You have two server certificates with almost the same name. Be careful about that.

You can inspect the details with

certutil -d /etc/dirsrv/slapd-xxx01 -L -n "server-cert"

and

certutil -d /etc/dirsrv/slapd-xxx01 -L -n "Server-cert"

or use it with a simple pipe to check the Alt Names:

certutil -d /etc/dirsrv/slapd-xxx01 -L -n "Server-cert" | grep DNS

----- Original message -----

[root@xxx ZDRIVE]# certutil -d /etc/dirsrv/slapd-xxx01 -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,u
server-cert                                                  u,u,u
Server-Cert                                                  u,u,u

Thanks Rich.

From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx]
Sent: Wednesday, September 28, 2011 9:24 AM
To: General discussion list for the 389 Directory server project.
Cc: David Hoskinson
Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS

On 09/28/2011 06:47 AM, David Hoskinson wrote:
> I do not have a server.crt. I created my certs using the following page on the 389 documentation, http://directory.fedoraproject.org/wiki/Howto:SSL, which creates a cert8.db and key3.db.
>
> In the past I could do certutil -L something and it would show the cert information, but I can't seem to find that command anymore.

certutil -d /etc/dirsrv/slapd-instance -L

> I can authenticate from localhost and any of the client machines, even the samba server, just fine... I just can't seem to get the samba service to connect. If I have set up things incorrectly I appreciate the help.

From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Angel Bosch Mora
Sent: Wednesday, September 28, 2011 7:52 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS

Are you sure your certificate is created with your FQDN in it? I've had a LOT of problems until I created my certs correctly.

You can check it with

openssl x509 -noout -text -in server.crt

and I recommend that you include your FQDN as an Alternative Name even if it is your hostname; that trick saved me a lot of headaches. I always create my certs with two alternate names, the FQDN itself and also ldap.<mydomain>; this way you don't have any problems with load balancing and such.

To create a certificate request with alternate names you can run (one line):

certutil -R -s "CN=myserver.example.com,OU=example,O=example,L=example,ST=example,C=example" -o example.csr -d . -a -8 myserver.example.com,ldap.example.com

----- Original message -----

[2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2011/09/28 11:23:13, 10] lib/smbldap.c:smbldap_connect_system(951)
  ldap_connect_system: Binding to ldap server ldaps://adm301.stag.cle.us as "cn=Directory Manager"
[2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_connect_system(982)
  failed to bind to server ldaps://"FQDN of server".stag.cle.us with dn="cn=Directory Manager" Error: Can't contact LDAP server (unknown)

And yes, I can resolve the hostname, which I have sanitized.

Thanks for the tip, but that doesn't seem to help; I still have the same result. This was just working on another machine, but I had to put that one back to the way it was and must have missed something. Any more thoughts?

From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Angel Bosch Mora
Sent: Wednesday, September 28, 2011 3:39 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS

You have to use the FQDN when connecting securely, and you have to use the exact name used in the certificate.

----- Original message -----

I am getting the following message in the /var/log/samba/smbd.log file when I start up samba and try to connect as a user.

[2011/09/27 14:23:33, 1] lib/smbldap.c:another_ldap_try(1153)
  Connection to LDAP server failed for the 15 try!
[2011/09/27 14:23:34, 10] lib/smbldap.c:smb_ldap_setup_conn(630)
  smb_ldap_setup_connection: ldaps://192.168.3.79
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2011/09/27 14:23:34, 10] lib/smbldap.c:smbldap_connect_system(951)
  ldap_connect_system: Binding to ldap server ldaps://192.168.x.x as "cn=directory manager,dc=stag,dc=cle,dc=us"
[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_connect_system(982)
  failed to bind to server ldaps://192.168.x.x with dn="cn=directory manager,dc=stag,dc=cle,dc=us" Error: Can't contact LDAP server (unknown)

Relevant part of the smb.conf:

passdb backend = ldapsam:ldaps://192.168.x.x
ldap suffix = dc=stag,dc=cle,dc=us
ldap machine suffix = ou=people
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap passwd sync = yes
ldap admin dn = cn=directory manager,dc=stag,dc=cle,dc=us
obey pam restrictions = yes

I was able to run smbpasswd -w to add the admin dn password to the secrets.tdb, but I am unable to add additional users as well, again getting a "cannot contact ldap server" message. I had this working on another machine, but that machine was needed for another purpose and I lost the setup. I know I must be missing something simple and am checking the HOWTO for samba on the 389 Directory Server site.
David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskinson@xxxxxxxxxxxx | www.datatrak.net

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
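The two points the thread keeps returning to are that the name Samba connects to must be one the server certificate actually carries, and that the FQDN plus an ldap.<domain> alias should both be in the subjectAltName. The script below is an added example, not code from the thread, from Samba or from the 389 project: it builds a throwaway self-signed certificate with exactly those two SANs (example.com names are constructed), then checks whether the host in a "passdb backend = ldapsam:ldaps://..." line is covered by that certificate using the rules a TLS client applies (IP literals need an IP SAN, hostnames need a DNS SAN, the CN only counts when there is no SAN at all). The function names are hypothetical, and it assumes OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a test certificate with the SANs
# recommended above and checks whether the LDAP host Samba is configured to use
# is covered by it. Assumes openssl >= 1.1.1 (for "req -addext").
set -eu

WORK="${TMPDIR:-/tmp}/ldaps-san-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed test certificate: CN = FQDN, SANs = FQDN and the ldap.<domain> alias.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=myserver.example.com/O=example" \
        -addext "subjectAltName=DNS:myserver.example.com,DNS:ldap.example.com" \
        -keyout "$WORK/key.pem" -out "$WORK/server.pem" >/dev/null 2>&1
    echo "$WORK/server.pem"
}

# List the DNS and IP entries of the subjectAltName, one per line
# ("DNS:host" / "IP Address:a.b.c.d"); prints nothing if the cert has no SAN.
cert_sans() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -E '^(DNS|IP Address):' || true
}

# Subject CN, lower-cased; only consulted when the certificate has no SAN.
cert_cn() {
    openssl x509 -noout -subject -in "$1" \
        | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | tr 'A-Z' 'a-z'
}

# Host part of "passdb backend = ldapsam:ldaps://host[:port]" (ldap:// as well).
smbconf_ldap_host() {
    printf '%s\n' "$1" | sed -n \
        's|^[[:space:]]*passdb backend[[:space:]]*=[[:space:]]*ldapsam:[[:space:]]*ldaps\{0,1\}://\([^:/[:space:]]*\).*$|\1|p'
}

# Returns 0 when NAME is covered by CERT: an IP literal must appear as an IP SAN;
# a hostname must match a DNS SAN exactly or via a single-label wildcard;
# the CN is a fallback only for certificates that carry no SAN at all.
cert_covers_name() {
    c_cert=$1
    c_name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    c_sans=$(cert_sans "$c_cert")
    if printf '%s\n' "$c_name" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        printf '%s\n' "$c_sans" | grep -qixF "IP Address:$c_name"
        return
    fi
    if [ -z "$c_sans" ]; then
        [ "$(cert_cn "$c_cert")" = "$c_name" ]
        return
    fi
    for c_san in $(printf '%s\n' "$c_sans" | grep '^DNS:' | cut -d: -f2- | tr 'A-Z' 'a-z'); do
        case $c_san in
            "$c_name") return 0 ;;
            \*.*) [ "${c_name#*.}" = "${c_san#\*.}" ] && return 0 ;;
        esac
    done
    return 1
}

# Verdict for one smb.conf passdb line against the server certificate.
check_samba_target() {
    t_host=$(smbconf_ldap_host "$2")
    if [ -z "$t_host" ]; then
        echo "cannot parse an ldapsam URL out of: $2"
        return 2
    fi
    if cert_covers_name "$1" "$t_host"; then
        echo "ok: '$t_host' is covered by the certificate"
    else
        echo "MISMATCH: '$t_host' is not a SAN/CN of the certificate; a name-checking TLS client will refuse the handshake, so no bind is ever attempted"
        return 1
    fi
}

CERT=$(make_test_cert)
echo "SANs in the test certificate:"
cert_sans "$CERT"
check_samba_target "$CERT" "passdb backend = ldapsam:ldaps://ldap.example.com" || true
check_samba_target "$CERT" "passdb backend = ldapsam:ldaps://192.168.3.79" || true
```

Run it as-is to see the alias accepted and the IP literal rejected; to check a real deployment, export the 389 server cert from its NSS database (certutil -d /etc/dirsrv/slapd-<instance> -L -n "<nickname>" -a) and pass that PEM file together with the passdb line from smb.conf to check_samba_target.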