On Fri, 2011-11-11 at 20:19 +0100, lynn wrote:
11/10/2011 12:02 PM, lynn wrote:
Hi Scenario: Lan with 11.4 server and Linux, win-xp and win7 clients. The windows clients can login but are denied access to their home folder: Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls) Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction: Connect error Solved? Adding: TLS_REQCERT never to /etc/openldap/ldap.conf allows windows to connect to the samba domain with TLS.
No, it doesn't. It allows *Samba* to communicate with the DSA. It is a side-effect that CIFS/SMB clients then work.
Can anyone comment on the security of this workaround?
It's bad. If you are using a local DSA then use an ldapi:// uri as this is more secure and faster. If you are using a remote DSA then fix your SSL setup [otherwise in your smb.conf just set "ldap ssl = off"]. You need to setup the host so that you can perform ldapsearch commands [from the command line] with the -ZZ options specified [require TLS to successfully initialize]. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org