Did you try using LDAPS (ldap over SSL, typically on port 636.) I
can't speak specifically about it with winbind BUT I have found that in
other situations LDAPS creates less headaches with CA cert issues.
On 08/06/13 05:27, thierry DeTheGeek wrote:
Hi,
I found a possible workaround to my issue myself. It seems to be working.
After reading one more time about ldap.conf I tried to export environment
variables to set my private key and my certificate.
This seems to be working on both debian 6 and debian 7:
I dommented out TLS_KEY and TLS_CERT in /root/ldaprc and checked that
winbind cannot work with OpenLDAP in debug mode, as expected.
I edited /etc/defaults/winbind and added the following lines
export LDAPTLS_CERT="/etc/ssl/certs/omv-domain-local.crt"
export LDAPTLS_KEY="/etc/ssl/private/omv-domain-local.key"
I restarted winbind with the command line service winbind restart. Now
wbinfo -i user is working and I get an uid for the user.
I will check further to ensure there is no more related issue.
2013/8/5 thierry DeTheGeek <detheg...@gmail.com>
Hi,
I'm working hard to setup winbind and openLDAP work together with TLS
My networks contains:
- a windows server 2008 R2 domain controller
- a debian 6 based file server (openmediavault v0.4) running OpenLDAP
2.4.23 and Samba v3.5.6
- a debian 7 computer running winbind 3.6.6
I want to let OpenLDAP store SID <=> uig/gid mapping to ensure constant
uid and gid for users on all linux based computers and then use both CIFS
and NFS.
I'm trying to solve my issue on openmediavault (debian 6) only for now,
because I get the exact same issue when trying to establish communication
between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6).
I created a self signed certificate authority with openssl and created a
private key and a certificate for te file server. I used the same
certificate authority to create an other key and certificate for my debian
7 computer.
OpenLDAP uses his key and is configured to check clients certificates.
winbind on the same computer uses the same key and certificate to
communicate with openLDAP and is configured to check the openLDAP's
certificate.
When running winbind in interactive debug mode everything is running file
and wbinfo -i user is able to allocate an uid to the user. an other try
shows the uid assigned is effectively retrived from openLDAP. The command
line I'm using to test winbind is : winbindd -F -i -d idmap:10. I tried
also to run openLDAP in debug mode with the command line slapd -d 1.
the logs produced show that openLDAP and winbind work together with
encryption in both directions.
When I run winbind daemon with the command line service winbind start, the
TLS connection cannot be initiated and I cannot allocate a uid to any user
using wbinfo -i user.
Let's see the configuration files (domain name obsfucated) :
##cn=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65
creatorsName: cn=config
createTimestamp: 20130803105505Z
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key
olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt
olcTLSVerifyClient: demand
entryCSN: 20130803125708.704922Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20130803125708Z
##smb.conf
#======================= Global Settings =======================
[global]
workgroup = DOMAIN
server string = %h server
include = /etc/samba/dhcp.conf
dns proxy = no
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
%n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = no
null passwords = no
local master = yes
time server = no
wins support = no
password server = *
realm = DOMAIN.LOCAL
security = ads
allow trusted domains = no
;
; samba 3.5.6 idmap configuration
;
idmap backend = ldap:ldap://omv.domain.local
ldap admin dn = cn=winbind-idmap,dc=domain,dc=local
ldap idmap suffix = ou=Idmap
ldap suffix = dc=domain,dc=local
ldap ssl = start tls
ldap debug level = 4
ldap debug threshold = 1
idmap uid = 16777216-50000000
idmap gid = 16777216-50000000
idmap config * : backend = ldap
idmap config * : ldap_url = ldap://omv.domain.local
idmap config * : ldap_anon = no
idmap config * : ldap_base_dn = ou=Idmap,dc=domain,dc=local
idmap config * : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
idmap config * : range = 16777216-50000000
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://omv.domain.local
idmap alloc config : ldap_base_dn = ou=Idmap,dc=domain,dc=local
idmap alloc config : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local
winbind use default domain = true
winbind offline logon = false
; disable enum users/groups on medium or large organization (affects
performance)
; if disabled this will disable domain users/groups enumeration with getent
winbind enum users = yes
winbind enum groups = yes
winbind separator = /
winbind nested groups = yes
;winbind normalize names = yes
winbind refresh tickets = yes
;template primary group = users
template shell = /bin/bash
template homedir = /home/%D/%U
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client ntlmv2 auth = yes
client use spnego = yes
#======================= Share Definitions =======================
#======================= Home Directories =======================
[homes]
comment = Home directories
browseable = yes
writable = yes
create mask = 0640
directory mask = 0750
valid users = %S
##/etc/ldap/ldap.conf
URI ldap://omv.domain.local
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand
##/root/ldaprc
TLS_CERT /etc/ssl/certs/omv-domain-local.crt
TLS_KEY /etc/ssl/private/omv-domain-local.key
Let me say also that ca-certificates.crt contains the certificate for my
self signed authority.
What am I missing to make it run smootly ?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
