[root@xxx ZDRIVE]# certutil -d /etc/dirsrv/slapd-xxx01 -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,u
server-cert                                                  u,u,u
Server-Cert                                                  u,u,u

Thanks Rich….

From: Rich Megginson [mailto:[email protected]]
Sent: Wednesday, September 28, 2011 9:24 AM
To: General discussion list for the 389 Directory server project.
Cc: David Hoskinson
Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS

On 09/28/2011 06:47 AM, David Hoskinson wrote:
I do not have a server.crt..  I created my certs using the following page on 
the 389 documentation

http://directory.fedoraproject.org/wiki/Howto:SSL

which creates a cert8.db and key3.db

in the past I could do certutil -L something and it would show the cert 
information but can't seem to find that command anymore.

   certutil -d /etc/dirsrv/slapd-instance -L


I can authenticate from localhost and any of the client machines, even the samba 
server, just fine… I just can't seem to get the samba service to connect.  If I have 
set things up incorrectly I appreciate the help.


From: [email protected] On Behalf Of Angel Bosch Mora
Sent: Wednesday, September 28, 2011 7:52 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS

Are you sure your certificate is created with your FQDN in it?

I've had a LOT of problems until I created my certs correctly.

You can check it with

   openssl x509 -noout -text -in server.crt

and I recommend that you include your FQDN as an Alternative Name even if it is your 
hostname; that trick saved me a lot of headaches. I always create my certs with 
two alternate names, the FQDN itself and also ldap.<mydomain>

This way you don't have any problems with load balancing and such.

To create a certificate request with alternate names you can run (one line)

   certutil -R -s "CN=myserver.example.com,OU=example,O=example,L=example,ST=example,C=example" -o example.csr -d . -a -8 myserver.example.com,ldap.example.com


________________________________
[2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2011/09/28 11:23:13, 10] lib/smbldap.c:smbldap_connect_system(951)
  ldap_connect_system: Binding to ldap server ldaps://adm301.stag.cle.us as "cn=Directory Manager"
[2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_connect_system(982)
  failed to bind to server ldaps://"FQDN of server".stag.cle.us with dn="cn=Directory Manager" Error: Can't contact LDAP server
        (unknown)

And yes I can resolve the hostname which I have sanitized.

Thanks for the tip, but that doesn't seem to help, still have the same result.   
This was just working on another machine but I had to put that one back to the 
way it was, and must have missed something.  Any more thoughts?

From: [email protected] On Behalf Of Angel Bosch Mora
Sent: Wednesday, September 28, 2011 3:39 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS

You have to use the FQDN when connecting securely, and you have to use the exact 
name used in the certificate.
________________________________
I am getting the following message in the /var/log/samba/smbd.log file when I 
start up samba and try to connect as a user.

[2011/09/27 14:23:33, 1] lib/smbldap.c:another_ldap_try(1153)
  Connection to LDAP server failed for the 15 try!
[2011/09/27 14:23:34, 10] lib/smbldap.c:smb_ldap_setup_conn(630)
  smb_ldap_setup_connection: ldaps://192.168.3.79
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2011/09/27 14:23:34, 10] lib/smbldap.c:smbldap_connect_system(951)
  ldap_connect_system: Binding to ldap server ldaps://192.168.x.x as "cn=directory manager,dc=stag,dc=cle,dc=us"
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_connect_system(982)
  failed to bind to server ldaps://192.168.x.x with dn="cn=directory manager,dc=stag,dc=cle,dc=us" Error: Can't contact LDAP server
        (unknown)

Relevant part of the smb.conf

   passdb backend = ldapsam:ldaps://192.168.x.x
   ldap suffix = dc=stag,dc=cle,dc=us
   ldap machine suffix = ou=people
   ldap user suffix = ou=people
   ldap group suffix = ou=groups
   ldap passwd sync = yes
   ldap admin dn = cn=directory manager,dc=stag,dc=cle,dc=us
   obey pam restrictions = yes

I was able to run smbpasswd -w to add the dn admin password to the secrets.tdb 
but am unable to add additional users as well, again getting a cannot contact 
ldap server message.  I had this working on another machine, but that machine 
was needed for another purpose and lost the setup.  I know I must be missing 
something simple and am checking the HOWTO for samba on the 389-Directory 
Server site.
David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
[email protected] | www.datatrak.net
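The recurring point in this thread is that an LDAPS client has to connect to the exact name carried by the server certificate (a Subject Alternative Name, or the CN only when no SAN exists), so a `passdb backend` URL with an IP literal such as ldaps://192.168.x.x will never match a certificate that only carries DNS names. The script below is an added example, not code from the thread, from Samba or from 389 Directory Server. It parses a `passdb backend` value from smb.conf, applies the name-matching rules to a set of certificate names, and counts smbldap bind failures in smbd.log text. SAMPLE_CERT, the 192.0.2.10 address and SAMPLE_LOG are constructed sample input; the matching rules go beyond the thread by also handling wildcard DNS SANs and IP SANs.

```python
"""Check an LDAPS target name against the names in a server certificate.

Added example, not code from the 389-users thread or from Samba/389-ds.
Standard library only. SAMPLE_CERT and SAMPLE_LOG are constructed input;
the hostname rules follow RFC 6125 (SANs over CN, left-most-label wildcard).
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed: names a server cert would carry if issued from a CSR made with
#   certutil -R ... -8 myserver.example.com,ldap.example.com
SAMPLE_CERT = {
    "cn": "myserver.example.com",
    "dns": ["myserver.example.com", "ldap.example.com"],
    "ip": [],
}

# Constructed smbd.log excerpt modelled on the thread (192.0.2.10 is a
# documentation address standing in for the sanitised 192.168.x.x).
SAMPLE_LOG = """\
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_connect_system(982)
  failed to bind to server ldaps://192.0.2.10 with dn="cn=directory manager,dc=stag,dc=cle,dc=us" Error: Can't contact LDAP server
[2011/09/27 14:23:35, 2] lib/smbldap.c:smbldap_connect_system(982)
  failed to bind to server ldaps://192.0.2.10 with dn="cn=directory manager,dc=stag,dc=cle,dc=us" Error: Can't contact LDAP server
"""

BIND_FAIL = re.compile(r'failed to bind to server (\S+) with dn="[^"]*" Error: (.+)')


def parse_passdb_url(value):
    """'ldapsam:ldaps://host[:port]/' -> (scheme, host, port); port defaults by scheme."""
    value = value.strip()
    if value.startswith("ldapsam:"):
        value = value[len("ldapsam:"):]
    parts = urlsplit(value)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % value)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.scheme, parts.hostname or "", port


def _dns_name_match(pattern, host):
    """Exact match, or '*' as the entire left-most label of a name with >= 2 more labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def host_matches_cert(host, cert):
    """Return (ok, reason). IP targets need an IP SAN; DNS SANs win over the CN."""
    try:
        target_ip = ipaddress.ip_address(host)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        if not cert["ip"]:
            return False, "target is an IP literal but the certificate has no IP SAN"
        if any(ipaddress.ip_address(i) == target_ip for i in cert["ip"]):
            return True, "IP literal matches an IP SAN"
        return False, "IP literal matches none of the IP SANs"
    if cert["dns"]:
        if any(_dns_name_match(p, host) for p in cert["dns"]):
            return True, "host name matches a DNS SAN"
        return False, "host name matches no DNS SAN (CN is ignored once SANs exist)"
    if cert.get("cn") and _dns_name_match(cert["cn"], host):
        return True, "host name matches the CN (certificate has no SAN)"
    return False, "host name matches neither a SAN nor the CN"


def check_passdb_backend(value, cert=SAMPLE_CERT):
    """Lint one smb.conf 'passdb backend' value -> (scheme, host, ok, reason)."""
    scheme, host, _port = parse_passdb_url(value)
    if scheme != "ldaps":
        return scheme, host, True, "plain ldap://: no certificate name check applies"
    ok, reason = host_matches_cert(host, cert)
    return scheme, host, ok, reason


def bind_failures(log_text):
    """Count smbldap bind failures per (server URL, error) from smbd.log text."""
    counts = {}
    for m in BIND_FAIL.finditer(log_text):
        key = (m.group(1), m.group(2).strip())
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for value in ("ldapsam:ldaps://192.0.2.10", "ldapsam:ldaps://ldap.example.com"):
        scheme, host, ok, reason = check_passdb_backend(value)
        print("%-40s %s: %s" % (value, "OK" if ok else "MISMATCH", reason))
    for (url, err), n in bind_failures(SAMPLE_LOG).items():
        print("%d bind failure(s) against %s: %s" % (n, url, err))
```

Run as a script it reports the IP-literal URL as a mismatch and the FQDN URL as a match against the sample names. In practice the DNS and IP SANs would be copied from the output of the `openssl x509 -noout -text -in server.crt` command mentioned earlier in the thread rather than from SAMPLE_CERT.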


--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users

