| Field | Value |
|---|---|
| Summary: | samba & LDAP, client certificates do not work |
| Product: | Fedora |
| Component: | samba |
| Version: | rawhide |
| Status: | CLOSED CURRENTRELEASE |
| Severity: | unspecified |
| Priority: | unspecified |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Reporter: | David Spurek <Spurek.D> |
| Assignee: | Guenther Deschner <gdeschner> |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| CC: | asn, dpal, gdeschner, jlayton, peljasz, ssorce |
| Doc Type: | Bug Fix |
| Last Closed: | 2013-01-30 09:55:01 UTC |
Can you please explain your use case? Which part of samba you are referring to: file server or winbind?

Use case: testing OpenLDAP's NSS backend. LDAP server requires client certificates. smb.conf is configured with the TLS (later in the test with SSL) option. Then user smbtstuser is added to ldap. With smbclient, test smbtstuser can access samba server.

Hi there, yes, for a long time I believed there was something wrong with my samba config, well it is still possible. According to the samba doc these options configure the tls connection to ldap:

    passdb backend = ldapsam:ldaps://

OR

    passdb backend = ldapsam:ldap://
    ldap ssl = start tls

I'm my own CA, locally, and have the certificate signed this way, for openldap. Everything else works just fine: smbldap-tools, nss_ldap, pam_ldap. All the above tools, having `start_tls` in their settings, can access the ldap server and retrieve information from it. Only samba cannot, at least I ain't able to get it to work. So I really wonder if it is not our Samba package that is buggy in some way. Yet I have not had a chance to test mainstream Samba. On the other hand, samba 3.5.6 on F13 seems to be just fine. 3.5.8 on F14 fails. I just get plenty of these:

    Apr 12 13:41:35 whale smbd[1808]: Failed to issue the StartTLS instruction: Connect error
    Apr 12 13:41:37 whale smbd[1808]: [2011/04/12 13:41:37.330752, 0] lib/smbldap.c:731(smb_ldap_start_tls)
    Apr 12 13:41:37 whale smbd[1808]: Failed to issue the StartTLS instruction: Connect error
    Apr 12 13:41:39 whale smbd[1808]: [2011/04/12 13:41:39.332087, 0] lib/smbldap.c:731(smb_ldap_start_tls)
    Apr 12 13:41:39 whale smbd[1808]: Failed to issue the StartTLS instruction: Connect error

regards
Pawel
Created attachment 491317 [details] Test

Description of problem:
When configuring samba through ldap such that the server requires client certificates, the connection does not work; smbclient cannot access samba. When client verification is dropped (but SSL/TLS and server verification are still enabled), everything works fine.

Version-Release number of selected component (if applicable):
samba-3.5.8-68.fc15.1.i686

How reproducible:
Always

Steps to Reproduce:
1. Configure samba to work with openldap over SSL/TLS with both server and client certificates, create a user on the ldap server, try to access samba with the user on ldap.

Additional info:
For a detailed reproducer including all necessary configuration, see the attached test; it is written using beakerlib (install the beakerlib package). Run it as root from the test directory by 'bash runtesh.sh'.
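One way to diagnose the setup described in the report and in Pawel's comment above, as an added example that is neither the reporter's beakerlib test nor Samba code. It assumes that samba's ldapsam backend reaches the directory through the system libldap, which takes the client certificate from ldap.conf (TLS_CERT/TLS_KEY) rather than from any smb.conf option; the host name and file paths in the sample configs are constructed.

```python
# Added checker (not the reporter's test script): samba's ldapsam talks to the
# directory through the system libldap, so a client certificate the LDAP server
# demands is taken from ldap.conf (TLS_CERT/TLS_KEY), not from smb.conf.
# This parses both files and lists why the StartTLS/ldaps session would fail.
# All file contents below are constructed samples.
def parse_smb_conf(text):
    """smb.conf: [section] headers and 'key = value' lines; keys are case-insensitive."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def parse_ldap_conf(text):
    """ldap.conf: 'KEY value' per line, keys case-insensitive (upper-cased here)."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return conf

def check_ldap_tls(smb_conf_text, ldap_conf_text, server_requires_client_cert=True):
    """Return the reasons the smbd -> LDAP TLS session would fail or be weak ([] if none)."""
    g = parse_smb_conf(smb_conf_text).get("global", {})
    ldap = parse_ldap_conf(ldap_conf_text)
    findings = []
    ldaps = "ldaps://" in g.get("passdb backend", "")
    starttls = g.get("ldap ssl", "off").lower().replace("_", " ") == "start tls"
    if not ldaps and not starttls:
        findings.append("plaintext LDAP: no ldaps:// URL and 'ldap ssl' is not 'start tls'")
    if server_requires_client_cert and not (ldap.get("TLS_CERT") and ldap.get("TLS_KEY")):
        findings.append("server requires a client certificate but ldap.conf has no TLS_CERT/TLS_KEY, so libldap offers none")
    reqcert = ldap.get("TLS_REQCERT", "demand").lower()   # libldap default is 'demand'
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: the LDAP server certificate is not verified" % reqcert)
    elif not (ldap.get("TLS_CACERT") or ldap.get("TLS_CACERTDIR")):
        findings.append("no TLS_CACERT/TLS_CACERTDIR: a server cert from a private CA cannot be verified")
    return findings

# Constructed samples: the reporter's smb.conf shape, ldap.conf without and with a client cert.
SMB_CONF = "[global]\n passdb backend = ldapsam:ldap://ldap.example.test\n ldap ssl = start tls\n"
LDAP_CONF_NO_CLIENT_CERT = "TLS_CACERT /etc/openldap/cacerts/ca.pem\nTLS_REQCERT demand\n"
LDAP_CONF_OK = LDAP_CONF_NO_CLIENT_CERT + "TLS_CERT /etc/openldap/smbd.pem\nTLS_KEY /etc/openldap/smbd.key\n"
```

Running `check_ldap_tls(SMB_CONF, LDAP_CONF_NO_CLIENT_CERT)` reproduces the report's situation (TLS on, server verified, no client certificate offered), while the `LDAP_CONF_OK` variant returns no findings.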