Log from #samba at freenode 2006-06-22
[00:23]<gydjgj>hi all, got a question, what port does samba use to do bdc -> pdc comms? (and protocols)
[00:26]<wyfaj>W/3.0.2x, security = domain, should I be able to have local accounts that are authenticated through smbpasswd-style and not the DC?
[00:58]<||aw>wilco: probably not
[00:58]<sdzpppzyns6wo>Anyone using ldap/samba/tls setup
[00:59]<sdzpppzyns6wo>TLS trace: SSL3 alert read:fatal:unknown CA
[00:59]<sdzpppzyns6wo> -ouch
[01:17]<wyfaj>smallfries718: Not sure about Samba per se, but if it's built with the OpenLDAP client libraries, you can put 'TLS_REQCERT allow' in /etc/openldap/ldap.conf
[01:17]<wyfaj>Is this a self-signed certificate?
[01:17]<sdzpppzyns6wo>that's what I would like it to be
[01:17]<wyfaj>You can also use TLS_CACERTDIR and put the cert files there
[01:18]<sdzpppzyns6wo>that's in the slapd.conf
[01:18]<sdzpppzyns6wo>?
[01:19]<wyfaj>No, that's /etc/openldap/ldap.conf
[01:19]<sdzpppzyns6wo>I have samba working on another server
[01:19]<sdzpppzyns6wo>the certs expired today
[01:19]<wyfaj>Oops
[01:19]<sdzpppzyns6wo>so the whole ldap auth stopped working.
[01:19]<sdzpppzyns6wo>so there is not access to the samba shares
[01:20]<sdzpppzyns6wo>sldap has the following
[01:20]<sdzpppzyns6wo>TLSCertificateFile /usr/share/ssl/certs/servercrt.pem
[01:20]<sdzpppzyns6wo>TLSCertificateKeyFile /usr/share/ssl/certs/serverkey.pem
[01:20]<sdzpppzyns6wo>TLSCACertificateFile /usr/share/ssl/certs/cacert.pem
[01:21]<wyfaj>So generate a new cert and put it in place
[01:21]<sdzpppzyns6wo>I've been trying this all day
[01:21]<wyfaj>This time, make it good for 3650 days :)
[01:21]<sdzpppzyns6wo>word
[01:21]<wyfaj>Trying what?
[01:21]<sdzpppzyns6wo>create a working set of cert / CA
[01:22]<wyfaj>http://nakedape.cc/wiki/ApplicationNotes_2fSslNotes
[01:22]<sdzpppzyns6wo>I've been reading where it says that the CN has to be exactly the same as the FQDN of the ldap server
[01:22]<wyfaj>Self-signed cert not working or you don't know how to generate one?
[01:23]<sdzpppzyns6wo>I can generate it
[01:23]<wyfaj>Yes, the CN should be the host name you use to access the LDAP server, but not necessarily `hostname -f`
[01:23]<sdzpppzyns6wo>what I did was
[01:24]<wyfaj>For example, if your hostname was foofoo.example.com, but you used a DNS CNAME ldap1.example.com and used that in your config files, then make ldap1.example.com the CN
[01:25]<sdzpppzyns6wo>the samba host connects to secure.example.com
[01:25]<sdzpppzyns6wo>which is the ldap server
[01:25]<sdzpppzyns6wo>which is also the same as hostname -f
[01:25]<sdzpppzyns6wo>and is also the dns name
[01:25]<sdzpppzyns6wo>so I have been putting that as the CN
[01:25]<wyfaj>Okay
[01:26]<wyfaj>That sounds right
[01:26]<sdzpppzyns6wo>but I verified one of the expired certs
[01:26]<sdzpppzyns6wo>and it has localhost.localdomain for the CN variable.
[01:26]<wyfaj>Ah, well, maybe Samba's ignoring it--client apps, like web browsers, use the CN to verify that the cert belongs to the site going to it
[01:28]<sdzpppzyns6wo>let me walk through your link, I've been doing this all day
[01:28]<sdzpppzyns6wo>maybe the wrong way over and over
[01:28]<sdzpppzyns6wo>I have gotten the error Expecting Trusted Certificate
[01:30]<wyfaj>You don't need the TLSCACertificateFile if you're using self-signed certs and you can put the key and cert in the same file, if they're PEM-encoded
[01:30]<wyfaj>http://nakedape.cc/wiki/ApplicationNotes_2fLdapNotes
[01:30]<wyfaj>There's a note about the TLS error there (should have it on my SSL page too :)
[01:31]<sdzpppzyns6wo>DirName:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
[01:47]<sdzpppzyns6wo>still there?
[02:01]<wyfaj>Yeah
[02:03]<cfg2yrg>good night (here)
[02:03]<cfg2yrg>i am installing samba 3.0.22 on Solaris 9
[02:03]<cfg2yrg>has anyone done it?
[02:04]<cfg2yrg>i need to compile a module pam_mkhomedir.so because Solaris does not provide it
[02:07]<wyfaj>Have you looked at the CSW/Blastwave packages? When I used Solaris, their packages were pretty good
[02:08]<sdzpppzyns6wo>so on a openldap install
[02:08]<sdzpppzyns6wo>it has both /etc/ldap.conf and /etc/openldap/ldap.conf and even /etc/openldap/slapd.conf
[02:08]<cfg2yrg>no. i don't install ldap, i am using samba in DOMAIN mode
[02:08]<wyfaj>All three are different
[02:09]<wyfaj>/etc/ldap.conf is used by nss/pam_ldap
[02:09]<wyfaj>/etc/openldap/ldap.conf are *client* settings
[02:09]<cfg2yrg>i can auth normally
[02:09]<wyfaj>/etc/openldap/slapd.conf are LDAP server settings
[02:09]<wyfaj>Your Samba is a cliet
[02:09]<wyfaj>client
[02:10]<cfg2yrg>the problem is: the home dir is not created when the user logs on for the first time
[02:10]<cfg2yrg>yes. it is a client
[02:10]<sdzpppzyns6wo>right located on a different server
[02:10]<wyfaj>klebian: This is about smallfries718's problem
[02:11]<cfg2yrg>what is smallfries?
[02:12]<wyfaj>Er, you don't see his messages?
[02:12]<sdzpppzyns6wo>it's before the combo fries
[02:12]<sdzpppzyns6wo><--- that be me , breaking ldap
[02:12]<cfg2yrg>excuse me
[02:13]<sdzpppzyns6wo>sorry about that
[02:13]<sdzpppzyns6wo>wilco, I'm starting ldap via /etc/rc.d/init.d script
[02:13]<cfg2yrg>smallfires718 is your nickname
[02:13]<sdzpppzyns6wo>it doesn't do much for debugging
[02:13]<sdzpppzyns6wo>it simply fails
[02:14]<wyfaj>Exactly what's not working currently, smallfries718 ?
[02:14]<sdzpppzyns6wo>Starting slapd: [FAILED]
[02:17]<cfg2yrg>i think a backbone has gone down
[02:17]<cfg2yrg>25 clients are disconnected on the same minute!
[02:18]<cfg2yrg>or the same second
[02:18]<cfg2yrg>anyone has problem with the module pam_mkhomedir.so on Solaris 9?
[02:20]<afyn2jw__> smallfries718: can you enable more debugging with local4.debug /var/log/ldap
[02:20]<afyn2jw__>placed in syslog.conf
[02:22]<sdzpppzyns6wo>with the -Z option I am getting
[02:22]<sdzpppzyns6wo>additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[02:22]<sdzpppzyns6wo>with the -x option it seems to be able to query without issue
[02:24]<sdzpppzyns6wo>how do I turn off cert verification ?