[Samba] Fwd: TLS between winbind and openldap
Hi, I found a possible workaround to my issue myself. It seems to be working. After reading one more time about ldap.conf I tried to export environment variables to set my private key and my certificate. This seems to be working on both debian 6 and debian 7: I dommented out TLS_KEY and TLS_CERT in /root/ldaprc and checked that winbind cannot work with OpenLDAP in debug mode, as expected. I edited /etc/defaults/winbind and added the following lines export LDAPTLS_CERT=/etc/ssl/certs/omv-domain-local.crt export LDAPTLS_KEY=/etc/ssl/private/omv-domain-local.key I restarted winbind with the command line service winbind restart. Now wbinfo -i user is working and I get an uid for the user. I will check further to ensure there is no more related issue. 2013/8/5 thierry DeTheGeek detheg...@gmail.com Hi, I'm working hard to setup winbind and openLDAP work together with TLS My networks contains: - a windows server 2008 R2 domain controller - a debian 6 based file server (openmediavault v0.4) running OpenLDAP 2.4.23 and Samba v3.5.6 - a debian 7 computer running winbind 3.6.6 I want to let OpenLDAP store SID = uig/gid mapping to ensure constant uid and gid for users on all linux based computers and then use both CIFS and NFS. I'm trying to solve my issue on openmediavault (debian 6) only for now, because I get the exact same issue when trying to establish communication between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6). I created a self signed certificate authority with openssl and created a private key and a certificate for te file server. I used the same certificate authority to create an other key and certificate for my debian 7 computer. OpenLDAP uses his key and is configured to check clients certificates. winbind on the same computer uses the same key and certificate to communicate with openLDAP and is configured to check the openLDAP's certificate. When running winbind in interactive debug mode everything is running file and wbinfo -i user is able to allocate an uid to the user. an other try shows the uid assigned is effectively retrived from openLDAP. The command line I'm using to test winbind is : winbindd -F -i -d idmap:10. I tried also to run openLDAP in debug mode with the command line slapd -d 1. the logs produced show that openLDAP and winbind work together with encryption in both directions. When I run winbind daemon with the command line service winbind start, the TLS connection cannot be initiated and I cannot allocate a uid to any user using wbinfo -i user. Let's see the configuration files (domain name obsfucated) : ##cn=config.ldif dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65 creatorsName: cn=config createTimestamp: 20130803105505Z olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt olcTLSVerifyClient: demand entryCSN: 20130803125708.704922Z#00#000#00 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20130803125708Z ##smb.conf #=== Global Settings === [global] workgroup = DOMAIN server string = %h server include = /etc/samba/dhcp.conf dns proxy = no log level = 0 syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 syslog only = yes panic action = /usr/share/samba/panic-action %d encrypt passwords = true passdb backend = tdbsam obey pam restrictions = yes unix password sync = no passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . pam password change = yes socket options = TCP_NODELAY IPTOS_LOWDELAY guest account = nobody load printers = no disable spoolss = yes printing = bsd printcap name = /dev/null unix extensions = yes wide links = no create mask = 0777 directory mask = 0777 use sendfile = no null passwords = no local master = yes time server = no wins support = no password server = * realm = DOMAIN.LOCAL security = ads allow trusted domains = no ; ; samba 3.5.6 idmap configuration ; idmap backend = ldap:ldap://omv.domain.local ldap admin dn = cn=winbind-idmap,dc=domain,dc=local ldap idmap suffix = ou=Idmap ldap suffix = dc=domain,dc=local ldap ssl = start tls ldap debug level = 4 ldap debug threshold = 1 idmap uid = 16777216-5000 idmap gid = 16777216-5000 idmap config * : backend = ldap idmap config * : ldap_url = ldap://omv.domain.local idmap config * : ldap_anon = no idmap config * : ldap_base_dn = ou=Idmap,dc=domain,dc=local idmap config * : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local idmap config
Re: [Samba] TLS between winbind and openldap
slap_listener_activate(7): slap_listener(ldap:///) connection_get(13): got connid=1048 connection_read(13): checking for input on id=1048 ber_get_next ber_get_next: tag 0x30 len 29 contents: op tag 0x77, time 1375858194 ber_get_next conn=1048 op=0 do_extended ber_scanf fmt ({m) ber: send_ldap_extended: err=0 oid= len=0 send_ldap_response: msgid=1 tag=120 err=0 ber_flush2: 14 bytes to sd 13 connection_get(13): got connid=1048 connection_read(13): checking for input on id=1048 connection_get(13): got connid=1048 connection_read(13): checking for input on id=1048 TLS: can't accept: The peer did not send any certificate.. connection_read(13): TLS accept failure error=-1 id=1048, closing connection_close: conn=1048 sd=13e If OpenLDAP refuses to talk to winbind without a valid certificate, this is the behavior I want. Why winbind does not send his certificate when run the normal way ?? Le 6 août 2013 21:51, Gaiseric Vandal gaiseric.van...@gmail.com a écrit : Did you try using LDAPS (ldap over SSL, typically on port 636.) I can't speak specifically about it with winbind BUT I have found that in other situations LDAPS creates less headaches with CA cert issues. at On 08/06/13 05:27, thierry DeTheGeek wrote: Hi, I found a possible workaround to my issue myself. It seems to be working. After reading one more time about ldap.conf I tried to export environment variables to set my private key and my certificate. This seems to be working on both debian 6 and debian 7: I dommented out TLS_KEY and TLS_CERT in /root/ldaprc and checked that winbind cannot work with OpenLDAP in debug mode, as expected. I edited /etc/defaults/winbind and added the following lines export LDAPTLS_CERT=/etc/ssl/certs/**omv-domain-local.crt export LDAPTLS_KEY=/etc/ssl/private/**omv-domain-local.key I restarted winbind with the command line service winbind restart. Now wbinfo -i user is working and I get an uid for the user. I will check further to ensure there is no more related issue. 2013/8/5 thierry DeTheGeek detheg...@gmail.com Hi, I'm working hard to setup winbind and openLDAP work together with TLS My networks contains: - a windows server 2008 R2 domain controller - a debian 6 based file server (openmediavault v0.4) running OpenLDAP 2.4.23 and Samba v3.5.6 - a debian 7 computer running winbind 3.6.6 I want to let OpenLDAP store SID = uig/gid mapping to ensure constant uid and gid for users on all linux based computers and then use both CIFS and NFS. I'm trying to solve my issue on openmediavault (debian 6) only for now, because I get the exact same issue when trying to establish communication between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6). I created a self signed certificate authority with openssl and created a private key and a certificate for te file server. I used the same certificate authority to create an other key and certificate for my debian 7 computer. OpenLDAP uses his key and is configured to check clients certificates. winbind on the same computer uses the same key and certificate to communicate with openLDAP and is configured to check the openLDAP's certificate. When running winbind in interactive debug mode everything is running file and wbinfo -i user is able to allocate an uid to the user. an other try shows the uid assigned is effectively retrived from openLDAP. The command line I'm using to test winbind is : winbindd -F -i -d idmap:10. I tried also to run openLDAP in debug mode with the command line slapd -d 1. the logs produced show that openLDAP and winbind work together with encryption in both directions. When I run winbind daemon with the command line service winbind start, the TLS connection cannot be initiated and I cannot allocate a uid to any user using wbinfo -i user. Let's see the configuration files (domain name obsfucated) : ##cn=config.ldif dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: e61f99ae-9076-1032-9144-**9f2ad5621c65 creatorsName: cn=config createTimestamp: 20130803105505Z olcTLSCACertificateFile: /etc/ssl/certs/ca-**certificates.crt olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-**local.key olcTLSCertificateFile: /etc/ssl/certs/omv-domain-**local.crt olcTLSVerifyClient: demand entryCSN: 20130803125708.704922Z#00#**000#00 modifiersName: gidNumber=0+uidNumber=0,cn=**peercred,cn=external,cn=auth modifyTimestamp: 20130803125708Z ##smb.conf #=== Global Settings === [global] workgroup = DOMAIN server string = %h server include = /etc/samba/dhcp.conf dns proxy = no log level = 0 syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 syslog only = yes panic action = /usr/share/samba/panic-action %d encrypt passwords = true passdb backend = tdbsam obey pam
Re: [Samba] TLS between winbind and openldap
Hi, I found a possible workaround to my issue myself. It seems to be working. After reading one more time about ldap.conf I tried to export environment variables to set my private key and my certificate. This seems to be working on both debian 6 and debian 7: I dommented out TLS_KEY and TLS_CERT in /root/ldaprc and checked that winbind cannot work with OpenLDAP in debug mode, as expected. I edited /etc/defaults/winbind and added the following lines export LDAPTLS_CERT=/etc/ssl/certs/omv-domain-local.crt export LDAPTLS_KEY=/etc/ssl/private/omv-domain-local.key I restarted winbind with the command line service winbind restart. Now wbinfo -i user is working and I get an uid for the user. I will check further to ensure there is no more related issue. 2013/8/5 thierry DeTheGeek detheg...@gmail.com Hi, I'm working hard to setup winbind and openLDAP work together with TLS My networks contains: - a windows server 2008 R2 domain controller - a debian 6 based file server (openmediavault v0.4) running OpenLDAP 2.4.23 and Samba v3.5.6 - a debian 7 computer running winbind 3.6.6 I want to let OpenLDAP store SID = uig/gid mapping to ensure constant uid and gid for users on all linux based computers and then use both CIFS and NFS. I'm trying to solve my issue on openmediavault (debian 6) only for now, because I get the exact same issue when trying to establish communication between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6). I created a self signed certificate authority with openssl and created a private key and a certificate for te file server. I used the same certificate authority to create an other key and certificate for my debian 7 computer. OpenLDAP uses his key and is configured to check clients certificates. winbind on the same computer uses the same key and certificate to communicate with openLDAP and is configured to check the openLDAP's certificate. When running winbind in interactive debug mode everything is running file and wbinfo -i user is able to allocate an uid to the user. an other try shows the uid assigned is effectively retrived from openLDAP. The command line I'm using to test winbind is : winbindd -F -i -d idmap:10. I tried also to run openLDAP in debug mode with the command line slapd -d 1. the logs produced show that openLDAP and winbind work together with encryption in both directions. When I run winbind daemon with the command line service winbind start, the TLS connection cannot be initiated and I cannot allocate a uid to any user using wbinfo -i user. Let's see the configuration files (domain name obsfucated) : ##cn=config.ldif dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65 creatorsName: cn=config createTimestamp: 20130803105505Z olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt olcTLSVerifyClient: demand entryCSN: 20130803125708.704922Z#00#000#00 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20130803125708Z ##smb.conf #=== Global Settings === [global] workgroup = DOMAIN server string = %h server include = /etc/samba/dhcp.conf dns proxy = no log level = 0 syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 syslog only = yes panic action = /usr/share/samba/panic-action %d encrypt passwords = true passdb backend = tdbsam obey pam restrictions = yes unix password sync = no passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . pam password change = yes socket options = TCP_NODELAY IPTOS_LOWDELAY guest account = nobody load printers = no disable spoolss = yes printing = bsd printcap name = /dev/null unix extensions = yes wide links = no create mask = 0777 directory mask = 0777 use sendfile = no null passwords = no local master = yes time server = no wins support = no password server = * realm = DOMAIN.LOCAL security = ads allow trusted domains = no ; ; samba 3.5.6 idmap configuration ; idmap backend = ldap:ldap://omv.domain.local ldap admin dn = cn=winbind-idmap,dc=domain,dc=local ldap idmap suffix = ou=Idmap ldap suffix = dc=domain,dc=local ldap ssl = start tls ldap debug level = 4 ldap debug threshold = 1 idmap uid = 16777216-5000 idmap gid = 16777216-5000 idmap config * : backend = ldap idmap config * : ldap_url = ldap://omv.domain.local idmap config * : ldap_anon = no idmap config * : ldap_base_dn = ou=Idmap,dc=domain,dc=local idmap config * : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local idmap config * : range
[Samba] TLS between winbind and openldap
Hi, I'm working hard to setup winbind and openLDAP work together with TLS My networks contains: - a windows server 2008 R2 domain controller - a debian 6 based file server (openmediavault v0.4) running OpenLDAP 2.4.23 and Samba v3.5.6 - a debian 7 computer running winbind 3.6.6 I want to let OpenLDAP store SID = uig/gid mapping to ensure constant uid and gid for users on all linux based computers and then use both CIFS and NFS. I'm trying to solve my issue on openmediavault (debian 6) only for now, because I get the exact same issue when trying to establish communication between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6). I created a self signed certificate authority with openssl and created a private key and a certificate for te file server. I used the same certificate authority to create an other key and certificate for my debian 7 computer. OpenLDAP uses his key and is configured to check clients certificates. winbind on the same computer uses the same key and certificate to communicate with openLDAP and is configured to check the openLDAP's certificate. When running winbind in interactive debug mode everything is running file and wbinfo -i user is able to allocate an uid to the user. an other try shows the uid assigned is effectively retrived from openLDAP. The command line I'm using to test winbind is : winbindd -F -i -d idmap:10. I tried also to run openLDAP in debug mode with the command line slapd -d 1. the logs produced show that openLDAP and winbind work together with encryption in both directions. When I run winbind daemon with the command line service winbind start, the TLS connection cannot be initiated and I cannot allocate a uid to any user using wbinfo -i user. Let's see the configuration files (domain name obsfucated) : ##cn=config.ldif dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65 creatorsName: cn=config createTimestamp: 20130803105505Z olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt olcTLSVerifyClient: demand entryCSN: 20130803125708.704922Z#00#000#00 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20130803125708Z ##smb.conf #=== Global Settings === [global] workgroup = DOMAIN server string = %h server include = /etc/samba/dhcp.conf dns proxy = no log level = 0 syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 syslog only = yes panic action = /usr/share/samba/panic-action %d encrypt passwords = true passdb backend = tdbsam obey pam restrictions = yes unix password sync = no passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . pam password change = yes socket options = TCP_NODELAY IPTOS_LOWDELAY guest account = nobody load printers = no disable spoolss = yes printing = bsd printcap name = /dev/null unix extensions = yes wide links = no create mask = 0777 directory mask = 0777 use sendfile = no null passwords = no local master = yes time server = no wins support = no password server = * realm = DOMAIN.LOCAL security = ads allow trusted domains = no ; ; samba 3.5.6 idmap configuration ; idmap backend = ldap:ldap://omv.domain.local ldap admin dn = cn=winbind-idmap,dc=domain,dc=local ldap idmap suffix = ou=Idmap ldap suffix = dc=domain,dc=local ldap ssl = start tls ldap debug level = 4 ldap debug threshold = 1 idmap uid = 16777216-5000 idmap gid = 16777216-5000 idmap config * : backend = ldap idmap config * : ldap_url = ldap://omv.domain.local idmap config * : ldap_anon = no idmap config * : ldap_base_dn = ou=Idmap,dc=domain,dc=local idmap config * : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local idmap config * : range = 16777216-5000 idmap alloc backend = ldap idmap alloc config : ldap_url = ldap://omv.domain.local idmap alloc config : ldap_base_dn = ou=Idmap,dc=domain,dc=local idmap alloc config : ldap_user_dn = cn=winbind-idmap,dc=domain,dc=local winbind use default domain = true winbind offline logon = false ; disable enum users/groups on medium or large organization (affects performance) ; if disabled this will disable domain users/groups enumeration with getent winbind enum users = yes winbind enum groups = yes winbind separator = / winbind nested groups = yes ;winbind normalize names = yes winbind refresh tickets = yes ;template primary group = users template shell = /bin/bash template homedir = /home/%D/%U socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 client ntlmv2 auth = yes client use spnego = yes #=== Share Definitions === #=== Home