Bug 695447

Summary: samba & LDAP, client certificates do not work
Product: [Fedora] Fedora
Reporter: David Spurek <Spurek.D>
Component: samba
Assignee: Guenther Deschner <gdeschner>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: asn, dpal, gdeschner, jlayton, peljasz, ssorce
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-01-30 09:55:01 UTC
Attachments: Test (flags: none)

Description David Spurek 2011-04-11 18:58:16 UTC
Created attachment 491317 [details]
Test

Description of problem:

When configuring samba through ldap such that the server requires client
certificates, the connection does not work: smbclient cannot access samba.
When client verification is dropped (but SSL/TLS and server verification are
still enabled), everything works fine.

Version-Release number of selected component (if applicable):

samba-3.5.8-68.fc15.1.i686

How reproducible:

Always

Steps to Reproduce:

1. Configure samba to work with openldap over SSL/TLS with both server and
client certificates, create a user on the ldap server, and try to access samba with the ldap user.

Additional info:

For a detailed reproducer including all necessary configuration, see the attached
test; it is written using beakerlib (install the beakerlib package). Run it as root
from the test directory with 'bash runtesh.sh'.

Comment 1 Dmitri Pal 2011-04-11 19:05:32 UTC
Can you please explain your use case? Which part of samba are you referring to: the file server or winbind?

Comment 2 David Spurek 2011-04-11 19:35:25 UTC
Use case: testing OpenLDAP's NSS backend. The LDAP server requires client
certificates. smb.conf is configured with the TLS (later in the test, SSL) option.
Then the user smbtstuser is added to ldap. With smbclient, test whether smbtstuser can access the samba server.

Comment 3 lejeczek 2011-04-12 12:52:07 UTC
Hi there,

Yes, for a long time I believed there was something wrong with my samba config; well, it is still possible.
According to the samba docs, these options configure the TLS connection to ldap:

passdb backend = ldapsam:ldaps://
OR
passdb backend = ldapsam:ldap://
ldap ssl = start tls

I'm my own CA, locally, and have a certificate signed this way for openldap. Everything else works just fine:

smbldap-tools
nss_ldap
pam_ldap

All the above tools, having `start_tls` in their settings, can access the ldap server and retrieve information from it. Only samba cannot, at least I ain't able to get it to work.

So I really wonder if it is not our Samba package that is buggy in some way.
Yet I have not had a chance to test mainstream Samba.
On the other hand, samba 3.5.6 on F13 seems to be just fine.
3.5.8 on F14 fails.

I just get plenty of these:

Apr 12 13:41:35 whale smbd[1808]:   Failed to issue the StartTLS instruction: Connect error
Apr 12 13:41:37 whale smbd[1808]: [2011/04/12 13:41:37.330752,  0] lib/smbldap.c:731(smb_ldap_start_tls)
Apr 12 13:41:37 whale smbd[1808]:   Failed to issue the StartTLS instruction: Connect error
Apr 12 13:41:39 whale smbd[1808]: [2011/04/12 13:41:39.332087,  0] lib/smbldap.c:731(smb_ldap_start_tls)
Apr 12 13:41:39 whale smbd[1808]:   Failed to issue the StartTLS instruction: Connect error


regards
Pawel
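An added diagnostic example, not part of this bug report and not Samba's own code: a small Python script that (a) scans smbd syslog output for the "Failed to issue the StartTLS instruction" lines quoted in Comment 3 (those five lines are embedded below as constructed sample input) and (b) classifies the [global] section of an smb.conf fragment against the two TLS-to-LDAP shapes listed in Comment 3 (ldaps:// in the passdb URL, or ldap:// plus `ldap ssl = start tls`). The ldap.example.test hostname in the smb.conf fragments is made up; the smb.conf parser is a minimal one written for this example.

```python
import re
from collections import Counter

# Constructed sample input: the smbd syslog lines quoted in Comment 3.
SAMPLE_SYSLOG = """\
Apr 12 13:41:35 whale smbd[1808]:   Failed to issue the StartTLS instruction: Connect error
Apr 12 13:41:37 whale smbd[1808]: [2011/04/12 13:41:37.330752,  0] lib/smbldap.c:731(smb_ldap_start_tls)
Apr 12 13:41:37 whale smbd[1808]:   Failed to issue the StartTLS instruction: Connect error
Apr 12 13:41:39 whale smbd[1808]: [2011/04/12 13:41:39.332087,  0] lib/smbldap.c:731(smb_ldap_start_tls)
Apr 12 13:41:39 whale smbd[1808]:   Failed to issue the StartTLS instruction: Connect error
"""

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: +(?P<msg>.*)$"
)
STARTTLS_FAIL_RE = re.compile(r"Failed to issue the StartTLS instruction: (?P<reason>.+)$")


def starttls_failures(text):
    """Return (pid, timestamp, reason) for every StartTLS failure logged by smbd.
    The smbldap.c debug-header lines that precede each failure are skipped."""
    found = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") != "smbd":
            continue
        f = STARTTLS_FAIL_RE.search(m.group("msg"))
        if f:
            found.append((int(m.group("pid")), m.group("ts"), f.group("reason").strip()))
    return found


# Constructed smb.conf fragments: the two shapes from Comment 3, and a cleartext one.
SMBCONF_OK_LDAPS = """\
[global]
   passdb backend = ldapsam:ldaps://ldap.example.test
"""
SMBCONF_OK_STARTTLS = """\
[global]
   passdb backend = ldapsam:ldap://ldap.example.test
   ldap ssl = start tls
"""
SMBCONF_BAD = """\
[global]
   passdb backend = ldapsam:ldap://ldap.example.test
   ldap ssl = off
"""


def parse_smbconf_global(text):
    """Minimal smb.conf parser: key/value pairs of [global] only.
    Keys are lower-cased with internal whitespace collapsed, since smb.conf
    treats 'ldap ssl' and 'LDAP  SSL' as the same parameter."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def ldap_transport_check(text):
    """Classify how smb.conf reaches LDAP: 'ldaps', 'starttls', or a problem string.
    Only explicit settings are trusted; an unset 'ldap ssl' is flagged rather than
    assumed, so the check does not depend on a given Samba version's default."""
    p = parse_smbconf_global(text)
    backend = p.get("passdb backend", "")
    ssl = p.get("ldap ssl", "").lower()
    if not backend.startswith("ldapsam:"):
        return "no ldapsam backend configured"
    url = backend[len("ldapsam:"):].strip()
    if url.startswith("ldaps://"):
        return "ldaps"
    if url.startswith("ldap://") and ssl == "start tls":
        return "starttls"
    if url.startswith("ldap://") and not ssl:
        return "ldap ssl not set explicitly; set 'ldap ssl = start tls' for ldap:// URLs"
    return "cleartext ldap (ldap ssl = %s)" % (ssl or "unset")


if __name__ == "__main__":
    fails = starttls_failures(SAMPLE_SYSLOG)
    print("%d StartTLS failures, by reason: %s" % (len(fails), dict(Counter(r for _, _, r in fails))))
    for name, conf in (("ldaps", SMBCONF_OK_LDAPS), ("starttls", SMBCONF_OK_STARTTLS), ("bad", SMBCONF_BAD)):
        print("%-9s -> %s" % (name, ldap_transport_check(conf)))
```

Run it against `/var/log/messages` (or `journalctl -u smb` output) on the samba host to count how often smbd is failing StartTLS, and against the live smb.conf to confirm that the ldap URL scheme and `ldap ssl` agree with one of the two documented shapes before suspecting the certificate chain.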