Debian – SSL self-signed certificate error on Samba 4

Tags: debian, samba, samba4, ssl, ssl-certificate

I'm currently preparing a migration to Samba 4 at my office, and facing issues in my lab network.
I installed a Samba 4 AD DC on a Debian 9 server; so far it's working properly: I could join machines to the domain and access Samba's internal LDAP from external tools using unencrypted ldap://[IP] on port 389.

I'm now trying to configure LDAP access through SSL/TLS following the instructions on this page:

https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

Whether I'm using autogenerated self-signed certificates or creating a custom one, it always fails at the point of verifying the cert:

openssl verify -verbose cert.pem
[...]
error 18 at 0 depth lookup: self signed certificate
error cert.pem: verification failed

I checked the private key:

# openssl rsa -check -in key.pem 
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

I tried to check whether the private key and cert correspond:

# openssl x509 -noout -modulus -in cert.pem | openssl md5
(stdin)= ce3ca7afcfe6a02ded1ed83938954940
# openssl rsa -noout -modulus -in key.pem | openssl md5
(stdin)= ce3ca7afcfe6a02ded1ed83938954940

Here's the global section of my smb.conf file:

tls enabled  = yes
tls keyfile  = tls/key.pem
tls certfile = tls/cert.pem
tls cafile   = tls/ca.pem

I also tried to move the auto-generated files from their original location

/var/lib/samba/private/tls/

to

/etc/samba/tls/

and

/usr/local/samba/private/tls/

The curl commands answer this:

#curl ldaps://host.domain.fr
curl: (60) SSL certificate problem: unable to get local issuer certificate

But I successfully connect with

# curl --insecure ldaps://host.domain.fr

# curl --cacert /usr/local/samba/private/tls/ca.pem ldaps://host.domain.fr

Well, any advice about configuration or troubleshooting tips is warmly welcome!

Best Answer

OK, I solved my issue.

I followed this procedure to create a self-signed certificate for Samba 4.

Go to the auto-generated certificate directory, remove the existing ones and create your own in the same directory, then restart Samba.

# cd /usr/local/samba/private/tls ## if you compiled samba from sources
# cd /var/lib/samba/private/tls ## if you installed samba from repos

# rm *.pem
# openssl req -newkey rsa:2048 -keyout myKey.pem -nodes -x509 -days 365 -out myCert.pem

Add this to your /etc/samba/smb.conf

tls enabled  = yes
tls keyfile  = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile   = 

Then restart Samba.

To make the ldapsearch command succeed, follow this topic's advice and add

TLS_REQCERT ALLOW

to your ldap.conf file.

One thing that kept me in error was that

openssl verify myCert.pem

will never work on my config (Debian 9.0 "Stretch" - OpenSSL 1.1.0f). I retried my keys under OpenSSL 1.0.2 and it worked just fine. I'm not sure if it's caused by the OS or just the OpenSSL version...
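The answer's procedure as an added example, not the poster's own commands: it generates the self-signed DC certificate through a small config file (so it also runs on Debian 9's OpenSSL 1.1.0, which lacks -addext), then shows that openssl verify only succeeds once the cert is supplied as its own trust anchor, which is the same file curl --cacert used successfully in the question. The hostname dc1.example.lan and the scratch directory standing in for /var/lib/samba/private/tls are assumptions.

```shell
# Added example (not from the original post): self-signed cert for a Samba AD DC
# with a SAN, plus the verify and key/cert pairing checks from the thread.
# Assumptions: openssl 1.1.x or later on PATH; dc1.example.lan is a placeholder;
# TLS_DIR is a scratch dir standing in for /var/lib/samba/private/tls.
TLS_DIR="${TLS_DIR:-$(mktemp -d)}"
DC_FQDN="${DC_FQDN:-dc1.example.lan}"

# Config file instead of -addext so it also runs on Debian 9's OpenSSL 1.1.0.
make_selfsigned() {
    [ -s "$TLS_DIR/myCert.pem" ] && return 0
    cat > "$TLS_DIR/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_dc
[dn]
CN = $DC_FQDN
[v3_dc]
subjectAltName = DNS:$DC_FQDN
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$TLS_DIR/req.cnf" \
        -keyout "$TLS_DIR/myKey.pem" -out "$TLS_DIR/myCert.pem" 2>/dev/null
}

# With no trust anchor a self-signed cert always gives "error 18 ... self signed",
# on every OpenSSL version; this is the failure seen in the question.
verify_without_anchor() {
    openssl verify "$TLS_DIR/myCert.pem" >/dev/null 2>&1
}

# Handing the cert in as the CA file is what makes verification pass; the same
# file is what curl --cacert or TLS_CACERT in ldap.conf should point at.
verify_with_anchor() {
    openssl verify -CAfile "$TLS_DIR/myCert.pem" "$TLS_DIR/myCert.pem" >/dev/null 2>&1
}

# Pairing check via the public keys; equivalent to the modulus md5 comparison
# in the question, but independent of the key type.
key_matches_cert() {
    k=$(openssl pkey -in "$TLS_DIR/myKey.pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$TLS_DIR/myCert.pem" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

if make_selfsigned; then
    verify_without_anchor || echo "no trust anchor: verify fails (expected)"
    verify_with_anchor    && echo "cert as its own trust anchor: OK"
    key_matches_cert      && echo "private key matches cert"
fi
```

Pointing TLS_CACERT in ldap.conf at this certificate lets ldapsearch keep TLS_REQCERT demand, so the server is actually verified instead of the check being skipped with allow.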