
I'm currently preparing a migration to Samba 4 at my office, and facing issues in my lab network. I installed Samba 4 AD DC on a Debian 9 server; so far it's working properly, I could join machines to the domain and access Samba's internal LDAP from external tools using unencrypted ldap://[IP] on port 389.

I'm now trying to configure LDAP access through SSL/TLS following the instructions on this page:

https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

Whether I'm using autogenerated self-signed certificates or creating a custom one, it always fails at the point of verifying the cert:

openssl verify -verbose cert.pem
[...]
error 18 at 0 depth lookup: self signed certificate
error cert.pem: verification failed

I checked private key:

# openssl rsa -check -in key.pem 
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

I tried to check if private key and cert are corresponding:

# openssl x509 -noout -modulus -in cert.pem | openssl md5
(stdin)= ce3ca7afcfe6a02ded1ed83938954940
# openssl rsa -noout -modulus -in key.pem | openssl md5
(stdin)= ce3ca7afcfe6a02ded1ed83938954940

Here's the global section of my smb.conf file:

tls enabled  = yes
tls keyfile  = tls/key.pem
tls certfile = tls/cert.pem
tls cafile   = tls/ca.pem

I also tried to move the auto-generated files from their original location

/var/lib/samba/private/tls/

to

/etc/samba/tls/

and

/usr/local/samba/private/tls/

curl commands answer this:

# curl ldaps://host.domain.fr
curl: (60) SSL certificate problem: unable to get local issuer certificate

But I successfully connect with

# curl --insecure ldaps://host.domain.fr

# curl --cacert /usr/local/samba/private/tls/ca.pem ldaps://host.domain.fr

Well, any advice about configuration or troubleshooting tips is warmly welcome!

Sam C
  • I am not sure your actual absolute paths are valid, e.g. `/tls/cert.pem`. You should remove the extra `/` at the beginning, e.g. `tls/cert.pem` (for keyfile, certfile, cafile). Then put your cert files in `/usr/local/samba/private/tls/` – krisFR Sep 14 '17 at 10:54
  • You're right. It didn't solve the issue entirely, but progress was made. I edited the post – Sam C Sep 14 '17 at 12:26
  • From what I see it is working now (your very last curl command). You need to import the CA certificate on the client; this is kind of what you do when you specify `--cacert` within your last curl command. – krisFR Sep 14 '17 at 13:25

1 Answer

OK, I solved my issue.

I followed this procedure to create a self-signed certificate for Samba 4.

Go to the auto-generated certificate directory, remove the existing ones and create your own in the same directory, then restart Samba:

# cd /usr/local/samba/private/tls ## if you compiled samba from sources
# cd /var/lib/samba/private/tls ## if you installed samba from repos

# rm *.pem
# openssl req -newkey rsa:2048 -keyout myKey.pem -nodes -x509 -days 365 -out myCert.pem

Add this to your /etc/samba/smb.conf:

tls enabled  = yes
tls keyfile  = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile   = 

Then restart Samba.

To make the ldapsearch command succeed, follow this topic's advice and add

TLS_REQCERT ALLOW

to your ldap.conf file.

One thing that kept me in error was that

openssl verify myCert.pem

will never work on my config (Debian 9.0 "Stretch", OpenSSL 1.1.0f). I retried my keys under OpenSSL 1.0.2 and they worked just fine. I'm not sure if it's caused by the OS or just the OpenSSL version...

Sam C
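As an added example (not code from the question, the answer or Samba), here is a small Python check for the two smb.conf details that mattered on this page: Samba resolves a relative `tls` path against its private dir, so an absolute `/tls/cert.pem` points at the filesystem root, and a blanked `tls cafile` means clients have to trust the self-signed cert itself. It assumes the Debian private dir `/var/lib/samba/private`; the sample config is constructed.

```python
import posixpath

# Samba resolves a relative "tls *" value against "private dir"; the shipped
# defaults live there as tls/key.pem, tls/cert.pem and tls/ca.pem.
PRIVATE_DIR = "/var/lib/samba/private"  # Debian package layout, as in the answer
DEFAULTS = {"tls keyfile": "tls/key.pem", "tls certfile": "tls/cert.pem",
            "tls cafile": "tls/ca.pem"}

# Constructed sample: the [global] TLS lines before the fix (absolute "/tls/...")
BROKEN = """[global]
tls enabled  = yes
tls keyfile  = /tls/key.pem
tls certfile = /tls/cert.pem
tls cafile   = /tls/ca.pem
"""

def parse_global(text):
    """Return {option: value} for [global]; keys lower-cased, spaces squeezed."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts[" ".join(key.split()).lower()] = value.strip()
    return opts

def check_tls(text, private_dir=PRIVATE_DIR):
    """Resolve the three tls file options and list configuration problems."""
    opts = parse_global(text)
    paths, issues = {}, []
    for key, default in DEFAULTS.items():
        value = opts.get(key, default)
        if value == "":                       # explicitly blanked, as in the answer
            paths[key] = None
            issues.append(f"{key} empty" + (": clients must trust tls certfile "
                          "itself (curl --cacert / ldap.conf TLS_CACERT)"
                          if key == "tls cafile" else ""))
        elif value.startswith("/"):           # absolute: used exactly as given
            paths[key] = value
            if value.lstrip("/").startswith("tls/"):
                issues.append(f"{key} = {value} points at the root directory; "
                              f"drop the leading '/' to get {private_dir}/{value.lstrip('/')}")
        else:                                 # relative: resolved under private dir
            paths[key] = posixpath.join(private_dir, value)
    return {"paths": paths, "issues": issues}
```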