Samba & OpenLDAP & TLS Problems...

kastor · Jan 8, 2014

Hi,

I'm currently setting up a new FreeBSD machine which is mainly acting as a file server using Samba. The user accounts are stored centrally in an LDAP server (OpenLDAP slapd 2.4.23, self compiled to use OpenSSL instead of GnuTLS), which is also used by other services and runs on Debian. The accounts are stored and maintained with the Samba LDAP scheme and the smb-ldap scripts.

I've trouble setting up the LDAP connectivity of Samba. The setup of the Samba host:

FreeBSD 10 RC4, amd64
Samba Version 3.6.22 (port with default options, including LDAP support)

Samba configuration:

Code:

$ testparm
Load smb config files from /usr/local/etc/smb.conf
Processing section "[home]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        dos charset = CP865
        unix charset = iso-8859-1
        display charset = iso-8859-1
        workgroup = WORKGROUP
        server string = File Server
        passdb backend = ldapsam:ldap://ldap.server:389
        log file = /var/log/samba/log.%m
        unix extensions = No
        name cache timeout = 300
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        ldap admin dn = cn=admin,dc=ldap,dc=server
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap
        ldap passwd sync = yes
        ldap suffix = dc=ldap,dc=server
        ldap user suffix = ou=users
        ldap debug level = 8
        multicast dns register = No
        ldapsam:trusted = yes
        idmap config * : ldap_base_dn = dc=ldap,dc=server
        idmap config * : ldap_url = ldap://ldap.server:389
        idmap config * : range = 10000 - 20000
        idmap config * : backend = ldap
        use sendfile = Yes
        store dos attributes = Yes
        wide links = Yes

[home]
        comment = home directory
        path = /home/%u
        read only = No
        create mask = 0644
        inherit permissions = Yes

LDAP cient configuration

Code:

$ grep '^[^#]' /usr/local/etc/openldap/ldap.conf
BASE            dc=ldap,dc=server
URI             ldap://ldap.server/
TLS_CACERT      /etc/ssl/ca.pem
TLS_REQCERT     hard

A ldapsearch -x -ZZ works fine.

The problem: whenever I'm starting the Samba service, the connection to the LDAP server fails. Excerpt from the log:

Code:

[2014/01/08 23:47:21.493582,  2] lib/smbldap_util.c:278(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STORAGE))]
[2014/01/08 23:47:21.493722,  5] lib/smbldap.c:1439(smbldap_search_ext)
  smbldap_search_ext: base => [dc=ldap,dc=server], filter => [(&(objectClass=sambaDomain)(sambaDomainName=STORAGE))], scope => [2]
[2014/01/08 23:47:21.493959,  5] lib/smbldap.c:1341(smbldap_close)
  The connection to the LDAP server was closed
[2014/01/08 23:47:21.494025, 10] lib/smbldap.c:819(smb_ldap_setup_conn)
  smb_ldap_setup_connection: ldap://ldap.server:389
[2014/01/08 23:47:21.509539, 10] lib/ldap_debug_handler.c:26(samba_ldap_log_print_fn)
  [LDAP] TLS: can't connect: .
[2014/01/08 23:47:21.510008,  0] lib/smbldap.c:799(smb_ldap_start_tls)
  Failed to issue the StartTLS instruction: Connect error

The last line is repeated afterwards, and smbd hangs.

On the LDAP server, I'm getting the following log messages in the debug log:

Code:

Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 fd=13 ACCEPT from IP=FREEBSD_SERVER_IP:23970 (IP=0.0.0.0:389)
Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 op=0 STARTTLS
Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 op=0 RESULT oid= err=0 text=
Jan  8 23:47:21 LDAP slapd[15453]: conn=1047 fd=13 closed (TLS negotiation failure)
...

Does anyone have an idea what am I doing wrong, or knows this problem already?

Thanks in advance!

dburkland · Feb 2, 2014

I am getting the same issue and even when I recompile the "samba36" port without LDAP support the issue still occurs.

Any help would be greatly appreciated.

Thanks,

Dan

kastor · Feb 2, 2014

Hey Dan,

for now, I've a workaround in place using security/stunnel connecting via SSL to the ldap server which provides a local, unencrypted endpoint for net/samba36.

dburkland · Feb 2, 2014

Hi kastor,

Thanks for the information, would you mind posting your stunnel configuration file? I have not dealt much with it and it would help a lot.

Thanks!

Dan

kastor · Feb 2, 2014

The configuration is really a standard one, there is most definitely room for improvement. But at least it brought the net/samba36 server to live again

Code:

client = yes
chroot = /usr/local/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
client = yes
[ldaps]
accept = 127.0.0.1:389
connect = LDAP_SERVER:636

dpejesh · Feb 2, 2014

Doesn't look like your smb.conf has any tls settings which is probably why it's failing when issuing starttls.

dburkland · Feb 2, 2014

That doesn't make any sense as I am using my Samba installation as a standalone server (No LDAP backend). I have tried to install the "samba41" package and it exhibits the same behavior. After doing a truss of the "smbd" process it is definitely looking at "/usr/local/etc/nss_ldap.conf" even though no LDAP functionality is specified within "smb.conf" (or "smb4.conf" if you are using >Samba4.0). I also tried the stunnel method using the aforementioned configuration and no luck either :\ In the mean time I have disabled ldap lookups via "/etc/nsswitch.conf" for the "passwd" & "group" databases which results in Samba working properly (otherwise commands like smbpasswd hang until you kill them).

Any ideas on troubleshooting this further would be very help.

Thanks!

Dan

dpejesh · Feb 2, 2014

dburkland said:
That doesn't make any sense as I am using my Samba installation as a standalone server (No LDAP backend).

My response was to the OP. Your issue doesn't seem related.

After doing a truss of the "smbd" process it is definitely looking at "/usr/local/etc/nss_ldap.conf" even though no LDAP functionality is specified within "smb.conf" (or "smb4.conf" if you are using >Samba4.0).... In the mean time I have disabled ldap lookups via "/etc/nsswitch.conf" for the "passwd" & "group" databases which results in Samba working properly (otherwise commands like smbpasswd hang until you kill them).

I'm not sure exactly what error you're running into, but the reason you're seeing access to nss_ldap.conf is because your Samba installation is talking to PAM and that in turn is talking to LDAP. With the little information I've gathered from your problem, removing ldap from your nsswitch.conf indicates that you have local accounts which Samba is looking for. This makes me believe you had ldap listed first in your nsswitch.conf directives (eg. ldap files). Your LDAP/PAM integration might not be configured to allow the system to fall through to the local files if it fails to find the entries in LDAP (again though, this is just a hunch). My suggestion is to order them as 'files ldap'. This should tell PAM to check local accounts first then LDAP. The OP's problem is that he's trying to have Samba talk directly to LDAP and didn't configure his smb.conf properly.

I also tried the stunnel method using the aforementioned configuration and no luck either :\

I'd stay away from such awful hacks. Best to find the real problem instead of masking it with a shim like this. All he's doing is having stunnel accept the SSL certificate then act as an unencrypted proxy when it's just a few lines of configuration changes that need to be made to smb.conf to tell it where to find the certs.