[389-users] Problem with samba and 389 Directory server with LDAPS

Angel Bosch Mora angbosch at conselldemallorca.net
Wed Sep 28 11:52:20 UTC 2011


are you sure your certificate is created with your FQDN in it? 

i've had a LOT of problems until i created my certs correctly. 

you can check it with 

openssl x509 -noout -text -in server.crt 

and i recommend that you include your FQDN as Alternative Name even if it is your hostname, that trick saved me a lot of headaches. i always create my certs with two alternate names, the FQDN itself and also ldap.<mydomain> 

this way you don't have any problems with loadbalancing and such. 

to create a cert request with alternate names you can run (one line) 

certutil -R -s "CN=myserver.example.com,OU=example,O=example,L=example,ST=example,C=example" -o example.csr -d . -a -8 myserver.example.com,ldap.example.com 
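Added example, not from this thread and not 389 or Samba project code: a small shell script that builds a self-signed test certificate carrying the two alternate names recommended above (assumed names myserver.example.com and ldap.example.com), prints its SAN extension, and runs OpenSSL's hostname verification against it, showing that the FQDN and the ldap alias are accepted while a bare IP (constructed 192.0.2.10, the pattern used in the Samba config quoted below) is rejected. It assumes OpenSSL 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example (not from the list thread): make a test LDAPS cert whose
# subjectAltName carries both the FQDN and an "ldap." alias, then check which
# connection names OpenSSL's hostname verification accepts. Assumed names:
# myserver.example.com / ldap.example.com and a constructed IP 192.0.2.10.
# Requires OpenSSL 1.1.1 or newer (-addext, -ext, -verify_hostname).
set -e

WORK=$(mktemp -d)
CERT="$WORK/server.crt"
KEY="$WORK/server.key"

# Generate a self-signed cert with the two SAN entries the reply recommends.
# Self-signed only so the example runs offline; a real deployment would
# submit a CSR (like the certutil -8 one above) to its CA instead.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$KEY" -out "$CERT" \
        -subj "/CN=myserver.example.com/O=example" \
        -addext "subjectAltName=DNS:myserver.example.com,DNS:ldap.example.com" \
        >/dev/null 2>&1
}

# Print just the SAN extension, the field to look for in `openssl x509 -text`.
show_san() {
    openssl x509 -noout -ext subjectAltName -in "$CERT"
}

# Return 0 if NAME is accepted as the peer name for CERT, 1 otherwise.
# -CAfile "$CERT" trusts the self-signed cert so only the name check matters.
check_name() {
    name="$1"
    openssl verify -CAfile "$CERT" -verify_hostname "$name" "$CERT" >/dev/null 2>&1
}

make_cert
show_san
for n in myserver.example.com ldap.example.com 192.0.2.10; do
    if check_name "$n"; then echo "$n: accepted"; else echo "$n: rejected"; fi
done
```

Pointing a client at the IP address fails the name check because the certificate only lists DNS names, which is why the reply insists on connecting by the exact name in the certificate.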
[2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_open_connection(786) 
smbldap_open_connection: connection opened 
[2011/09/28 11:23:13, 10] lib/smbldap.c:smbldap_connect_system(951) 
ldap_connect_system: Binding to ldap server ldaps://adm301.stag.cle.us as "cn=Directory Manager" 
[2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_connect_system(982) 
failed to bind to server ldaps://"FQDN of server".stag.cle.us with dn="cn=Directory Manager" Error: Can't contact LDAP server 
(unknown) 



And yes I can resolve the hostname which I have sanitized. 



Thanks for the tip, but that doesn’t seem to help, still have same result. This was just working on another machine but I had to put that one back to the way it was, and must have missed something. Any more thoughts? 





From: 389-users-bounces at lists.fedoraproject.org [mailto:389-users-bounces at lists.fedoraproject.org] On Behalf Of Angel Bosch Mora 
Sent: Wednesday, September 28, 2011 3:39 AM 
To: General discussion list for the 389 Directory server project. 
Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS 




you have to use FQDN when connecting securely. and you have to use the exact name used in the certificate. 





I am getting the following message in the /var/log/samba/smbd.log file when I start up samba and try to connect as a user. 



[2011/09/27 14:23:33, 1] lib/smbldap.c:another_ldap_try(1153) 
Connection to LDAP server failed for the 15 try! 
[2011/09/27 14:23:34, 10] lib/smbldap.c:smb_ldap_setup_conn(630) 
smb_ldap_setup_connection: ldaps://192.168.3.79 
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_open_connection(786) 
smbldap_open_connection: connection opened 
[2011/09/27 14:23:34, 10] lib/smbldap.c:smbldap_connect_system(951) 
ldap_connect_system: Binding to ldap server ldaps://192.168.x.x as "cn=directory manager,dc=stag,dc=cle,dc=us" 
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_connect_system(982) 
failed to bind to server ldaps://192.168.x.x with dn="cn=directory manager,dc=stag,dc=cle,dc=us" Error: Can't contact LDAP server 
(unknown) 



Relevant part of the smb.conf 

passdb backend = ldapsam:ldaps://192.168.x.x 
ldap suffix = dc=stag,dc=cle,dc=us 
ldap machine suffix = ou=people 
ldap user suffix = ou=people 
ldap group suffix = ou=groups 
ldap passwd sync = yes 
ldap admin dn = cn=directory manager,dc=stag,dc=cle,dc=us 
obey pam restrictions = yes 



I was able to run smbpasswd -w to add the dn admin password to the secrets.tdb but am unable to add additional users as well, again getting a cannot contact ldap server message. I had this working on another machine, but that machine was needed for another purpose and lost the setup. I know I must be missing something simple and am checking the HOWTO for samba on the 389-Directory Server site. 

David Hoskinson | DATATRAK International 
Systems Engineer 
Mayfield Heights, Ohio, USA 
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m) 
david.hoskinson at datatrak.net | www.datatrak.net 




-- 
389 users mailing list 
389-users at lists.fedoraproject.org 
https://admin.fedoraproject.org/mailman/listinfo/389-users 

