login but are denied access to their home folder:
Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls)
Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction: Connect error
Solved? Adding:

TLS_REQCERT never

to /etc/openldap/ldap.conf allows windows to connect to the samba domain with TLS.

Can anyone comment on the security of this workaround?

Thanks
L
On Fri, 2011-11-11 at 20:19 +0100, lynn wrote:
11/10/2011 12:02 PM, lynn wrote:
Hi Scenario: Lan with 11.4 server and Linux, win-xp and win7 clients.
The windows clients can login but are denied access to their home folder:
Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls)
Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction: Connect error
Solved? Adding: TLS_REQCERT never to /etc/openldap/ldap.conf allows windows to connect to the samba domain with TLS.
No, it doesn't. It allows *Samba* to communicate with the DSA. It is a side-effect that CIFS/SMB clients then work.
Can anyone comment on the security of this workaround?
It's bad.

If you are using a local DSA then use an ldapi:// uri as this is more secure and faster.

If you are using a remote DSA then fix your SSL setup [otherwise in your smb.conf just set "ldap ssl = off"]. You need to setup the host so that you can perform ldapsearch commands [from the command line] with the -ZZ options specified [require TLS to successfully initialize].
On 11/11/2011 10:40 PM, Adam Tauno Williams wrote:
On Fri, 2011-11-11 at 20:19 +0100, lynn wrote:
11/10/2011 12:02 PM, lynn wrote:
Hi Scenario: Lan with 11.4 server and Linux, win-xp and win7 clients.
The windows clients can login but are denied access to their home folder:
Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls)
Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction: Connect error
Solved? Adding: TLS_REQCERT never to /etc/openldap/ldap.conf allows windows to connect to the samba domain with TLS.
No, it doesn't.
The logs show the name of the person who is logging in from a win 7 client and a successful starttls session for that logon. That's why I thought it was working.
It allows *Samba* to communicate with the DSA. It is a side-effect that CIFS/SMB clients then work.
Can anyone comment on the security of this workaround?
It's bad.
If you are using a local DSA then use an ldapi:// uri as this is more secure and faster.
If you are using a remote DSA then fix your SSL setup [otherwise in your smb.conf just set "ldap ssl = off"]. You need to setup the host so that you can perform ldapsearch commands [from the command line] with the -ZZ options specified [require TLS to successfully initialize].
Sorry, don't know what DSA is. But Linux clients can login fine with the certificates I made for LDAP in place and everyone can logon when I have ldap ssl = off, but I see no starttls messages in the logs. But wait. If the ldap and samba servers are on the same machine, do I need tls at all?

Nothing has been setup from a command line. I used Yast for everything. So maybe there is a bug in Yast or Samba v3.5.7 as supplied via opensuse 11.4. I can reproduce this error on 12.1 rc. On 11.3 it worked out of the box.

Confused! Thanks
On Friday 11 Nov 2011 23:31:38 lynn wrote:
On 11/11/2011 10:40 PM, Adam Tauno Williams wrote:
On Fri, 2011-11-11 at 20:19 +0100, lynn wrote:
11/10/2011 12:02 PM, lynn wrote:
Hi Scenario: Lan with 11.4 server and Linux, win-xp and win7 clients.
The windows clients can login but are denied access to their home folder:
Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls)
Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction: Connect error
Solved? Adding: TLS_REQCERT never to /etc/openldap/ldap.conf allows windows to connect to the samba domain with TLS.
No, it doesn't.
The logs show the name of the person who is logging in from a win 7 client and a successful starttls session for that logon. That's why I thought it was working.
Correction. They don't. They show a successful STARTTLS between samba and ldap but please see below.
It allows *Samba* to communicate with the DSA. It is a side-effect that CIFS/SMB clients then work.
Can anyone comment on the security of this workaround?
It's bad.
If you are using a local DSA then use an ldapi:// uri as this is more secure and faster.
If you are using a remote DSA then fix your SSL setup [otherwise in your smb.conf just set "ldap ssl = off"]. You need to setup the host so that you can perform ldapsearch commands [from the command line] with the -ZZ options specified [require TLS to successfully initialize].
Sorry, don't know what DSA is. But Linux clients can login fine with the certificates I made for LDAP in place and everyone can logon when I have ldap ssl = off, but I see no starttls messages in the logs. But wait. If the ldap and samba servers are on the same machine, do I need tls at all?
Nothing has been setup from a command line. I used Yast for everything. So maybe there is a bug in Yast or Samba v3.5.7 as supplied via opensuse 11.4. I can reproduce this error on 12.1 rc. On 11.3 it worked out of the box.
Confused! Thanks
It took some heated discussion over on the samba list and I think it must be a bug in Yast ldap server and samba when 'use tls' is checked in the ldap server dialogue. Following the yast setup does not work. You have to add:

TLS_REQCERT hard
TLS_CACERT /etc/openldap/cacerts/YaST-CA.pem

to the file

/etc/openldap/ldap.conf

Restart ldap and samba in that order and samba talks to ldap over TLS.

Do you think that I should register as a bug in Yast? If so, do Yast bugs live at novell bugzilla?

L x
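An added audit script, not part of this thread, that reads an OpenLDAP client config the way the two messages above discuss it: it rejects the TLS_REQCERT never workaround and accepts the TLS_REQCERT hard plus TLS_CACERT fix, and stands in for the offline part of Adam's ldapsearch -ZZ check. The hostname hh1.site and both sample ldap.conf files are constructed for the example.

```shell
# Added audit helper (not from the thread): reads an OpenLDAP client config,
# rejects the TLS_REQCERT never workaround, accepts TLS_REQCERT hard + TLS_CACERT.
# check_ldap_tls_conf FILE: returns 0 if FILE verifies the server certificate,
# else prints a reason and returns 1. Per ldap.conf(5) keys are case-insensitive,
# '#' starts a comment, the last key wins, and unset TLS_REQCERT means "demand".
check_ldap_tls_conf() {
    file=$1; reqcert=""; ca=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # drop comments
        set -- $line                      # split key and value on whitespace
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
        case $key in
            TLS_REQCERT) reqcert=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]') ;;
            TLS_CACERT|TLS_CACERTDIR) ca=$2 ;;
        esac
    done < "$file"
    case ${reqcert:-demand} in
        never|allow|try)
            echo "$file: TLS_REQCERT $reqcert does not verify the server certificate"
            return 1 ;;
        demand|hard) ;;
        *) echo "$file: unknown TLS_REQCERT value '$reqcert'"; return 1 ;;
    esac
    if [ -z "$ca" ]; then
        echo "$file: no TLS_CACERT/TLS_CACERTDIR, nothing can verify the server"
        return 1
    fi
    return 0
}

WEAK_CONF=$(mktemp); GOOD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT

# Constructed sample: the workaround from the thread (trusts any server cert).
cat > "$WEAK_CONF" <<'EOF'
URI         ldap://hh1.site
BASE        dc=site
tls_reqcert never
EOF

# Constructed sample: the fix from the thread (pin the YaST CA, verify strictly).
cat > "$GOOD_CONF" <<'EOF'
URI         ldap://hh1.site
BASE        dc=site
TLS_REQCERT hard
TLS_CACERT  /etc/openldap/cacerts/YaST-CA.pem
EOF

for f in "$WEAK_CONF" "$GOOD_CONF"; do
    if check_ldap_tls_conf "$f"; then echo "$f: OK"; fi
done
# With a reachable server, finish with the check from the thread:
#   ldapsearch -x -ZZ -H ldap://hh1.site -b dc=site -s base
```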
On Sun, Nov 13, 2011 at 07:09:07AM +0100, lynn wrote: [ 8< ]
It took some heated discussion over on the samba list and I think it must be a bug in Yast ldap server and samba when 'use tls' is checked in the ldap server dialogue. Following the yast setup does not work. You have to add:
TLS_REQCERT hard
TLS_CACERT /etc/openldap/cacerts/YaST-CA.pem
to the file
/etc/openldap/ldap.conf
Restart ldap and samba in that order and samba talks to ldap over TLS.
Do you think that I should register as a bug in Yast? If so, do Yast bugs live at novell bugzilla?
Please do, and also add a pointer to the archived thread at https://lists.samba.org/ and to this thread archived at http://lists.opensuse.org/opensuse/2011-11/msg00363.html

As you started several threads around this topic, please also consider adding pointers to the others too. Then it's much easier for the YaST developers to follow and to address the issue.

And yes, the bug tracker for YaST and all openSUSE and SUSE Linux Enterprise issues still is at bugzilla.novell.com

Unfortunately nobody spoke up to maintain a separate bugzilla instance for openSUSE. And I must warn you, this is a lot of work. Björn and I did this for the Samba bugzilla and even if we had a lot of fun and coffee at the SerNet office it nevertheless was somehow painful.

Lars
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
Do you think that I should register as a bug in Yast?
Please do
https://bugzilla.novell.com/show_bug.cgi?id=730046
On Sun, Nov 13, 2011 at 07:31:56PM +0100, lynn wrote:
Do you think that I should register as a bug in Yast?
Please do
https://bugzilla.novell.com/show_bug.cgi?id=730046
Thanks. But unfortunately the pointers to this thread and the thread at samba.org are missing.

See the suggestion/request made with this posting http://lists.opensuse.org/opensuse/2011-11/msg00456.html

Thanks.

Lars
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Monday 14 Nov 2011 10:03:57 Lars Müller wrote:
On Sun, Nov 13, 2011 at 07:31:56PM +0100, lynn wrote:
Do you think that I should register as a bug in Yast?
Please do
Thanks. But unfortunately the pointers to this thread and the thread at samba.org are missing.
See the suggestion/ request made with this posting http://lists.opensuse.org/opensuse/2011-11/msg00456.html
Thanks.
Lars
Added.
https://lists.samba.org/archive/samba/2011-November/164820.html

Cheers
L x
On Mon, Nov 14, 2011 at 01:37:31PM +0100, lynn wrote:
On Monday 14 Nov 2011 10:03:57 Lars Müller wrote:
On Sun, Nov 13, 2011 at 07:31:56PM +0100, lynn wrote: [ 8< ]
Thanks. But unfortunately the pointers to this thread and the thread at samba.org are missing.
See the suggestion/ request made with this posting http://lists.opensuse.org/opensuse/2011-11/msg00456.html
Added. https://lists.samba.org/archive/samba/2011-November/164820.html
Thx Steve.

Lars
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Fri, 2011-11-11 at 23:31 +0100, lynn wrote:
On 11/11/2011 10:40 PM, Adam Tauno Williams wrote:
On Fri, 2011-11-11 at 20:19 +0100, lynn wrote:
11/10/2011 12:02 PM, lynn wrote:
Hi Scenario: Lan with 11.4 server and Linux, win-xp and win7 clients.
The windows clients can login but are denied access to their home folder:
Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls)
Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction: Connect error
Solved? Adding: TLS_REQCERT never to /etc/openldap/ldap.conf allows windows to connect to the samba domain with TLS.
No, it doesn't.
The logs show the name of the person who is logging in from a win 7 client and a successful starttls session for that logon. That's why I thought it was working.
It allows *Samba* to communicate with the DSA. It is a side-effect that CIFS/SMB clients then work.
Can anyone comment on the security of this workaround?
It's bad. If you are using a local DSA then use an ldapi:// uri as this is more secure and faster. If you are using a remote DSA then fix your SSL setup [otherwise in your smb.conf just set "ldap ssl = off"]. You need to setup the host so that you can perform ldapsearch commands [from the command line] with the -ZZ options specified [require TLS to successfully initialize].
Sorry, don't know what DSA is.
DSA is "Directory Service Agent", which is what your 'LDAP server' is. The DSA makes available one or more DITs to network clients. A DIT is a "Directory Information Tree": the hierarchy of objects stored in the 'LDAP database'.
Sorry, don't know what DSA is.
DSA is "Directory Service Agent", which is what your 'LDAP server' is. The DSA makes available one or more DITs to network clients. A DIT is a "Directory Information Tree": the hierarchy of objects stored in the 'LDAP database'.
Thanks Adam. Got it and added it to my long list of acros!

L
On 11/14/2011 4:37 AM, lynn wrote:
On Monday 14 Nov 2011 10:03:57 Lars Müller wrote:
On Sun, Nov 13, 2011 at 07:31:56PM +0100, lynn wrote:
Do you think that I should register as a bug in Yast?
Please do
Thanks. But unfortunately the pointers to this thread and the thread at samba.org are missing.
See the suggestion/ request made with this posting http://lists.opensuse.org/opensuse/2011-11/msg00456.html
Thanks.
Lars
Added. https://lists.samba.org/archive/samba/2011-November/164820.html
Cheers L x
By the way, thanks for bird dogging this issue for all of us Lynn. Not everybody runs the environment you do, and it takes a squeaky wheel to get these corner cases greased so that they work as expected when more large installations come on line using your configuration.
--
---This space for rent---
On 11/14/2011 07:18 PM, John Andersen wrote:
On 11/14/2011 4:37 AM, lynn wrote:
On Monday 14 Nov 2011 10:03:57 Lars Müller wrote:
On Sun, Nov 13, 2011 at 07:31:56PM +0100, lynn wrote:
Do you think that I should register as a bug in Yast?
Please do
Thanks. But unfortunately the pointers to this thread and the thread at samba.org are missing.
See the suggestion/ request made with this posting http://lists.opensuse.org/opensuse/2011-11/msg00456.html
Thanks.
Lars
Added. https://lists.samba.org/archive/samba/2011-November/164820.html
Cheers L x
By the way, thanks for bird dogging this issue for all of us Lynn. Not everybody runs the environment you do, and it takes a squeaky wheel to get these corner cases greased so that they work as expected when more large installations come on line using your configuration.
Well, I just hope that the Yast gurus will accept the bug and make it easier for everyone. We are not asking them to fix anything, just approve our solution. It's easy to reproduce and it _is_ a solution rather than a workaround. It would make a secure, heterogeneous single sign on lan within reach of anyone who can click a mouse. No other distro comes anywhere close.

Consultants will laugh at you when you propose Linux as a server. What they want is to sell you windows, throw away the Linux boxes and charge you 100 Euros an hour to come and install it, a monthly maintenance contract... And still not have SSO!

Saludos
L
On 11/14/2011 11:55 AM, lynn wrote:
Consultants will laugh at you when you propose Linux as a server.
Not so much anymore. I propose it often, and have sold more than a few SLES licenses in my day job. Since way back in the SLES 9 days, I've seen no other distro that integrated ldap so well into the entire installation.
--
---This space for rent---
John Andersen [14.11.2011 21:20]:
I propose it often, and have sold more than a few SLES licenses in my day job. Since way back in the SLES 9 days, I've seen no other distro that integrated ldap so well into the entire installation.
You're very right about LDAP integration. At our office, we have to recommend Ubuntu as desktop Linux, and it's a hassle to find out which config to store where, especially when packages change their config without further notice (like, from /etc/ldap.conf to /etc/ldap/ldap.conf).

The SUSE family is very comfortable to configure via YaST, and you can still search afterwards where your changes went ;-) and make them scriptable. A few clicks and a server's name, and LDAP auth works. Needed additional packages are installed automatically. Compared to *buntu - wow! I know why I love SUSE :-)

Regards,
Werner
participants (5)
- Adam Tauno Williams
- John Andersen
- Lars Müller
- lynn
- Werner Flamme