Re: [opensuse] samba and StartTLS [SOLVED]
On Friday 11 Nov 2011 23:31:38 lynn wrote:
On 11/11/2011 10:40 PM, Adam Tauno Williams wrote:
On Fri, 2011-11-11 at 20:19 +0100, lynn wrote:
On 11/10/2011 12:02 PM, lynn wrote:
Hi
Scenario:
LAN with 11.4 server and Linux, win-xp and win7 clients.
The windows clients can log in but are denied access to their home folder:
Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls)
Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction: Connect error

Solved?
Adding:
TLS_REQCERT never
to
/etc/openldap/ldap.conf
allows windows to connect to the samba domain with TLS.

No, it doesn't.

The logs show the name of the person who is logging in from a win 7
client and a successful starttls session for that logon. That's why I
thought it was working.

Correction. They don't. They show a successful STARTTLS between samba and ldap
but please see below.

It allows *Samba* to communicate with the DSA. It is a side-effect that
CIFS/SMB clients then work.

Can anyone comment on the security of this workaround?

It's bad.

If you are using a local DSA then use an ldapi:// uri as this is more
secure and faster.

If you are using a remote DSA then fix your SSL setup [otherwise in your
smb.conf just set "ldap ssl = off"]. You need to set up the host so that
you can perform ldapsearch commands [from the command line] with the -ZZ
option specified [require TLS to successfully initialize].

Sorry, I don't know what DSA is. But Linux clients can log in fine with the
certificates I made for LDAP in place, and everyone can log on when I have
ldap ssl = off, but I see no starttls messages in the logs. But wait. If
the ldap and samba servers are on the same machine, do I need TLS at all?

Nothing has been set up from a command line. I used Yast for everything.
So maybe there is a bug in Yast or Samba v3.5.7 as supplied via opensuse
11.4. I can reproduce this error on 12.1 rc. On 11.3 it worked out of the
box.

Confused!
Thanks

It took some heated discussion over on the samba list and I think it must be a
bug in Yast ldap server and samba when 'use tls' is checked in the ldap server
dialogue. Following the yast setup does not work. You have to add:

TLS_REQCERT hard
TLS_CACERT /etc/openldap/cacerts/YaST-CA.pem

to the file

/etc/openldap/ldap.conf

Restart ldap and samba in that order and samba talks to ldap over TLS.

Do you think that I should register it as a bug in Yast? If so, do Yast bugs
live at novell bugzilla?
L x


--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
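The point Adam makes above, that TLS_REQCERT never only makes the STARTTLS error go away by turning off verification of the directory server's certificate, is worth checking mechanically rather than by whether a Windows logon succeeds. The script below is an added example and not code from the thread, from Samba or from openSUSE. It renders the weak ldap.conf from the first post beside the hardened one the thread settled on, audits an arbitrary /etc/openldap/ldap.conf for a TLS_REQCERT value that disables verification or a missing trust anchor, and then runs the ldapsearch -ZZ check Adam suggested. The host name ldap.example.com, the base DN dc=example,dc=com and the slapd socket path in the ldapi comment are assumptions; the CA file path is the one given in the thread, and the openssl check needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba/openSUSE: audit the
# OpenLDAP client config that Samba's smbldap code reads, then prove the
# STARTTLS path end to end. Paths follow the thread (/etc/openldap/ldap.conf,
# /etc/openldap/cacerts/YaST-CA.pem); ldap.example.com and the base DN are
# placeholders.

# The "workaround" from the first post: STARTTLS is negotiated, but the server
# certificate is never requested or checked, so any host answering on 389
# (including an attacker on the LAN) is accepted as the directory.
weak_ldap_conf() {
    cat <<'EOF'
URI ldap://ldap.example.com
BASE dc=example,dc=com
TLS_REQCERT never
EOF
}

# The fix the thread settled on: require a certificate and name the CA that
# must have issued it.
hardened_ldap_conf() {
    cat <<'EOF'
URI ldap://ldap.example.com
BASE dc=example,dc=com
TLS_REQCERT hard
TLS_CACERT /etc/openldap/cacerts/YaST-CA.pem
EOF
}

# Return 0 if the ldap.conf at $1 verifies the server certificate, 1 otherwise.
# Per ldap.conf(5): "never" and "allow" both proceed on a bad or missing cert;
# "try", "demand" and "hard" (the default) refuse a bad one. Without TLS_CACERT
# or TLS_CACERTDIR there is no trust anchor, so even "hard" cannot succeed.
check_ldap_conf() {
    conf="$1"
    reqcert=$(grep -Ei '^[[:space:]]*TLS_REQCERT[[:space:]]+' "$conf" | tail -n 1 | awk '{print tolower($2)}')
    if [ -z "$reqcert" ]; then
        reqcert=demand
    fi
    case "$reqcert" in
        never|allow)
            echo "$conf: TLS_REQCERT $reqcert disables server certificate verification" >&2
            return 1 ;;
        try|demand|hard) ;;
        *)
            echo "$conf: unknown TLS_REQCERT value '$reqcert'" >&2
            return 1 ;;
    esac
    if ! grep -Eqi '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]+' "$conf"; then
        echo "$conf: no TLS_CACERT/TLS_CACERTDIR, server certificate cannot chain to a trusted CA" >&2
        return 1
    fi
    return 0
}

# Live check, as suggested in the thread: -ZZ makes ldapsearch fail unless
# STARTTLS succeeds AND the certificate passes the policy in the named
# ldap.conf (libldap honours the LDAPCONF variable). A successful Windows
# logon is not evidence of this; a zero exit status here is.
verify_starttls() {
    LDAPCONF="$2" ldapsearch -x -ZZ -H "ldap://$1" -b '' -s base namingContexts
}

# Independent view of the same handshake with OpenSSL 1.1.1 or newer, which
# can drive the LDAP STARTTLS exchange itself; -verify_return_error turns a
# chain failure into a non-zero exit instead of a warning in the output.
inspect_starttls() {
    openssl s_client -starttls ldap -connect "$1:389" \
        -CAfile /etc/openldap/cacerts/YaST-CA.pem -verify_return_error </dev/null
}

# Local DSA on the same host (the other option raised in the thread): point
# Samba at the Unix socket and skip TLS entirely. Socket path is an
# assumption (the usual slapd default); remote DSAs keep "ldap ssl = start tls"
# and must pass check_ldap_conf.
#   smb.conf:  passdb backend = ldapsam:ldapi://%2fvar%2frun%2fslapd%2fldapi
#              ldap ssl = off

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    weak_ldap_conf >"$tmp/weak.conf"
    hardened_ldap_conf >"$tmp/hardened.conf"
    for f in "$tmp/weak.conf" "$tmp/hardened.conf"; do
        if check_ldap_conf "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
    done
    rm -rf "$tmp"
    if command -v ldapsearch >/dev/null 2>&1; then
        verify_starttls "${LDAP_HOST:-ldap.example.com}" /etc/openldap/ldap.conf
    fi
fi
```

Run it with --demo to see the weak config rejected and the hardened one accepted, or call check_ldap_conf /etc/openldap/ldap.conf from a configuration check. Restart order matters for the live test just as the thread says: slapd must be up with its certificate before smbd (or ldapsearch) tries STARTTLS against it.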
