[389-users] Problem with samba and 389 Directory server with LDAPS

Rich Megginson rmeggins at redhat.com
Wed Sep 28 14:42:11 UTC 2011


On 09/28/2011 07:39 AM, David Hoskinson wrote:
>
> [root at xxx ZDRIVE]# certutil -d /etc/dirsrv/slapd-xxx01 -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CA certificate                                               CTu,u,u
> server-cert                                                  u,u,u
> Server-Cert                                                  u,u,u
>
certutil -d /etc/dirsrv/slapd-xxx01 -L -n Server-Cert
>
> Thanks Rich….
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Wednesday, September 28, 2011 9:24 AM
> *To:* General discussion list for the 389 Directory server project.
> *Cc:* David Hoskinson
> *Subject:* Re: [389-users] Problem with samba and 389 Directory server 
> with LDAPS
>
> On 09/28/2011 06:47 AM, David Hoskinson wrote:
>
> I do not have a server.crt. I created my certs using the following 
> page on the 389 documentation
>
> http://directory.fedoraproject.org/wiki/Howto:SSL
>
> which creates a cert8.db and key3.db
>
> in the past I could do certutil -L something and it would show the 
> cert information but can’t seem to find that command anymore.
>
> certutil -d /etc/dirsrv/slapd-instance -L
>
> I can authenticate from localhost and any of the client machines even 
> the samba server just fine… I just can’t seem to get samba service to 
> connect.  If I have setup things incorrectly I appreciate the help.
>
> *From:*389-users-bounces at lists.fedoraproject.org 
> <mailto:389-users-bounces at lists.fedoraproject.org> 
> [mailto:389-users-bounces at lists.fedoraproject.org] *On Behalf Of 
> *Angel Bosch Mora
> *Sent:* Wednesday, September 28, 2011 7:52 AM
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Problem with samba and 389 Directory server 
> with LDAPS
>
> are you sure your certificate is created with your FQDN in it?
>
> i've had a LOT of problems until i created my certs correctly.
>
> you can check it with
>
>    openssl x509 -noout -text -in server.crt
>
> and i recommend that you include your FQDN as an Alternative Name even if 
> it is your hostname; that trick saved me a lot of headaches. i always 
> create my certs with two alternate names, the FQDN itself and also 
> ldap.<mydomain>
>
> this way you don't have any problems with loadbalancing and such.
>
> to create a certificate request with alternate names you can run (one line)
>
> certutil -R -s "CN=myserver.example.com,OU=example,O=example,L=example,ST=example,C=example" -o example.csr -d . -a -8 myserver.example.com,ldap.example.com
>
>
> ------------------------------------------------------------------------
>
>     [2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_open_connection(786)
>
>       smbldap_open_connection: connection opened
>
>     [2011/09/28 11:23:13, 10] lib/smbldap.c:smbldap_connect_system(951)
>
>       ldap_connect_system: Binding to ldap server
>     ldaps://adm301.stag.cle.us as "cn=Directory Manager"
>
>     [2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_connect_system(982)
>
>       failed to bind to server ldaps://"FQDN of server".stag.cle.us
>     with dn="cn=Directory Manager" Error: Can't contact LDAP server
>
>             (unknown)
>
>     And yes I can resolve the hostname which I have sanitized.
>
>     Thanks for the tip, but that doesn’t seem to help, still have same
>     result.   This was just working on another machine but I had to
>     put that one back to the way it was, and must have missed
>     something.  Any more thoughts?
>
>     *From:*389-users-bounces at lists.fedoraproject.org
>     <mailto:389-users-bounces at lists.fedoraproject.org>
>     [mailto:389-users-bounces at lists.fedoraproject.org] *On Behalf Of
>     *Angel Bosch Mora
>     *Sent:* Wednesday, September 28, 2011 3:39 AM
>     *To:* General discussion list for the 389 Directory server project.
>     *Subject:* Re: [389-users] Problem with samba and 389 Directory
>     server with LDAPS
>
>     you have to use FQDN when connecting securely. and you have to use
>     the exact name used in the certificate.
>
>     ------------------------------------------------------------------------
>
>         I am getting the following message in the
>         /var/log/samba/smbd.log file when I start up samba and try to
>         connect as a user.
>
>         [2011/09/27 14:23:33, 1] lib/smbldap.c:another_ldap_try(1153)
>
>           Connection to LDAP server failed for the 15 try!
>
>         [2011/09/27 14:23:34, 10] lib/smbldap.c:smb_ldap_setup_conn(630)
>
>           smb_ldap_setup_connection: ldaps://192.168.3.79
>
>         [2011/09/27 14:23:34, 2]
>         lib/smbldap.c:smbldap_open_connection(786)
>
>           smbldap_open_connection: connection opened
>
>         [2011/09/27 14:23:34, 10]
>         lib/smbldap.c:smbldap_connect_system(951)
>
>           ldap_connect_system: Binding to ldap server
>         ldaps://192.168.x.x as "cn=directory manager,dc=stag,dc=cle,dc=us"
>
>         [2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_connect_system(982)
>
>           failed to bind to server ldaps://192.168.x.x with
>         dn="cn=directory manager,dc=stag,dc=cle,dc=us" Error: Can't
>         contact LDAP server
>
>                 (unknown)
>
>         Relevant part of the smb.conf
>
>            passdb backend = ldapsam:ldaps://192.168.x.x
>
>            ldap suffix = dc=stag,dc=cle,dc=us
>
>            ldap machine suffix = ou=people
>
>            ldap user suffix = ou=people
>
>            ldap group suffix = ou=groups
>
>            ldap passwd sync = yes
>
>            ldap admin dn = cn=directory manager,dc=stag,dc=cle,dc=us
>
>            obey pam restrictions = yes
>
>         I was able to run smbpasswd -w to add the dn admin password to
>         the secrets.tdb but am unable to add additional users as well,
>         again getting a cannot contact ldap server message.  I had
>         this working on another machine, but that machine was needed
>         for another purpose and lost the setup.  I know I must be
>         missing something simple and am checking the HOWTO for samba
>         on the 389-Directory Server site.
>
>         David Hoskinson | *DATATRAK*International
>         Systems Engineer
>         Mayfield Heights, Ohio, USA
>         +1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
>         david.hoskinson at datatrak.net
>         <mailto:david.hoskinson at datatrak.net> | www.datatrak.net
>         <http://www.datatrak.net/>
>
>
>         --
>         389 users mailing list
>         389-users at lists.fedoraproject.org
>         <mailto:389-users at lists.fedoraproject.org>
>         https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>
>   
>   
>
>
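The thread turns on one point: Samba's `passdb backend = ldapsam:ldaps://192.168.x.x` points at an IP address, while the 389 server certificate carries only the FQDN (and, following Angel's advice, a second DNS name in the Subject Alternative Name), so the TLS hostname check behind every `ldaps://` bind fails with "Can't contact LDAP server". The following script is an added example, not code from the 389 Directory Server or Samba projects and not something posted in the thread. It takes the text printed by `openssl x509 -noout -text` (a constructed sample is embedded; the names `myserver.example.com` and `ldap.example.com` are the ones from Angel's `certutil -R ... -8` command, not the poster's real hosts), pulls the names the certificate is valid for, and checks whether the host in an smb.conf `passdb backend` value would pass the hostname check. It goes slightly beyond the thread by also handling a leftmost wildcard label, which the usual TLS matching rules allow.

```python
"""Check whether the host in a Samba 'passdb backend = ldapsam:ldaps://...'
value is a name that the LDAP server's certificate actually covers.

Added example (not 389 or Samba project code). Parses the text that
'openssl x509 -noout -text' prints and applies the usual TLS hostname
rules: an IP literal never matches a DNS name, a short hostname does not
match the FQDN in the cert, and a leftmost '*.' label matches one label.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of 'openssl x509 -noout -text -in server.crt' output for
# a cert requested with: certutil -R ... -8 myserver.example.com,ldap.example.com
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C=example, ST=example, L=example, O=example, OU=example, CN=myserver.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:myserver.example.com, DNS:ldap.example.com
"""


def cert_names(cert_text):
    """Return the DNS names the certificate is valid for: the SAN dNSName
    entries, or the subject CN only when there are no SAN DNS entries."""
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", cert_text)
    if m:
        entries = [e.strip() for e in m.group(1).split(",")]
        san = [e.split(":", 1)[1] for e in entries if e.startswith("DNS:")]
        if san:
            return san
    # Fallback for old certs without a SAN: CN from the Subject line.
    # Handles both 'CN=x' (older openssl) and 'CN = x' (newer openssl).
    m = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", cert_text, re.M)
    return [m.group(1).strip()] if m else []


def ldaps_host(passdb_backend):
    """Return (scheme, host) from an smb.conf value such as
    'ldapsam:ldaps://host:636'; the 'ldapsam:' prefix is optional."""
    url = passdb_backend.strip()
    if url.startswith("ldapsam:"):
        url = url[len("ldapsam:"):]
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an ldap(s):// URL: %r" % passdb_backend)
    return parts.scheme, parts.hostname


def hostname_matches(host, names):
    """Match the way a TLS client does: exact (case-insensitive) or a single
    leftmost wildcard label. IP literals never match DNS names."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # '.example.com'
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
    return False


def check_passdb_backend(passdb_backend, cert_text):
    """Return (ok, reason): will Samba's LDAP URL pass the certificate
    hostname check that an ldaps:// bind performs?"""
    scheme, host = ldaps_host(passdb_backend)
    if scheme != "ldaps":
        return True, "plain ldap://: no certificate check (and no TLS)"
    names = cert_names(cert_text)
    listed = ", ".join(names) or "<no names>"
    if hostname_matches(host, names):
        return True, "%s is covered by the certificate (%s)" % (host, listed)
    try:
        ipaddress.ip_address(host)
        return False, "%s is an IP address; the certificate only names %s" % (host, listed)
    except ValueError:
        return False, "%s is not one of the certificate names %s; use the exact FQDN" % (host, listed)


if __name__ == "__main__":
    for value in ("ldapsam:ldaps://192.168.3.79",
                  "ldapsam:ldaps://myserver",
                  "ldapsam:ldaps://myserver.example.com",
                  "ldapsam:ldaps://ldap.example.com:636"):
        ok, why = check_passdb_backend(value, SAMPLE_CERT_TEXT)
        print("%-45s %s: %s" % (value, "OK  " if ok else "FAIL", why))
```

On a live system the certificate text comes from `openssl x509 -noout -text -in server.crt` (or, for the NSS database a 389 instance uses, `certutil -d /etc/dirsrv/slapd-instance -L -n Server-Cert -a` piped through the same openssl command); the script only parses that text, it does not touch the network.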


