How do you get LDAP with StartTLS working (not LDAPS)?
When disabling SSLv3 to protect our LDAP from the POODLE attack, it broke our LDAPS connectivity.
I thought it would be enough to change the Encryption box from SSL to TLS. But apparently this is not referring to TLS, but STARTTLS.
So, we changed it to use port 389 and changed the Encryption box from SSL to TLS, and this just does not want to work. StartTLS is definitely enabled and working on the LDAP.
First of all, smb4.conf was generating the incorrect ldapsam line and prefixing it with LDAPS://:
Code:
passdb backend = ldapsam:ldaps://ldap-1.loc:389
So I went into /usr/local/libexec/nas/generate_smb4_conf.py and changed it so the line was generated properly. (It seems even though you select STARTTLS, LDAPS will be used...which is not what we want. I think it's a bug.)
So now that the smb4.conf file is being properly generated, things still do not work.
I made sure the hostname is correct, I made sure the port is working with nc, I also reuploaded the certificate but still no luck.
Does anyone have this working using LDAP and StartTLS?
Or even better, does anyone have a fix for getting this to work over LDAPS and TLS instead of SSL? (Not STARTTLS...)
This is from the logs:
Code:
Nov 13 02:23:06 freenas generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /sbin/sysctl -n 'kern.maxfilesperproc'
Nov 13 02:23:06 freenas generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /usr/local/bin/smbpasswd -w 'PASSWORD123!'
Nov 13 02:23:06 freenas generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /usr/local/bin/pdbedit -d 0 -i smbpasswd:/tmp/tmplVQAzm -s /usr/local/etc/smb4.conf -e tdbsam:/var/etc/private/passdb.tdb
Nov 13 02:23:23 freenas generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /usr/local/bin/net groupmap list
Nov 13 02:23:40 freenas LDAP: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py start cifs
Nov 13 02:23:42 freenas generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /sbin/sysctl -n 'kern.maxfilesperproc'
Nov 13 02:23:42 freenas generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /usr/local/bin/smbpasswd -w 'PASSWORD123!'
Nov 13 02:23:42 freenas generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /usr/local/bin/pdbedit -d 0 -i smbpasswd:/tmp/tmpK3LxiG -s /usr/local/etc/smb4.conf -e tdbsam:/var/etc/private/passdb.tdb
Nov 13 02:23:47 freenas sshd[16286]: nss_ldap: could not search LDAP server - Server is unavailable
Nov 13 02:23:48 freenas sshd[16286]: nss_ldap: could not search LDAP server - Server is unavailable
Nov 13 02:23:53 freenas sshd[16286]: pam_ldap: ldap_starttls_s: Connect error
Nov 13 02:23:53 freenas sshd[16286]: pam_ldap: ldap_result Can't contact LDAP server
Nov 13 02:23:53 freenas sshd[16286]: pam_ldap: reconnecting to LDAP server...
Nov 13 02:23:54 freenas sshd[16286]: pam_ldap: ldap_starttls_s: Connect error
Nov 13 02:23:54 freenas sshd[16286]: pam_ldap: ldap_result Can't contact LDAP server
Nov 13 02:23:54 freenas sshd[16286]: pam_ldap: reconnecting to LDAP server...
Nov 13 02:23:54 freenas sshd[16286]: pam_ldap: ldap_starttls_s: Connect error
Nov 13 02:23:54 freenas sshd[16288]: nss_ldap: could not search LDAP server - Server is unavailable
Nov 13 02:23:54 freenas sshd[16288]: nss_ldap: could not search LDAP server - Server is unavailable
Nov 13 02:23:59 freenas generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /usr/local/bin/net groupmap list
Nov 13 02:24:16 freenas notifier: Can't initialize passdb backend.
Nov 13 02:24:16 freenas notifier:
Nov 13 02:24:16 freenas notifier: Performing sanity check on Samba configuration: OK
Nov 13 02:24:16 freenas notifier: Starting nmbd.
Nov 13 02:24:17 freenas nmbd[16319]: [2014/11/13 02:24:17.008718, 0] ../lib/util/become_daemon.c:136(daemon_ready)
Nov 13 02:24:17 freenas notifier: Starting smbd.
Nov 13 02:24:17 freenas notifier: Starting winbindd.
Nov 13 02:24:17 freenas winbindd[16329]: [2014/11/13 02:24:17.184804, 0] ../source3/winbindd/winbindd_cache.c:3196(initialize_winbindd_cache)
Nov 13 02:24:17 freenas winbindd[16329]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Nov 13 02:24:17 freenas winbindd[16329]: [2014/11/13 02:24:17.192616, 0] ../lib/util/become_daemon.c:136(daemon_ready)
Nov 13 02:24:17 freenas smbd[16325]: [2014/11/13 02:24:17.256703, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:17 freenas smbd[16325]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:17 freenas LDAP: /usr/sbin/service ix-ldap status
Nov 13 02:24:17 freenas winbindd[16331]: STATUS=daemon 'winbindd' finished starting up and ready to serve connectionsFailed to issue the StartTLS instruction: Connect error
Nov 13 02:24:18 freenas smbd[16325]: [2014/11/13 02:24:18.458542, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:18 freenas smbd[16325]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:18 freenas winbindd[16331]: [2014/11/13 02:24:18.558937, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:18 freenas winbindd[16331]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:19 freenas smbd[16325]: [2014/11/13 02:24:19.660936, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:19 freenas smbd[16325]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:19 freenas winbindd[16331]: [2014/11/13 02:24:19.761254, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:19 freenas winbindd[16331]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:20 freenas smbd[16325]: [2014/11/13 02:24:20.863330, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:20 freenas smbd[16325]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:20 freenas winbindd[16331]: [2014/11/13 02:24:20.963642, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:20 freenas winbindd[16331]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:22 freenas smbd[16325]: [2014/11/13 02:24:22.065592, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:22 freenas smbd[16325]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:22 freenas winbindd[16331]: [2014/11/13 02:24:22.166108, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:22 freenas winbindd[16331]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:23 freenas smbd[16325]: [2014/11/13 02:24:23.267935, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:23 freenas smbd[16325]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:23 freenas winbindd[16331]: [2014/11/13 02:24:23.368350, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:23 freenas winbindd[16331]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:24 freenas smbd[16325]: [2014/11/13 02:24:24.470152, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:24 freenas smbd[16325]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:24 freenas winbindd[16331]: [2014/11/13 02:24:24.570437, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:24 freenas winbindd[16331]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:25 freenas smbd[16325]: [2014/11/13 02:24:25.672330, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:25 freenas smbd[16325]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:25 freenas winbindd[16331]: [2014/11/13 02:24:25.772789, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:25 freenas winbindd[16331]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:26 freenas smbd[16325]: [2014/11/13 02:24:26.874448, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:26 freenas smbd[16325]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:26 freenas winbindd[16331]: [2014/11/13 02:24:26.974779, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:26 freenas winbindd[16331]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:28 freenas smbd[16325]: [2014/11/13 02:24:28.076802, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:28 freenas smbd[16325]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:28 freenas winbindd[16331]: [2014/11/13 02:24:28.176997, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:28 freenas winbindd[16331]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:28 freenas winbindd[16331]: [2014/11/13 02:24:28.176997, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:28 freenas winbindd[16331]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:29 freenas smbd[16325]: [2014/11/13 02:24:29.279246, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:29 freenas smbd[16325]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:29 freenas winbindd[16331]: [2014/11/13 02:24:29.379613, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:29 freenas winbindd[16331]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:30 freenas smbd[16325]: [2014/11/13 02:24:30.481173, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:30 freenas smbd[16325]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:30 freenas winbindd[16331]: [2014/11/13 02:24:30.581434, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:30 freenas winbindd[16331]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:31 freenas smbd[16325]: [2014/11/13 02:24:31.683243, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:31 freenas smbd[16325]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:31 freenas winbindd[16331]: [2014/11/13 02:24:31.783630, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:31 freenas winbindd[16331]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:32 freenas smbd[16325]: [2014/11/13 02:24:32.885605, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:32 freenas smbd[16325]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:32 freenas winbindd[16331]: [2014/11/13 02:24:32.985916, 0] ../source3/lib/smbldap.c:575(smbldap_start_tls)
Nov 13 02:24:32 freenas winbindd[16331]: Failed to issue the StartTLS instruction: Connect error
Nov 13 02:24:33 freenas smbd[16325]: [2014/11/13 02:24:33.897901, 0] ../source3/passdb/pdb_ldap.c:6529(pdb_ldapsam_init_common)
Nov 13 02:24:33 freenas smbd[16325]: pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
Nov 13 02:24:33 freenas smbd[16325]: [2014/11/13 02:24:33.898054, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
Nov 13 02:24:33 freenas smbd[16325]: pdb backend ldapsam:ldap-1.loc:389 did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
Nov 13 02:24:33 freenas winbindd[16331]: [2014/11/13 02:24:33.987840, 0] ../source3/passdb/pdb_ldap.c:6529(pdb_ldapsam_init_common)
Nov 13 02:24:33 freenas winbindd[16331]: pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
Nov 13 02:24:33 freenas winbindd[16331]: [2014/11/13 02:24:33.987989, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
Nov 13 02:24:33 freenas winbindd[16331]: pdb backend ldapsam:ldap-1.loc:389 did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
Nov 13 02:24:33 freenas winbindd[16331]: [2014/11/13 02:24:33.988126, 0] ../source3/lib/util.c:785(smb_panic_s3)
Nov 13 02:24:33 freenas winbindd[16331]: PANIC (pid 16331): pdb_get_methods: failed to get pdb methods for backend ldapsam:ldap-1.loc:389
Nov 13 02:24:33 freenas winbindd[16331]:
Nov 13 02:24:33 freenas winbindd[16331]: [2014/11/13 02:24:33.989193, 0] ../source3/lib/util.c:896(log_stack_trace)
Nov 13 02:24:33 freenas winbindd[16331]: BACKTRACE: 20 stack frames:
Nov 13 02:24:33 freenas winbindd[16331]: #0 0x80555f292 <smb_panic_s3+108> at /usr/local/lib/libsmbconf.so.0
Nov 13 02:24:33 freenas winbindd[16331]: #1 0x800b5af9a <smb_panic+40> at /usr/local/lib/libsamba-util.so.0
Nov 13 02:24:33 freenas winbindd[16331]: #2 0x802824453 <make_pdb_method_name+1320> at /usr/local/lib/libpdb.so.0
Nov 13 02:24:33 freenas winbindd[16331]: #3 0x802826996 <pdb_capabilities+13> at /usr/local/lib/libpdb.so.0
Nov 13 02:24:33 freenas winbindd[16331]: #4 0x4b24a5 <_lsa_EnumTrustedDomainsEx+22> at /usr/local/sbin/winbindd
Nov 13 02:24:33 freenas winbindd[16331]: #5 0x4bcbd1 <_lsa_LSARADTREPORTSECURITYEVENT+37285> at /usr/local/sbin/winbindd
Nov 13 02:24:33 freenas winbindd[16331]: #6 0x4809c8 <make_internal_rpc_pipe_p+1436> at /usr/local/sbin/winbindd
Nov 13 02:24:33 freenas winbindd[16331]: #7 0x480c53 <make_internal_rpc_pipe_p+2087> at /usr/local/sbin/winbindd
Nov 13 02:24:33 freenas winbindd[16331]: #8 0x8025f488c <dcerpc_binding_handle_raw_call_send+195> at /usr/local/lib/libdcerpc-binding.so.0
Nov 13 02:24:33 freenas winbindd[16331]: #9 0x8025f51a4 <dcerpc_binding_handle_call_send+953> at /usr/local/lib/libdcerpc-binding.so.0
Nov 13 02:24:33 freenas winbindd[16331]: #10 0x8025f55b1 <dcerpc_binding_handle_call+153> at /usr/local/lib/libdcerpc-binding.so.0
Nov 13 02:24:33 freenas winbindd[16331]: #11 0x8020bff3e <dcerpc_lsa_EnumTrustedDomainsEx_r+63> at /usr/local/lib/samba/libdcerpc-samba.so
Nov 13 02:24:33 freenas winbindd[16331]: #12 0x8020c036b <dcerpc_lsa_EnumTrustedDomainsEx+119> at /usr/local/lib/samba/libdcerpc-samba.so
Nov 13 02:24:33 freenas winbindd[16331]: #13 0x455c09 <rpc_trusted_domains+139> at /usr/local/sbin/winbindd
Nov 13 02:24:33 freenas winbindd[16331]: #14 0x45c6bc <open_internal_samr_conn+2385> at /usr/local/sbin/winbindd
Nov 13 02:24:33 freenas winbindd[16331]: #15 0x4397ba <wcache_lookup_groupmem+3280> at /usr/local/sbin/winbindd
Nov 13 02:24:33 freenas winbindd[16331]: #19 0x80742a7d3 <tevent_req_print+3587> at /usr/local/lib/libtevent.so.0
Nov 13 02:24:33 freenas winbindd[16331]: [2014/11/13 02:24:33.989768, 0] ../source3/lib/util.c:797(smb_panic_s3)
Nov 13 02:24:34 freenas winbindd[16331]: [2014/11/13 02:24:34.516759, 0] ../source3/lib/util.c:805(smb_panic_s3)
Nov 13 02:24:34 freenas winbindd[16331]: smb_panic(): action returned status 0
Nov 13 02:24:34 freenas winbindd[16331]: [2014/11/13 02:24:34.517278, 0] ../source3/lib/dumpcore.c:312(dump_core)
Nov 13 02:24:34 freenas winbindd[16331]: unable to change to %N.core
Nov 13 02:24:34 freenas winbindd[16331]: refusing to dump core
Nov 13 02:24:34 freenas winbindd[16329]: STATUS=daemon 'winbindd' finished starting up and ready to serve connectionsCould not receive trustdoms
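The scheme/port/encryption mismatch the post describes (an `ldaps://` URI emitted for the STARTTLS choice, and a TLS client pointed at the plaintext port 389), written out as an added example; this is not code from the post or from FreeNAS's generate_smb4_conf.py. It assumes Samba's documented smb.conf conventions (an `ldap://` or `ldaps://` URI after `ldapsam:` and `ldap ssl = start tls` to request StartTLS) and that the FreeNAS "TLS" choice means STARTTLS, as the post says; the function names are the example's own.

```python
import re

LDAP_PORT, LDAPS_PORT = 389, 636
# Samba expects an LDAP URI after "ldapsam:"; a bare host:port is flagged below.
_PASSDB = re.compile(r'^\s*passdb backend\s*=\s*ldapsam:"?(?P<uri>[^"\s]+)')
_URI = re.compile(r"^(?P<scheme>ldaps?)://(?P<host>[^:/]+)(?::(?P<port>\d+))?")


class LdapConfigError(ValueError):
    """A host/port/encryption combination that cannot produce a TLS session."""


def ldap_uri(host, port, encryption):
    """Map the FreeNAS 'Encryption' choice to the URI scheme Samba needs.

    'tls' is the GUI's name for STARTTLS: plain ldap:// (normally 389), upgraded
    in-band after connect. 'ssl' is LDAPS: TLS from the first byte, so ldaps://
    (normally 636). Mixing them yields the 'Connect error' seen in the logs.
    """
    if encryption == "ssl":
        if port == LDAP_PORT:
            raise LdapConfigError("ldaps:// to 389 sends a TLS hello to a plaintext listener")
        return "ldaps://%s:%d" % (host, port)
    if encryption in ("tls", "off"):
        if port == LDAPS_PORT:
            raise LdapConfigError("636 expects TLS at connect; StartTLS cannot be issued")
        return "ldap://%s:%d" % (host, port)
    raise LdapConfigError("unknown encryption mode %r" % (encryption,))


def smb4_ldap_lines(host, port, encryption):
    """The two smb4.conf lines: URI in the backend, StartTLS requested via 'ldap ssl'."""
    uri = ldap_uri(host, port, encryption)
    ldap_ssl = "start tls" if encryption == "tls" else "off"
    return ["passdb backend = ldapsam:%s" % uri, "ldap ssl = %s" % ldap_ssl]


def audit_passdb_line(line, encryption):
    """List the mismatches between a generated passdb line and the selected mode."""
    m = _PASSDB.match(line)
    if not m:
        return ["not an ldapsam passdb backend line"]
    u = _URI.match(m.group("uri"))
    if not u:
        return ["%r has no ldap:// or ldaps:// scheme" % m.group("uri")]
    scheme = u.group("scheme")
    port = int(u.group("port") or (LDAPS_PORT if scheme == "ldaps" else LDAP_PORT))
    problems = []
    if encryption == "tls" and scheme == "ldaps":
        problems.append("STARTTLS selected but URI uses ldaps://")
    if encryption == "ssl" and scheme == "ldap":
        problems.append("LDAPS selected but URI uses ldap://")
    if scheme == "ldaps" and port == LDAP_PORT:
        problems.append("ldaps:// pointed at port 389")
    if scheme == "ldap" and port == LDAPS_PORT:
        problems.append("ldap:// pointed at port 636")
    return problems
```

Running `audit_passdb_line` over the line the post shows (`ldapsam:ldaps://ldap-1.loc:389` with "TLS" selected) reports both the scheme and the port mismatch; the scheme-less `ldapsam:ldap-1.loc:389` from the later log lines is flagged as well.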