FreeNAS authentication problem in Samba4

Status: Not open for further replies.

Daniel Alves BH (Dabbler; joined Dec 13, 2016; 10 messages)
Hi guys,

I know this error is known, but I did not see the solution in other forum posts.

When I try to authenticate FreeNAS against Samba 4.5 it returns the error below:

Connect error, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate)

This is my smb.conf:

[global]
workgroup = LOCAL.DOMAIN
realm = LOCAL.DOMAIN
netbios name = SERVER-DC
server role = active directory domain controller
# Samba 4.5 accepts several forwarders on one line; repeating the parameter keeps only the last value
dns forwarder = 10.10.10.2 10.10.10.3
unix charset = iso8859-1
logon script = %U.vbs

tls enabled = yes
tls cafile = /home/Diretorios_Sistema/Certificados/hjxxiii-app_ca_cert.pem
tls certfile = /home/Diretorios_Sistema/Certificados/hjxxiii-app_cert.pem
tls keyfile = /home/Diretorios_Sistema/Certificados/hjxxiii-app_cert_key.pem

I believe the problem might be in importing the certificates (CA and certificate) into Samba.
When I export the FreeNAS certificates, they come with the .crt extension (to be installed in browsers) and a .key file with the private key.

Since FreeNAS did not generate a .pem file, I saw while editing the files in Notepad that the content was inside the .crt and .key files.

So I copied the contents over in the following way:

Ca.crt -> ca.pem
Cert.crt -> cert.pem
Cert.key -> cert.pem

I ran the command to test the validation of the connection between FreeNAS and Samba 4 and it worked, but at the time of authenticating I get the error quoted at the beginning of the post.

[root@freenas] ~# openssl s_client -connect server-dc:636
CONNECTED(00000004)
depth=0 C = BR, ST = MG, L = BH, O = EMPRESA, CN = freenas.local.domain, emailAddress = ti@empresa.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = BR, ST = MG, L = BH, O = EMPRESA, CN = freenas.local.domain, emailAddress =ti@empresa.com
verify return:1
---
Certificate chain
0 s:/C=BR/ST=MG/L=BH/O=EMPRESA/CN=freenas.local.domain.fhemig/emailAddress=hps.informatica@fhemig.mg.gov.br
i:/C=BR/ST=MG/L=BH/O=EMPRESA/CN=freenas.local.domain.fhemig/emailAddress=ti@empresa.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID3jCCA.............
......................
......................
-----END CERTIFICATE-----
subject=/C=BR/ST=MG/L=BH/O=EMPRESA/CN=freenas.local.domain.fhemig/emailAddress=hps.informatica@fhemig.mg.gov.br
issuer=/C=BR/ST=MG/L=BH/O=EMPRESA/CN=freenas.local.domain.fhemig/emailAddress=ti@empresa.com
---
Acceptable client certificate CA names
/C=BR/ST=MG/L=BH/O=EMPRESA/CN=freenas.local.domain/emailAddress=ti@empresa.com
---
SSL handshake has read 2366 bytes and written 645 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 9936A07........
Session-ID-ctx:
Master-Key: 9180423......
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1481720124
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)

Thank you very much for helping me!!!
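The post assembles Samba's three TLS files by hand from the .crt and .key exports, and the mapping it lists writes Cert.key into cert.pem. The following is an added example, not code from the post or from Samba/FreeNAS: a structural check of the files that "tls cafile", "tls certfile" and "tls keyfile" point at, catching a private key pasted into the certificate file, a missing block, or corrupt base64. It uses only the Python standard library; the PEM fixtures are constructed stand-ins (tiny DER SEQUENCEs, not real certificates), and the function and file names are the example's own.

```python
import base64
import re
from typing import List, Tuple

# Added example, not code from the forum post or from Samba/FreeNAS: a
# structural check of the PEM files behind "tls cafile", "tls certfile" and
# "tls keyfile". It does not verify signatures or expiry; "openssl verify
# -CAfile" does that.

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for each PEM block in text.

    Raises ValueError when a block's body is not valid base64 or does not
    decode to a DER SEQUENCE (tag 0x30), which every certificate and
    private key is."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{label}: body is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: decoded body is not a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def check_samba_tls_files(cafile: str, certfile: str, keyfile: str) -> List[str]:
    """Return a list of problems; an empty list means the files look consistent."""
    try:
        ca, cert, key = (pem_blocks(t) for t in (cafile, certfile, keyfile))
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not any(l in CERT_LABELS for l, _ in ca):
        problems.append("tls cafile: no CERTIFICATE block (needs the CA certificate)")
    if any(l in KEY_LABELS for l, _ in ca):
        problems.append("tls cafile: contains a private key; only certificates belong here")
    if not any(l in CERT_LABELS for l, _ in cert):
        problems.append("tls certfile: no CERTIFICATE block (needs the server certificate)")
    if any(l in KEY_LABELS for l, _ in cert):
        problems.append("tls certfile: contains a private key; it belongs in tls keyfile only")
    if sum(l in KEY_LABELS for l, _ in key) != 1:
        problems.append("tls keyfile: expected exactly one PRIVATE KEY block")
    return problems


def _pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used only to build the constructed fixtures)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed fixtures: minimal DER SEQUENCEs standing in for real objects,
# which are hundreds of bytes long. They exercise the checks, nothing more.
SAMPLE_CA = _pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
SAMPLE_CERT = _pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")
SAMPLE_KEY = _pem("PRIVATE KEY", b"\x30\x03\x02\x01\x03")


def demo() -> Tuple[List[str], List[str]]:
    """Correct layout versus the layout the post's mapping produces (key appended to cert.pem)."""
    good = check_samba_tls_files(SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY)
    key_in_cert = check_samba_tls_files(SAMPLE_CA, SAMPLE_CERT + SAMPLE_KEY, SAMPLE_KEY)
    return good, key_in_cert


if __name__ == "__main__":
    for name, result in zip(("correct layout", "key pasted into cert.pem"), demo()):
        print(name, "->", result or "ok")
```

One point about the s_client output quoted above: run without -CAfile, openssl has no trust anchor, so "Verify return code: 18 (self signed certificate)" appears even when the files are assembled correctly. Passing the CA file, as in openssl s_client -connect server-dc:636 -CAfile ca.pem, is what shows whether the chain is actually trusted ("Verify return code: 0 (ok)").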
 

Daniel Alves BH (Dabbler; joined Dec 13, 2016; 10 messages)
I managed to solve it and make it work !!!! :D

I disabled strong authentication and TLS through smb.conf in Samba 4.5.2.

Just add the parameters below and restart Samba; then you do not have to use certificates to join FreeNAS to Active Directory.

#ldap server require strong auth
ldap server require strong auth = no

#TLS verify peer
tls verify peer = no_check

More info at https://wiki.samba.org/index.php/Samba_4.2_Features_added/changed

Bye!!
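The two parameters in the reply above relax the DC's documented defaults ("ldap server require strong auth" defaults to yes and "tls verify peer" to as_strict_as_possible). As an added example, not code from the post or from Samba, here is a small audit of the [global] section of an smb.conf that makes such a weakening visible in review: it parses the file the way Samba reads it (parameter names are case-insensitive and ignore whitespace; a repeated parameter keeps its last value) and reports the settings that turn off strong-auth enforcement, peer verification, or TLS. Both sample configurations are constructed from the post; the CA path in the hardened one is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Added example, not from the forum post or from Samba: audits the [global]
# section of an smb.conf for settings that weaken LDAP/TLS on an AD DC.


def _norm(name: str) -> str:
    """Samba parameter names are case-insensitive and ignore internal whitespace."""
    return re.sub(r"\s+", "", name.strip().lower())


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {normalized parameter: value}}.

    Lines starting with '#' or ';' are comments. A repeated parameter keeps
    its last value, which is how Samba's loadparm treats it."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section, or malformed line
        key, _, value = line.partition("=")
        sections[current][_norm(key)] = value.strip()
    return sections


# (parameter, predicate on the lower-cased value, what the weak value means)
WEAK_SETTINGS = [
    ("ldap server require strong auth", lambda v: v == "no",
     "simple (plaintext password) binds and unsigned SASL binds are accepted even without TLS"),
    ("tls verify peer", lambda v: v == "no_check",
     "peer certificates are not checked at all; any certificate is accepted"),
    ("tls enabled", lambda v: v == "no",
     "TLS is disabled, so LDAPS and StartTLS to the DC are unavailable"),
]


def audit_global(text: str) -> List[Tuple[str, str, str]]:
    """Return (parameter, value, message) for each weak setting found in [global]."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    for param, is_weak, msg in WEAK_SETTINGS:
        value = g.get(_norm(param))
        if value is not None and is_weak(value.lower()):
            findings.append((param, value, msg))
    return findings


# Constructed sample: the [global] section the reply above ends up with.
POSTED_CONF = """\
[global]
    workgroup = LOCAL.DOMAIN
    realm = LOCAL.DOMAIN
    server role = active directory domain controller
    tls enabled = yes
    #ldap server require strong auth
    ldap server require strong auth = no
    #TLS verify peer
    tls verify peer = no_check
"""

# Constructed sample: the same DC keeping Samba's defaults, with the CA that
# issued the client certificate trusted instead (placeholder path).
HARDENED_CONF = """\
[global]
    workgroup = LOCAL.DOMAIN
    realm = LOCAL.DOMAIN
    server role = active directory domain controller
    tls enabled = yes
    tls cafile = /path/to/ca.pem
    ldap server require strong auth = yes
    tls verify peer = as_strict_as_possible
"""


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_global(conf)
        print(f"{label}: {len(findings)} weak setting(s)")
        for param, value, msg in findings:
            print(f"  [global] {param} = {value}: {msg}")
```

Run against the posted configuration the audit reports both parameters; against the hardened one it reports nothing. The comment lines "#ldap server require strong auth" and "#TLS verify peer" are skipped as comments, so only the active values count.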
 