Web lists-archives.com

Re: [Samba] TLS ca/cert/key creation




On Thu, 3 Jan 2019 07:13:19 -0800
Gregory Sloop <gregs@xxxxxxxxx> wrote:

> 
> >> The user and group queries, as best I can tell, from the FreeNAS
> >> box are occurring via LDAP. 
> 
> RPvs> No they are not, well not unless freenas is doing something
> RPvs> strange.
> 
> We can argue about the details, but that's not helpful.
> 
> As noted in a separate message;
> --
> So, I've created the certs I need for the DCs and the domain member
> [FreeNAS]. However, I still get errors about needing stronger
> authentication.
> 
> But there's nothing in the logs that might tip me to what's wrong.
> 
> What do I need to do to turn on TLS logging in Samba. 
> [And perhaps authentication logging as well.]
> 
> ---
> I've set logging, as follows;
> log level = 3 winbind:5 kerberos:5
> 
> I don't see any debug/logging channel that handles TLS. And I don't
> see any messages about TLS in the logs.
> 
> I believe I need to examine TLS since when I set "ldap server require
> strong auth = allow_sasl_over_tls" or "ldap server require strong
> auth = yes" user and group queries fail.
> 
> But trying to get the keys/certs/ca right, while being completely
> blind about what's going on, is impossible.
> 
> So, I need to know where I can get the details about TLS negotiation.
> [My experience with troubleshooting TLS isn't good, even with
> messages, but without, you just twiddle knobs and flip switches, just
> *hoping that something* you do makes it, "boom, work.]
> 
> TIA
> -Greg
> 
> 

What I was trying to point out is, Samba does not use LDAP for
authentication, if FreeNAS is using LDAP, then you need to ask them
about it. Find out just where LDAP is being used and how it interacts
with Samba (if indeed it does) and then we may be able to help you.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba