Bug 695447 - samba & LDAP, client certificates do not work
Summary: samba & LDAP, client certificates do not work
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2011-04-11 18:58 UTC by David Spurek
Modified: 2013-01-30 09:55 UTC (History)

Doc Type: Bug Fix
Last Closed: 2013-01-30 09:55:01 UTC


Attachments
Test (10.19 KB, application/x-bzip)
2011-04-11 18:58 UTC, David Spurek

Description David Spurek 2011-04-11 18:58:16 UTC
Created attachment 491317 (Test)

Description of problem:

When configuring samba through ldap such that the server requires client
certificates, the connection does not work; smbclient cannot access samba.
When client verification is dropped (but SSL/TLS and server verification are
still enabled), everything works fine.

Version-Release number of selected component (if applicable):

samba-3.5.8-68.fc15.1.i686

How reproducible:

Always

Steps to Reproduce:

1. Configure samba to work with openldap over SSL/TLS with both server and
client certificates, create a user on the ldap server, and try to access samba with the user on ldap.

Additional info:

For a detailed reproducer including all necessary configuration, see the attached
test; it is written using beakerlib (install the beakerlib package). Run it as root
from the test directory with 'bash runtesh.sh'.

Comment 1 Dmitri Pal 2011-04-11 19:05:32 UTC
Can you please explain your use case? Which part of samba are you referring to: the file server or winbind?

Comment 2 David Spurek 2011-04-11 19:35:25 UTC
Use case: testing OpenLDAP's NSS backend. The LDAP server requires client
certificates. smb.conf is configured with the TLS (later in the test, SSL) option.
Then the user smbtstuser is added to ldap. With smbclient, test that smbtstuser can access the samba server.

Comment 3 lejeczek 2011-04-12 12:52:07 UTC
Hi there,

Yes, for a long time I believed there was something wrong with my samba config; well, it is still possible.
According to the samba docs, these options configure the TLS connection to ldap:

passdb backend = ldapsam:ldaps://
OR
passdb backend = ldapsam:ldap://
ldap ssl = start tls

I'm my own CA, locally, and have a certificate signed this way for openldap. Everything else works just fine:

smbldap-tools
nss_ldap
pam_ldap

All the above tools, having `start_tls` in their settings, can access the ldap server and retrieve information from it. Only samba cannot; at least I ain't able to get it to work.

So I really wonder if it is not our Samba package that is buggy in some way.
Yet I have not had a chance to test mainstream Samba.
On the other hand, samba 3.5.6 on F13 seems to be just fine.
3.5.8 on F14 fails.

I just get plenty of these:

Apr 12 13:41:35 whale smbd[1808]:   Failed to issue the StartTLS instruction: Connect error
Apr 12 13:41:37 whale smbd[1808]: [2011/04/12 13:41:37.330752,  0] lib/smbldap.c:731(smb_ldap_start_tls)
Apr 12 13:41:37 whale smbd[1808]:   Failed to issue the StartTLS instruction: Connect error
Apr 12 13:41:39 whale smbd[1808]: [2011/04/12 13:41:39.332087,  0] lib/smbldap.c:731(smb_ldap_start_tls)
Apr 12 13:41:39 whale smbd[1808]:   Failed to issue the StartTLS instruction: Connect error


regards
Pawel
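
For anyone monitoring smbd for this failure, an added example (not code from the report or from the samba project): a small Python parser for the two-line smbd log format shown above (a header with timestamp, debug level and source location, followed by the indented message), with the syslog prefix stripped, that counts StartTLS failures per function and reason. The sample lines are a constructed copy of the log excerpt in this comment.

```python
import re
from collections import Counter

# smbd header line, e.g. "[2011/04/12 13:41:37.330752,  0] lib/smbldap.c:731(smb_ldap_start_tls)"
HEADER_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]"
    r"\s+(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
# Syslog prefix ("Apr 12 13:41:37 whale smbd[1808]: ") that may precede either line.
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d{2}:\d{2}:\d{2} \S+ smbd\[\d+\]:\s?")

STARTTLS_FAIL = "Failed to issue the StartTLS instruction"


def parse_smbd_log(lines):
    """Pair each header line with the message line that follows it.

    A message with no preceding header (like the first line of the excerpt)
    is kept with func=None so nothing is silently dropped."""
    records, pending = [], None
    for raw in lines:
        text = SYSLOG_RE.sub("", raw.rstrip("\n"))
        m = HEADER_RE.match(text)
        if m:
            pending = m.groupdict()
            pending["level"], pending["line"] = int(pending["level"]), int(pending["line"])
            continue
        if not text.strip():
            continue
        base = pending or {"ts": None, "level": None, "file": None, "line": None, "func": None}
        records.append(dict(base, message=text.strip()))
        pending = None
    return records


def starttls_failures(records):
    """Count StartTLS failures per (function, reason), so a repeating
    'Connect error' from smb_ldap_start_tls stands out from a one-off."""
    counts = Counter()
    for r in records:
        if r["message"].startswith(STARTTLS_FAIL):
            reason = r["message"].split(":", 1)[1].strip() if ":" in r["message"] else ""
            counts[(r["func"], reason)] += 1
    return counts


# Constructed sample: the syslog lines quoted in the comment above.
SAMPLE = """\
Apr 12 13:41:35 whale smbd[1808]:   Failed to issue the StartTLS instruction: Connect error
Apr 12 13:41:37 whale smbd[1808]: [2011/04/12 13:41:37.330752,  0] lib/smbldap.c:731(smb_ldap_start_tls)
Apr 12 13:41:37 whale smbd[1808]:   Failed to issue the StartTLS instruction: Connect error
Apr 12 13:41:39 whale smbd[1808]: [2011/04/12 13:41:39.332087,  0] lib/smbldap.c:731(smb_ldap_start_tls)
Apr 12 13:41:39 whale smbd[1808]:   Failed to issue the StartTLS instruction: Connect error
""".splitlines()

if __name__ == "__main__":
    for (func, reason), n in starttls_failures(parse_smbd_log(SAMPLE)).items():
        print(f"{func}: '{reason}' x{n}")
```

Feed it `journalctl -u smb` or the samba log file instead of SAMPLE to watch a real host; a steadily growing count for smb_ldap_start_tls is the symptom described in this bug.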

