On 09/28/2011 06:47 AM, David Hoskinson wrote:
I do not have a server.crt. I created my certs using the following
page on the 389 documentation
http://directory.fedoraproject.org/wiki/Howto:SSL
which creates a cert8.db and key3.db
in the past I could do certutil -L something and it would show the
cert information but can’t seem to find that command anymore.
certutil -d /etc/dirsrv/slapd-instance -L
I can authenticate from localhost and any of the client machines even
the samba server just fine… I just can’t seem to get samba service to
connect. If I have setup things incorrectly I appreciate the help.
From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of
Angel Bosch Mora
Sent: Wednesday, September 28, 2011 7:52 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Problem with samba and 389 Directory server
with LDAPS
Are you sure your certificate is created with your FQDN in it?
I've had a LOT of problems until I created my certs correctly.
You can check it with
openssl x509 -noout -text -in server.crt
and I recommend that you include your FQDN as an Alternative Name even if
it is your hostname; that trick saved me a lot of headaches. I always
create my certs with two alternate names, the FQDN itself and also
ldap.<mydomain>
This way you don't have any problems with load balancing and such.
To create a certificate request with alternate names you can run (one line):
certutil -R -s "CN=myserver.example.com,OU=example,O=example,L=example,ST=example,C=example" -o example.csr -d . -a -8 myserver.example.com,ldap.example.com
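The point made above (the LDAP URL Samba uses must carry the exact name in the certificate, and an IP address such as the `ldaps://192.168.x.x` in the smb.conf further down the thread will never match a DNS Subject Alternative Name) can be checked before touching Samba at all. The script below is an added example, not code from the thread or from the 389 or Samba projects. It takes the `passdb backend` value from smb.conf and a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns (the `SAMPLE_CERT` here is constructed with the example names from the message above), and reports whether the host in the URL would pass name matching. The hostname comparison is a deliberately small RFC 6125-style matcher (exact names plus a single leading `*.` label), written for this example, not the stdlib's.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample certificate, in the shape returned by
# ssl.SSLSocket.getpeercert(): the names are the ones used in the
# certutil example above, not a real server's certificate.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "example"),),
        (("organizationName", "example"),),
        (("commonName", "myserver.example.com"),),
    ),
    "subjectAltName": (
        ("DNS", "myserver.example.com"),
        ("DNS", "ldap.example.com"),
    ),
}

# Accepts either the bare value ("ldapsam:ldaps://host") or the whole
# smb.conf line ("passdb backend = ldapsam:ldaps://host").
_PASSDB_RE = re.compile(r"^\s*(?:passdb\s+backend\s*=\s*)?ldapsam:(\S+)")


def ldap_target_from_passdb(passdb_backend):
    """Return (scheme, host) from a Samba ldapsam passdb backend setting."""
    m = _PASSDB_RE.match(passdb_backend)
    if not m:
        raise ValueError("not an ldapsam backend: %r" % passdb_backend)
    parts = urlsplit(m.group(1))
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("unsupported LDAP URL: %r" % m.group(1))
    return parts.scheme, parts.hostname


def cert_dns_names(cert):
    """DNS names a client may match against: SAN DNS entries, else the CN."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # Only fall back to the CN when the cert carries no DNS SAN at all.
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return names


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(pattern, host):
    """Case-insensitive match; a leading '*.' matches exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def check_ldaps_target(passdb_backend, cert):
    """Classify the URL host against the certificate names.

    Returns one of:
      ("no-tls", host)       plain ldap://, certificate names are irrelevant
      ("ip-literal", host)   IP in the URL but no matching IP SAN
      ("mismatch", host)     hostname not covered by any DNS SAN / CN
      ("ok", matched_name)   the certificate name that covers the host
    """
    scheme, host = ldap_target_from_passdb(passdb_backend)
    if scheme != "ldaps":
        return ("no-tls", host)
    if is_ip_literal(host):
        ip_sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "IP Address"]
        if host in ip_sans:
            return ("ok", host)
        return ("ip-literal", host)
    for name in cert_dns_names(cert):
        if name_matches(name, host):
            return ("ok", name)
    return ("mismatch", host)


if __name__ == "__main__":
    for setting in (
        "passdb backend = ldapsam:ldaps://192.168.3.79",
        "ldapsam:ldaps://adm301.stag.cle.us",
        "ldapsam:ldaps://ldap.example.com",
    ):
        print(setting, "->", check_ldaps_target(setting, SAMPLE_CERT))
```

Running it shows the first two settings from the thread failing for different reasons (an IP literal, then a hostname the certificate does not list) while the name that appears in the SAN passes; in production you would feed it the real certificate, for example the dictionary returned by `getpeercert()` after a TLS handshake to the directory server.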
------------------------------------------------------------------------
[2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_open_connection(786)
smbldap_open_connection: connection opened
[2011/09/28 11:23:13, 10] lib/smbldap.c:smbldap_connect_system(951)
ldap_connect_system: Binding to ldap server
ldaps://adm301.stag.cle.us as "cn=Directory Manager"
[2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_connect_system(982)
failed to bind to server ldaps://”FQDN of server”.stag.cle.us
with dn="cn=Directory Manager" Error: Can't contact LDAP server
(unknown)
And yes I can resolve the hostname which I have sanitized.
Thanks for the tip, but that doesn’t seem to help, still have same
result. This was just working on another machine but I had to
put that one back to the way it was, and must have missed
something. Any more thoughts?
From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of
Angel Bosch Mora
Sent: Wednesday, September 28, 2011 3:39 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Problem with samba and 389 Directory
server with LDAPS
You have to use the FQDN when connecting securely, and you have to use
the exact name used in the certificate.
------------------------------------------------------------------------
I am getting the following message in the
/var/log/samba/smbd.log file when I start up samba and try to
connect as a user.
[2011/09/27 14:23:33, 1] lib/smbldap.c:another_ldap_try(1153)
Connection to LDAP server failed for the 15 try!
[2011/09/27 14:23:34, 10] lib/smbldap.c:smb_ldap_setup_conn(630)
smb_ldap_setup_connection: ldaps://192.168.3.79
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_open_connection(786)
smbldap_open_connection: connection opened
[2011/09/27 14:23:34, 10] lib/smbldap.c:smbldap_connect_system(951)
ldap_connect_system: Binding to ldap server
ldaps://192.168.x.x as "cn=directory manager,dc=stag,dc=cle,dc=us"
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_connect_system(982)
failed to bind to server ldaps://192.168.x.x with
dn="cn=directory manager,dc=stag,dc=cle,dc=us" Error: Can't
contact LDAP server
(unknown)
Relevant part of the smb.conf
passdb backend = ldapsam:ldaps://192.168.x.x
ldap suffix = dc=stag,dc=cle,dc=us
ldap machine suffix = ou=people
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap passwd sync = yes
ldap admin dn = cn=directory manager,dc=stag,dc=cle,dc=us
obey pam restrictions = yes
I was able to run smbpasswd -w to add the dn admin password to
the secrets.tdb but am unable to add additional users as well,
again getting a cannot contact ldap server message. I had
this working on another machine, but that machine was needed
for another purpose and lost the setup. I know I must be
missing something simple and am checking the HOWTO for samba
on the 389-Directory Server site.
David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskin...@datatrak.net
<mailto:david.hoskin...@datatrak.net> | www.datatrak.net
<http://www.datatrak.net/>
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users