Samba 4 ldaps:// server functionality

Monday, June 10. 2013

My Fedora 19 project continues... An attempt to get Samba working. They upgraded into version 4 and obviously my version 3 smb.conf had issues. See my article about getting Samba to use LDAP as userbase backend.

The obvious problem was, that it didn't work. :-(

A log entry from the failue:

../source3/lib/smbldap.c:575(smbldap_start_tls)
  Failed to issue the StartTLS instruction: Connect error
../source3/passdb/pdb_ldap.c:6531(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
../source3/passdb/pdb_interface.c:177(make_pdb_method_name)
  pdb backend ldapsam:ldap://my.server did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

I confirmed the existing settings:

passdb backend = ldapsam:ldap://my.server
ldap ssl = start tls

After a nice while of reading manual pages, an attempt to fix:

passdb backend = ldapsam:ldaps://my.server
ldap ssl = off

Yielded an improvement:

../source3/lib/smbldap.c:998(smbldap_connect_system)
  failed to bind to server ldaps://my.server with dn="uid=root,ou=People,dc=my,dc=domain" Error: Can't contact LDAP server
        TLS error -8179:Peer's Certificate issuer is not recognized.
../source3/passdb/pdb_ldap.c:6531(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
../source3/passdb/pdb_interface.c:177(make_pdb_method_name)
  pdb backend ldapsam:ldaps://my.server did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

This, however, was an easy fix. It was a simple SElinux issue:

semanage fcontext -a -t cert_t /etc/openldap/cacerts
restorecon -R -v /etc/openldap/cacerts

To my amazement SElinux context does not change on a local unix-socket request. When Samba makes the request to get user information, the LDAPd certificate store needs to have proper SElinux type for the directory. OpenLDAP does not make such checks and works fully.

Also allowing requests to home directories too:

setsebool -P samba_enable_home_dirs 1

After all this, I was happy to get my Samba-shares working again. CUPS-printing does not. But I'll fix that on some day.

by Jari Turkia in Linux at 20:00 | Comments (4) | Share in LinkedIn
(Page 1 of 1, totaling 1 entries)

Calendar

Mon Tue Wed Thu Fri Sat Sun
Back June '13 Forward
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30

Quicksearch

Archives

Categories

RSS feeds of this Blog

Blog Administration

Open login screen

Powered by

Parts of this serendipity template are by Abdussamad Abdurrazzaq and Jari Turkia. License