Are you sure your certificate is created with your FQDN in it? 

I've had a lot of problems until I created my certs correctly. 

you can check it with 

openssl x509 -noout -text -in server.crt 

and I recommend that you include your FQDN as an Alternative Name even if it is your 
hostname; that trick saved me a lot of headaches. I always create my certs with 
two alternate names, the FQDN itself and also ldap.<mydomain> 

this way you don't have any problems with loadbalancing and such. 

To create a certificate request (CSR) with alternate names you can run (one line; the 
list after -8 is comma-separated with no spaces): 

certutil -R -s "CN=myserver.example.com,OU=example,O=example,L=example,ST=example,C=example" -o example.csr -d . -a -8 myserver.example.com,ldap.example.com 
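As an added illustration (not code from this thread), a small Python check of the point made above: the host written in the ldaps:// URL must match a Subject Alternative Name entry of the server certificate, and an IP address in the URL can only ever match an IP SAN, never the DNS names. The SAN list and the URLs are constructed; no real certificate or server is contacted.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list: what `openssl x509 -noout -text` would print under
# "X509v3 Subject Alternative Name" for a cert requested with -8 as above.
SERVER_SAN = [("DNS", "myserver.example.com"), ("DNS", "ldap.example.com")]


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS name match: case-insensitive, wildcard only as the
    whole leftmost label, and never matching more than one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def host_from_ldap_url(url: str) -> str:
    """Return the host part of an ldap:// or ldaps:// URL (lower-cased)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    return parts.hostname


def cert_matches_host(san, host: str) -> bool:
    """True if the host is covered by a SAN entry. An IP literal is matched
    only by an IP SAN; DNS SANs never match an IP, which is exactly why
    ldaps://192.168.3.79 fails against a cert that only names the FQDN."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san:
        if kind == "IP" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
        if kind == "DNS" and ip is None and _dns_match(value, host):
            return True
    return False


def check_passdb_backend(backend: str, san=SERVER_SAN) -> str:
    """Apply the check to an smb.conf 'passdb backend = ldapsam:<url>' value."""
    url = backend.partition(":")[2] or backend   # "ldapsam:ldaps://h" -> "ldaps://h"
    host = host_from_ldap_url(url)
    if cert_matches_host(san, host):
        return f"ok: {host} matches a SAN entry"
    return f"mismatch: {host} is not in SAN {[v for _, v in san]}"
```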

[2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_open_connection(786) 
smbldap_open_connection: connection opened 
[2011/09/28 11:23:13, 10] lib/smbldap.c:smbldap_connect_system(951) 
ldap_connect_system: Binding to ldap server ldaps://adm301.stag.cle.us as "cn=Directory Manager" 
[2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_connect_system(982) 
failed to bind to server ldaps://”FQDN of server”.stag.cle.us with dn="cn=Directory Manager" Error: Can't contact LDAP server 
(unknown) 



And yes I can resolve the hostname which I have sanitized. 



Thanks for the tip, but that doesn’t seem to help, still have same result. This 
was just working on another machine but I had to put that one back to the way 
it was, and must have missed something. Any more thoughts? 





From: [email protected] [mailto:[email protected]] On Behalf Of Angel Bosch Mora 
Sent: Wednesday, September 28, 2011 3:39 AM 
To: General discussion list for the 389 Directory server project. 
Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS 




You have to use the FQDN when connecting securely, and you have to use the exact 
name used in the certificate. 





I am getting the following message in the /var/log/samba/smbd.log file when I 
start up samba and try to connect as a user. 



[2011/09/27 14:23:33, 1] lib/smbldap.c:another_ldap_try(1153) 
Connection to LDAP server failed for the 15 try! 
[2011/09/27 14:23:34, 10] lib/smbldap.c:smb_ldap_setup_conn(630) 
smb_ldap_setup_connection: ldaps://192.168.3.79 
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_open_connection(786) 
smbldap_open_connection: connection opened 
[2011/09/27 14:23:34, 10] lib/smbldap.c:smbldap_connect_system(951) 
ldap_connect_system: Binding to ldap server ldaps://192.168.x.x as "cn=directory manager,dc=stag,dc=cle,dc=us" 
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_connect_system(982) 
failed to bind to server ldaps://192.168.x.x with dn="cn=directory manager,dc=stag,dc=cle,dc=us" Error: Can't contact LDAP server 
(unknown) 



Relevant part of the smb.conf: 

passdb backend = ldapsam:ldaps://192.168.x.x 
ldap suffix = dc=stag,dc=cle,dc=us 
ldap machine suffix = ou=people 
ldap user suffix = ou=people 
ldap group suffix = ou=groups 
ldap passwd sync = yes 
ldap admin dn = cn=directory manager,dc=stag,dc=cle,dc=us 
obey pam restrictions = yes 



I was able to run smbpasswd -w to add the admin DN password to the secrets.tdb, 
but am unable to add additional users, again getting a "cannot contact 
ldap server" message. I had this working on another machine, but that machine 
was needed for another purpose and I lost the setup. I know I must be missing 
something simple and am checking the HOWTO for samba on the 389 Directory 
Server site. 

David Hoskinson | DATATRAK International 
Systems Engineer 
Mayfield Heights, Ohio, USA 
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m) 
[email protected] | www.datatrak.net 




-- 
389 users mailing list 
[email protected] 
https://admin.fedoraproject.org/mailman/listinfo/389-users 

