Hi, I'm working hard to setup winbind and openLDAP work together with TLS
My networks contains: - a windows server 2008 R2 domain controller - a debian 6 based file server (openmediavault v0.4) running OpenLDAP 2.4.23 and Samba v3.5.6 - a debian 7 computer running winbind 3.6.6 I want to let OpenLDAP store SID <=> uig/gid mapping to ensure constant uid and gid for users on all linux based computers and then use both CIFS and NFS. I'm trying to solve my issue on openmediavault (debian 6) only for now, because I get the exact same issue when trying to establish communication between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6). I created a self signed certificate authority with openssl and created a private key and a certificate for te file server. I used the same certificate authority to create an other key and certificate for my debian 7 computer. OpenLDAP uses his key and is configured to check clients certificates. winbind on the same computer uses the same key and certificate to communicate with openLDAP and is configured to check the openLDAP's certificate. When running winbind in interactive debug mode everything is running file and wbinfo -i user is able to allocate an uid to the user. an other try shows the uid assigned is effectively retrived from openLDAP. The command line I'm using to test winbind is : winbindd -F -i -d idmap:10. I tried also to run openLDAP in debug mode with the command line slapd -d 1. the logs produced show that openLDAP and winbind work together with encryption in both directions. When I run winbind daemon with the command line service winbind start, the TLS connection cannot be initiated and I cannot allocate a uid to any user using wbinfo -i user. Let's see the configuration files (domain name obsfucated) : ##cn=config.ldif dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65 creatorsName: cn=config createTimestamp: 20130803105505Z olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt olcTLSVerifyClient: demand entryCSN: 20130803125708.704922Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20130803125708Z ##smb.conf #======================= Global Settings ======================= [global] workgroup = DOMAIN server string = %h server include = /etc/samba/dhcp.conf dns proxy = no log level = 0 syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 syslog only = yes panic action = /usr/share/samba/panic-action %d encrypt passwords = true passdb backend = tdbsam obey pam restrictions = yes unix password sync = no passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . pam password change = yes socket options = TCP_NODELAY IPTOS_LOWDELAY guest account = nobody load printers = no disable spoolss = yes printing = bsd printcap name = /dev/null unix extensions = yes wide links = no create mask = 0777 directory mask = 0777 use sendfile = no null passwords = no local master = yes time server = no wins support = no password server = * realm = DOMAIN.LOCAL security = ads allow trusted domains = no ; ; samba 3.5.6 idmap configuration ; idmap backend = ldap:ldap://omv.domain.local ldap admin dn = cn=winbind-idmap,dc=domain,dc=local ldap idmap suffix = ou=Idmap ldap suffix = dc=domain,dc=local ldap ssl = start tls ldap debug level = 4 ldap debug threshold = 1 idmap uid = 16777216-50000000 idmap gid = 16777216-50000000 idmap config * : backend = ldap idmap config * : ldap_url = ldap://omv.domain.local idmap config * : ldap_anon = no idmap config * : ldap_base_dn = ou=Idmap,dc=domain,dc=local idmap config * : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local idmap config * : range = 16777216-50000000 idmap alloc backend = ldap idmap alloc config : ldap_url = ldap://omv.domain.local idmap alloc config : ldap_base_dn = ou=Idmap,dc=domain,dc=local idmap alloc config : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local winbind use default domain = true winbind offline logon = false ; disable enum users/groups on medium or large organization (affects performance) ; if disabled this will disable domain users/groups enumeration with getent winbind enum users = yes winbind enum groups = yes winbind separator = / winbind nested groups = yes ;winbind normalize names = yes winbind refresh tickets = yes ;template primary group = users template shell = /bin/bash template homedir = /home/%D/%U socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 client ntlmv2 auth = yes client use spnego = yes #======================= Share Definitions ======================= #======================= Home Directories ======================= [homes] comment = Home directories browseable = yes writable = yes create mask = 0640 directory mask = 0750 valid users = %S ##/etc/ldap/ldap.conf URI ldap://omv.domain.local TLS_CACERT /etc/ssl/certs/ca-certificates.crt TLS_REQCERT demand ##/root/ldaprc TLS_CERT /etc/ssl/certs/omv-domain-local.crt TLS_KEY /etc/ssl/private/omv-domain-local.key Let me say also that ca-certificates.crt contains the certificate for my self signed authority. What am I missing to make it run smootly ? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
