# Samba & OpenLDAP & TLS Problems...



## kastor (Jan 8, 2014)

Hi,

I'm currently setting up a new FreeBSD machine which is mainly acting as a file server using Samba. The user accounts are stored centrally in an LDAP server (OpenLDAP slapd 2.4.23, self-compiled to use OpenSSL instead of GnuTLS), which is also used by other services and runs on Debian. The accounts are stored and maintained with the Samba LDAP schema and the smbldap scripts.

I'm having trouble setting up the LDAP connectivity of Samba. The setup of the Samba host:

FreeBSD 10 RC4, amd64
Samba Version 3.6.22 (port with default options, including LDAP support)

Samba configuration:


```
$ testparm
Load smb config files from /usr/local/etc/smb.conf
Processing section "[home]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        dos charset = CP865
        unix charset = iso-8859-1
        display charset = iso-8859-1
        workgroup = WORKGROUP
        server string = File Server
        passdb backend = ldapsam:ldap://ldap.server:389
        log file = /var/log/samba/log.%m
        unix extensions = No
        name cache timeout = 300
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        ldap admin dn = cn=admin,dc=ldap,dc=server
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap
        ldap passwd sync = yes
        ldap suffix = dc=ldap,dc=server
        ldap user suffix = ou=users
        ldap debug level = 8
        multicast dns register = No
        ldapsam:trusted = yes
        idmap config * : ldap_base_dn = dc=ldap,dc=server
        idmap config * : ldap_url = ldap://ldap.server:389
        idmap config * : range = 10000 - 20000
        idmap config * : backend = ldap
        use sendfile = Yes
        store dos attributes = Yes
        wide links = Yes

[home]
        comment = home directory
        path = /home/%u
        read only = No
        create mask = 0644
        inherit permissions = Yes
```

LDAP client configuration:


```
$ grep '^[^#]' /usr/local/etc/openldap/ldap.conf
BASE            dc=ldap,dc=server
URI             ldap://ldap.server/
TLS_CACERT      /etc/ssl/ca.pem
TLS_REQCERT     hard
```

An `ldapsearch -x -ZZ` works fine.

The problem: whenever I start the Samba service, the connection to the LDAP server fails. Excerpt from the log:


```
[2014/01/08 23:47:21.493582,  2] lib/smbldap_util.c:278(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STORAGE))]
[2014/01/08 23:47:21.493722,  5] lib/smbldap.c:1439(smbldap_search_ext)
  smbldap_search_ext: base => [dc=ldap,dc=server], filter => [(&(objectClass=sambaDomain)(sambaDomainName=STORAGE))], scope => [2]
[2014/01/08 23:47:21.493959,  5] lib/smbldap.c:1341(smbldap_close)
  The connection to the LDAP server was closed
[2014/01/08 23:47:21.494025, 10] lib/smbldap.c:819(smb_ldap_setup_conn)
  smb_ldap_setup_connection: ldap://ldap.server:389
[2014/01/08 23:47:21.509539, 10] lib/ldap_debug_handler.c:26(samba_ldap_log_print_fn)
  [LDAP] TLS: can't connect: .
[2014/01/08 23:47:21.510008,  0] lib/smbldap.c:799(smb_ldap_start_tls)
  Failed to issue the StartTLS instruction: Connect error
```

The last line is repeated afterwards, and smbd hangs.

On the LDAP server, I'm getting the following log messages in the debug log:


```
Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 fd=13 ACCEPT from IP=FREEBSD_SERVER_IP:23970 (IP=0.0.0.0:389)
Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 op=0 STARTTLS
Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 op=0 RESULT oid= err=0 text=
Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 fd=13 closed (TLS negotiation failure)
...
```

Does anyone have an idea what I am doing wrong, or already know this problem?

Thanks in advance!
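To tie each "closed (TLS negotiation failure)" in the slapd log back to the client that opened the connection, here is an added example (not from any of the posts); the log lines are constructed to match the slapd format quoted above, with 192.0.2.x as placeholder addresses:

```shell
#!/bin/sh
# Added example: correlate slapd ACCEPT lines with "closed (TLS negotiation
# failure)" lines by conn= id, so each failed StartTLS can be tied to the
# client that opened it. Sample log is constructed; 192.0.2.x are placeholders.
SAMPLE_LOG='Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 fd=13 ACCEPT from IP=192.0.2.10:23970 (IP=0.0.0.0:389)
Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 op=0 STARTTLS
Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 op=0 RESULT oid= err=0 text=
Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 fd=13 closed (TLS negotiation failure)
Jan  8 23:47:25 LDAP slapd[15453]: conn=1048 fd=14 ACCEPT from IP=192.0.2.11:40122 (IP=0.0.0.0:389)
Jan  8 23:47:25 LDAP slapd[15453]: conn=1048 op=0 STARTTLS
Jan  8 23:47:25 LDAP slapd[15453]: conn=1048 op=0 RESULT oid= err=0 text=
Jan  8 23:47:25 LDAP slapd[15453]: conn=1048 fd=14 TLS established tls_ssf=256 ssf=256
Jan  8 23:47:26 LDAP slapd[15453]: conn=1048 fd=14 closed
Jan  8 23:47:30 LDAP slapd[15453]: conn=1049 fd=13 ACCEPT from IP=192.0.2.10:23971 (IP=0.0.0.0:389)
Jan  8 23:47:30 LDAP slapd[15453]: conn=1049 fd=13 closed (TLS negotiation failure)'

# Reads slapd syslog lines on stdin; prints "<conn> <client ip:port>" for every
# connection that slapd closed with a TLS negotiation failure. Keyed by conn=,
# not fd=, because slapd reuses file descriptors (conn 1047 and 1049 above).
tls_failures() {
    awk '
        /ACCEPT from IP=/ {
            conn = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) conn = substr($i, 6)
            for (i = 1; i <= NF; i++) if ($i ~ /^IP=/) { peer[conn] = substr($i, 4); break }
        }
        /closed \(TLS negotiation failure\)/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) conn = substr($i, 6)
            p = (conn in peer) ? peer[conn] : "unknown"
            print conn, p
            delete peer[conn]
        }'
}

# Aggregates tls_failures by client address (port stripped), most frequent
# first, for the case where more than one host talks to the same slapd.
failing_clients() {
    tls_failures | awk '{ sub(/:[0-9]+$/, "", $2); n[$2]++ }
                        END { for (h in n) print n[h], h }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | failing_clients
```

Feed it the real log with `tls_failures < /var/log/slapd.log` (path is an assumption); a handshake that reached "TLS established" is deliberately not reported.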


----------



## dburkland (Feb 2, 2014)

I am getting the same issue, and even when I recompile the "samba36" port without LDAP support the issue still occurs.

Any help would be greatly appreciated.

Thanks,

Dan


----------



## kastor (Feb 2, 2014)

Hey Dan,

For now, I have a workaround in place using security/stunnel, which connects via SSL to the LDAP server and provides a local, unencrypted endpoint for net/samba36.


----------



## dburkland (Feb 2, 2014)

Hi kastor,

Thanks for the information. Would you mind posting your stunnel configuration file? I have not dealt much with it, and it would help a lot.

Thanks!

Dan


----------



## kastor (Feb 2, 2014)

The configuration is really a standard one; there is most definitely room for improvement. But at least it brought the net/samba36 server to life again.


```
client = yes
chroot = /usr/local/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid

[ldaps]
accept = 127.0.0.1:389
connect = LDAP_SERVER:636
```

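The same stunnel shim with the slapd certificate actually verified, as an added example that is not kastor's own file: as posted, stunnel accepts whatever certificate the port-636 endpoint presents. It assumes the CA bundle is /etc/ssl/ca.pem (the path from the OP's ldap.conf) and keeps LDAP_SERVER as a placeholder.

```shell
#!/bin/sh
# Added example, not the poster's file: the stunnel workaround from the thread
# with peer verification turned on. Assumptions: the CA bundle lives at
# /etc/ssl/ca.pem as in the OP's ldap.conf; LDAP_SERVER is a placeholder.
write_stunnel_conf() {
    # $1 output path, $2 CA bundle path, $3 LDAP server host
    cat > "$1" <<EOF
client = yes
chroot = /usr/local/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid

[ldaps]
accept = 127.0.0.1:389
connect = $3:636
; verify = 2 requires a valid chain to a CA in CAfile; without it the
; server certificate is not checked at all
verify = 2
CAfile = $2
EOF
}

# Refuses a config that would still run without peer verification.
check_stunnel_conf() {
    grep -q '^verify = 2$' "$1" && grep -q '^CAfile = .' "$1"
}

write_stunnel_conf ./stunnel-ldaps.conf /etc/ssl/ca.pem LDAP_SERVER
check_stunnel_conf ./stunnel-ldaps.conf && echo "peer verification enabled"
```

verify = 2 checks the chain only, not the name in the certificate, so keep CAfile limited to the CA that issued the slapd certificate rather than a general bundle.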

----------



## dpejesh (Feb 2, 2014)

Doesn't look like your smb.conf has any TLS settings, which is probably why it's failing when issuing StartTLS.


----------



## dburkland (Feb 2, 2014)

That doesn't make any sense, as I am using my Samba installation as a standalone server (no LDAP backend). I have tried to install the "samba41" package and it exhibits the same behavior. After doing a truss of the "smbd" process, it is definitely looking at "/usr/local/etc/nss_ldap.conf" even though no LDAP functionality is specified within "smb.conf" (or "smb4.conf" if you are using Samba > 4.0). I also tried the stunnel method using the aforementioned configuration, and no luck either :\ In the meantime I have disabled LDAP lookups via "/etc/nsswitch.conf" for the "passwd" & "group" databases, which results in Samba working properly (otherwise commands like smbpasswd hang until you kill them).

Any ideas on troubleshooting this further would be very helpful.

Thanks!

Dan


----------



## dpejesh (Feb 2, 2014)

dburkland said:

> That doesn't make any sense as I am using my Samba installation as a standalone server (No LDAP backend).



My response was to the OP. Your issue doesn't seem related.



> After doing a truss of the "smbd" process it is definitely looking at "/usr/local/etc/nss_ldap.conf" even though no LDAP functionality is specified within "smb.conf" (or "smb4.conf" if you are using >Samba4.0).... In the mean time I have disabled ldap lookups via "/etc/nsswitch.conf" for the "passwd" & "group" databases which results in Samba working properly (otherwise commands like smbpasswd hang until you kill them).



I'm not sure exactly what error you're running into, but the reason you're seeing access to nss_ldap.conf is because your Samba installation is talking to PAM and that in turn is talking to LDAP. With the little information I've gathered from your problem, removing ldap from your nsswitch.conf indicates that you have local accounts which Samba is looking for. This makes me believe you had ldap listed first in your nsswitch.conf directives (e.g. `ldap files`). Your LDAP/PAM integration might not be configured to allow the system to fall through to the local files if it fails to find the entries in LDAP (again though, this is just a hunch). My suggestion is to order them as `files ldap`. This should tell PAM to check local accounts first, then LDAP. The OP's problem is that he's trying to have Samba talk directly to LDAP and didn't configure his smb.conf properly.



> I also tried the stunnel method using the aforementioned configuration and no luck either :\



I'd stay away from such awful hacks. Best to find the real problem instead of masking it with a shim like this. All he's doing is having stunnel accept the SSL certificate, then act as an unencrypted proxy, when it's just a few lines of configuration changes that need to be made to smb.conf to tell it where to find the certs.


----------

