I'm currently preparing migration to Samba 4 at my office, and facing issues in my lab network.
I installed Samba 4 AD DC on a Debian 9 server; so far it's working properly, I could join machines to the domain and access Samba's internal LDAP from external tools using unencrypted ldap://[IP] on port 389.
I'm now trying to configure LDAP access through SSL/TLS following the instructions on this page:
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
Whether I'm using auto-generated self-signed certificates or creating a custom one, it always fails at the point of verifying the cert:
openssl verify -verbose cert.pem
[...]
error 18 at 0 depth lookup: self signed certificate
error cert.pem: verification failed
I checked the private key:
# openssl rsa -check -in key.pem
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
I tried to check if the private key and cert correspond:
# openssl x509 -noout -modulus -in cert.pem | openssl md5
(stdin)= ce3ca7afcfe6a02ded1ed83938954940
# openssl rsa -noout -modulus -in key.pem | openssl md5
(stdin)= ce3ca7afcfe6a02ded1ed83938954940
Here's the global section of my smb.conf file:
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
I also tried to move the auto-generated files from their original destination
/var/lib/samba/private/tls/
to
/etc/samba/tls/
and
/usr/local/samba/private/tls/
curl commands answer this:
# curl ldaps://host.domain.fr
curl: (60) SSL certificate problem: unable to get local issuer certificate
But I successfully connect with:
# curl --insecure ldaps://host.domain.fr
# curl --cacert /usr/local/samba/private/tls/ca.pem ldaps://host.domain.fr
Well, any advice about configuration or troubleshooting tips is warmly welcome!
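The checks attempted in the question, as an added example that is not from the original post or from the Samba project: a POSIX shell script that builds a throwaway CA and DC certificate as constructed stand-in material (the hostname dc1.lab.example and all paths are made up) and then runs the chain, key-pairing and hostname checks a practitioner would want against it.

```shell
# Added example, not from the original post or from Samba: offline checks on the TLS
# material a Samba AD DC serves for LDAPS. A DC cert issued by a private CA verifies only
# when that CA is supplied, hence the bare `openssl verify` failing while `curl --cacert` works.
set -eu

# Constructed stand-in for the files Samba keeps under private/tls/: a throwaway CA and a
# DC certificate signed by it. In practice point the checks at the DC's own ca/cert/key.pem.
make_demo_material() {  # $1 = output dir, $2 = DC hostname (constructed)
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Samba CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/key.pem" -out "$1/req.pem" 2>/dev/null
  openssl x509 -req -in "$1/req.pem" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -out "$1/cert.pem" 2>/dev/null
}

# 1. Chain check. With $2 empty this reproduces the question's bare `openssl verify`,
#    which can only pass if the issuer sits in the system trust store (a private CA does not).
verify_chain() {  # $1 = cert.pem, $2 = ca.pem or "" -> prints ok / fail
  if [ -n "${2:-}" ]; then openssl verify -CAfile "$2" "$1"; else openssl verify "$1"; fi \
    >/dev/null 2>&1 && echo ok || echo fail
}

# 2. Key/cert pairing: hash the SubjectPublicKeyInfo of both files (works for EC keys too,
#    unlike the -modulus comparison in the question) and treat empty input as a mismatch.
pubkey_fp() {  # SHA-256 of the PEM public key on stdin; prints nothing for empty input
  pem=$(cat)
  [ -n "$pem" ] || return 0
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}
key_matches_cert() {  # $1 = key.pem, $2 = cert.pem -> prints ok / fail
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | pubkey_fp)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | pubkey_fp)
  [ -n "$k" ] && [ "$k" = "$c" ] && echo ok || echo fail
}

# 3. Name check. Clients match the host they dial (the ldaps:// name) against the cert's
#    SAN, falling back to CN; a wrong name fails the handshake even with the right CA.
cert_covers_host() {  # $1 = cert.pem, $2 = hostname -> prints ok / fail
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match ' \
    && echo ok || echo fail
}

demo=$(mktemp -d)  # stand-alone demo on the constructed material
make_demo_material "$demo" dc1.lab.example
echo "bare verify (as in the question): $(verify_chain "$demo/cert.pem" "")"
echo "verify with -CAfile ca.pem:       $(verify_chain "$demo/cert.pem" "$demo/ca.pem")"
echo "key.pem matches cert.pem:         $(key_matches_cert "$demo/key.pem" "$demo/cert.pem")"
echo "cert covers dc1.lab.example:      $(cert_covers_host "$demo/cert.pem" dc1.lab.example)"
rm -rf "$demo"
```

To use it on a real DC, replace the demo material with the DC's own ca.pem, cert.pem and key.pem paths; OpenSSL 1.0.2 or newer is assumed for the -checkhost option.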
Best Answer
OK, I solved my issue.
I followed this procedure to create a self-signed certificate for Samba 4
Go to the auto-generated certificate directory, remove the existing ones and create your own in the same directory. Then restart Samba.
Add this to your /etc/samba/smb.conf
Then restart Samba
To make the ldapsearch command succeed, follow this topic's advice and add
to your ldap.conf file.
One thing that kept me stuck was that
will never work on my config (Debian 9.0 "Stretch" - OpenSSL 1.1.0f). I retried my keys under OpenSSL 1.0.2 and it worked just fine. I'm not sure if it's caused by the OS or just the OpenSSL version...