Hi, I found a possible workaround to my issue myself. It seems to be working.
After reading one more time about ldap.conf, I tried to export environment variables to set my private key and my certificate. This seems to be working on both Debian 6 and Debian 7:

I commented out TLS_KEY and TLS_CERT in /root/ldaprc and checked that winbind cannot work with OpenLDAP in debug mode, as expected.

I edited /etc/defaults/winbind and added the following lines:

export LDAPTLS_CERT="/etc/ssl/certs/omv-domain-local.crt"
export LDAPTLS_KEY="/etc/ssl/private/omv-domain-local.key"

I restarted winbind with the command line "service winbind restart". Now "wbinfo -i user" is working and I get a uid for the user.

I will check further to ensure there is no more related issue.

2013/8/5 thierry DeTheGeek <[email protected]>

> Hi,
>
> I'm working hard to set up winbind and OpenLDAP to work together with TLS.
>
> My network contains:
> - a Windows Server 2008 R2 domain controller
> - a Debian 6 based file server (openmediavault v0.4) running OpenLDAP
>   2.4.23 and Samba v3.5.6
> - a Debian 7 computer running winbind 3.6.6
>
> I want to let OpenLDAP store SID <=> uid/gid mapping to ensure constant
> uid and gid for users on all Linux based computers and then use both CIFS
> and NFS.
>
> I'm trying to solve my issue on openmediavault (Debian 6) only for now,
> because I get the exact same issue when trying to establish communication
> between winbind 3.6.6 (on Debian 7) and OpenLDAP (on Debian 6).
>
> I created a self-signed certificate authority with openssl and created a
> private key and a certificate for the file server. I used the same
> certificate authority to create another key and certificate for my Debian
> 7 computer.
>
> OpenLDAP uses its key and is configured to check client certificates.
> winbind on the same computer uses the same key and certificate to
> communicate with OpenLDAP and is configured to check OpenLDAP's
> certificate.
>
> When running winbind in interactive debug mode everything is running fine
> and "wbinfo -i user" is able to allocate a uid to the user. Another try
> shows the uid assigned is effectively retrieved from OpenLDAP. The command
> line I'm using to test winbind is: winbindd -F -i -d idmap:10. I tried
> also to run OpenLDAP in debug mode with the command line slapd -d 1.
>
> The logs produced show that OpenLDAP and winbind work together with
> encryption in both directions.
>
> When I run the winbind daemon with the command line "service winbind start",
> the TLS connection cannot be initiated and I cannot allocate a uid to any
> user using "wbinfo -i user".
>
> Let's see the configuration files (domain name obfuscated):
>
> ##cn=config.ldif
>
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /var/run/slapd/slapd.args
> olcLogLevel: none
> olcPidFile: /var/run/slapd/slapd.pid
> olcToolThreads: 1
> structuralObjectClass: olcGlobal
> entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65
> creatorsName: cn=config
> createTimestamp: 20130803105505Z
> olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
> olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key
> olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt
> olcTLSVerifyClient: demand
> entryCSN: 20130803125708.704922Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20130803125708Z
>
> ##smb.conf
> #======================= Global Settings =======================
> [global]
> workgroup = DOMAIN
> server string = %h server
> include = /etc/samba/dhcp.conf
> dns proxy = no
> log level = 0
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog only = yes
> panic action = /usr/share/samba/panic-action %d
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = no
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> socket options = TCP_NODELAY IPTOS_LOWDELAY
> guest account = nobody
> load printers = no
> disable spoolss = yes
> printing = bsd
> printcap name = /dev/null
> unix extensions = yes
> wide links = no
> create mask = 0777
> directory mask = 0777
> use sendfile = no
> null passwords = no
> local master = yes
> time server = no
> wins support = no
> password server = *
> realm = DOMAIN.LOCAL
> security = ads
> allow trusted domains = no
>
> ;
> ; samba 3.5.6 idmap configuration
> ;
>
> idmap backend = ldap:ldap://omv.domain.local
> ldap admin dn = cn=winbind-idmap,dc=domain,dc=local
> ldap idmap suffix = ou=Idmap
> ldap suffix = dc=domain,dc=local
> ldap ssl = start tls
> ldap debug level = 4
> ldap debug threshold = 1
>
> idmap uid = 16777216-50000000
> idmap gid = 16777216-50000000
> idmap config * : backend = ldap
> idmap config * : ldap_url = ldap://omv.domain.local
> idmap config * : ldap_anon = no
> idmap config * : ldap_base_dn = ou=Idmap,dc=domain,dc=local
> idmap config * : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
> idmap config * : range = 16777216-50000000
>
> idmap alloc backend = ldap
> idmap alloc config : ldap_url = ldap://omv.domain.local
> idmap alloc config : ldap_base_dn = ou=Idmap,dc=domain,dc=local
> idmap alloc config : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
>
> winbind use default domain = true
> winbind offline logon = false
>
> ; disable enum users/groups on medium or large organization (affects performance)
> ; if disabled this will disable domain users/groups enumeration with getent
> winbind enum users = yes
> winbind enum groups = yes
>
> winbind separator = /
> winbind nested groups = yes
> ;winbind normalize names = yes
> winbind refresh tickets = yes
> ;template primary group = users
> template shell = /bin/bash
> template homedir = /home/%D/%U
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> client ntlmv2 auth = yes
> client use spnego = yes
>
> #======================= Share Definitions =======================
> #======================= Home Directories =======================
> [homes]
> comment = Home directories
> browseable = yes
> writable = yes
> create mask = 0640
> directory mask = 0750
> valid users = %S
>
> ##/etc/ldap/ldap.conf
> URI ldap://omv.domain.local
> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>
> TLS_REQCERT demand
>
> ##/root/ldaprc
>
> TLS_CERT /etc/ssl/certs/omv-domain-local.crt
> TLS_KEY /etc/ssl/private/omv-domain-local.key
>
> Let me say also that ca-certificates.crt contains the certificate for my
> self-signed authority.
>
> What am I missing to make it run smoothly?

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
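The workaround in the thread works because libldap looks for ldaprc/.ldaprc in $HOME, which an init script does not normally set for the daemon it starts, whereas ldap.conf(5) lets every option be supplied instead as an LDAP<option> environment variable that is read regardless of $HOME. As an added example (not code from the thread or from Samba/OpenLDAP), the following POSIX shell script converts the TLS_* directives of an ldaprc into the export lines the author placed in the winbind defaults file, and checks that the referenced certificate and key files are readable by the account it is run as; the sample ldaprc it builds is constructed for the demonstration and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: turn the TLS_* directives of
# an OpenLDAP ldaprc/ldap.conf file into the LDAPTLS_* environment variables
# that libldap honours even when the process has no $HOME (the init-script
# case the thread describes). The output is meant to be appended to the file
# the winbind init script sources.

# ldaprc_to_env FILE
# Prints one 'export LDAP<directive>="<value>"' line per recognised TLS_*
# directive in FILE. Comment lines and blank lines are skipped; URI, BASE and
# other non-TLS directives are left to ldap.conf.
ldaprc_to_env() {
    file="$1"
    [ -r "$file" ] || { echo "ldaprc_to_env: cannot read $file" >&2; return 1; }
    # '|| [ -n "$line" ]' keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        key=${line%%[[:space:]]*}                  # first whitespace-delimited token
        value=${line#"$key"}                       # remainder of the line
        value=${value#"${value%%[![:space:]]*}"}   # strip leading whitespace
        value=${value%"${value##*[![:space:]]}"}   # strip trailing whitespace
        # ldap.conf(5): each option may also be given as LDAP<option> in the environment.
        case "$key" in
            TLS_CERT|TLS_KEY|TLS_CACERT|TLS_REQCERT)
                printf 'export LDAP%s="%s"\n' "$key" "$value" ;;
        esac
    done < "$file"
}

# tls_files_readable FILE...
# Returns 0 only if every path exists and is readable by the caller. Run it as
# the account the daemon runs under: a key that only the interactive user can
# read makes the TLS handshake fail in service mode while debug mode works.
tls_files_readable() {
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || { echo "not readable: $f" >&2; rc=1; }
    done
    return $rc
}

# Demonstration on a constructed ldaprc mirroring the one in the thread.
demo_rc=$(mktemp)
cat > "$demo_rc" <<'EOF'
# constructed sample, same directives as /root/ldaprc in the post
TLS_CERT /etc/ssl/certs/omv-domain-local.crt
TLS_KEY    /etc/ssl/private/omv-domain-local.key
URI ldap://omv.domain.local
EOF
ldaprc_to_env "$demo_rc"
rm -f "$demo_rc"
```

Run the script as the user the init script starts winbindd under and append its output to the defaults file; TLS_CACERT and TLS_REQCERT from /etc/ldap/ldap.conf are still picked up from that system-wide file, so only the per-user ldaprc needs translating.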
