Bug #1579209 “Samba and LDAP is completely out of date” : Bugs : Ubuntu Server Guide

Revision history for this message

Doug Smythies (dsmythies) wrote on 2016-05-07:

#1

Thanks for your bug report. Yes, we know there are issues, and have been trying to get them fixed.
Have a look at a pending Merge Proposal, and see if it addresses all the issues you found.

https://code.launchpad.net/~nacc/serverguide/samba/+merge/293442

Changed in serverguide:
status:	New → Confirmed

Revision history for this message

Samuel Abels (knipknap) wrote on 2016-05-07:

#2

Thanks for the info! Following the instructions with the updated docs works until the step where indices are added. Creating the indices fails on my machine:

    $ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif
    modifying entry "olcDatabase={1}hdb,cn=config"
    ldap_modify: No such object (32)
            matched DN: cn=config

I am guessing "hdb" needs to be changed to whatever your database is. In my case, I just used the Ubuntu defaults from 16.04 installation, resulting in the following dn:

$ sudo ls /etc/ldap/slapd.d/cn\=config | grep Database= | grep db.ldif
olcDatabase={1}mdb.ldif

However, after changing the first line in samba_indices.ldif to:

dn: olcDatabase={1}mdb,cn=config

there are still errors:

    $ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif
    modifying entry "olcDatabase={1}mdb,cn=config"
    ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: duplicate index definition for attr "uidNumber"

Revision history for this message

Samuel Abels (knipknap) wrote on 2016-05-07:

#3

Some more info on the attributes that are causing the conflict:

$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}mdb olcDbIndex
dn: olcDatabase={1}mdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq

Revision history for this message

Samuel Abels (knipknap) wrote on 2016-05-07:

#4

The merge also does not address the problem that the smbldap-config.pl isn't there.

Revision history for this message

Nish Aravamudan (nacc) wrote on 2016-05-10:

#5

FWIW, upstream Samba has fixed the lack of smbldap-config.pl in the source (it was a Makefile error?) I will see if I can backport the fix.

Revision history for this message

Nish Aravamudan (nacc) wrote on 2016-05-21:

#6

FWIW, I've provided an patch for the 16.10 version of smbldap-tools in Bug: #997172. Once that's there, we can SRU the same fix back to the older versions, esp. 14.04 and 16.04, at which point we'll update the documentation to not refer to said bug (as the tool should exist again), and hopefully, Samuel you can retest then.

Revision history for this message

Nish Aravamudan (nacc) wrote on 2016-06-17:

#7

@Samuel, the smbldap-tools change has landed in trusty-proposed, if you could test it, that'd be great!

Revision history for this message

Heidou (heidou) wrote on 2016-12-20:

#8

Download full text (13.9 KiB)

Hello,

I spent almost 3 weeks banging my head making OpenLDAP + TLS + Samba to work. Thought I might share my experience could help someone out there.

I started having no knowledge about LDAP, followed 'OpenLDAP Server' (https://help.ubuntu.com/lts/serverguide/openldap-server.html) and 'Samba and LDAP' (https://help.ubuntu.com/lts/serverguide/samba-ldap.html) server guide pages, I failed many, many times.

I am going to list modification/enhancement points I believe it would be better/nice to have on those two guides.

1. OpenLDAP Server (https://help.ubuntu.com/lts/serverguide/openldap-server.html) Guide

1-1. I think it would be nice to have brief description of ldap URL scheme somewhere before installation section. Since confusing them could end up wasting days like me :(
Something like:
There are three URL scheme used for LDAP. 'ldap://', 'ldapi://' and 'ldaps://'.
- 'ldap://' instructs to use TCP/IP connection and most commonly used. Port 389 will be used, unless you specify it in URL in 'ldap://hostname:port/' form.
- 'ldapi://' is to use UNIX domain socket, typically used in 'ldapi:///' form to indicate to connect to default server. This can be used only when you run clients on the same machine slapd is running. If you want to use it with TLS, there are some restrictions apply (see the last note on 1-4).
- 'ldaps://' was used to establish TLS connection using port 636. The new way of TLS enabled LDAP is to use standard 'ldap://' scheme and port 389. Using of 'ldaps://' is discouraged.

1-2. I followed sections 'Installation', 'Post-install Inspection', 'Modifying/Populating your Database', 'Logging', 'TLS' and 'LDAP Authentication' only. But anywhere it refers 'hdb' in command or output, it should be replaced with 'mdb' since mdb is the default database slapd uses in current version.

1-3. In 'TLS' section, following instructions in that order end up having an error at 'ldapmodify' command, since at that time slapd does not have read permission on private key file. Correct order would be:

Tighten up (or loosen down?) ownership and permissions:

  sudo adduser openldap ssl-cert
  sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem
  sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem
  sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem

Restart OpenLDAP:

sudo systemctl restart slapd.service

Create the file certinfo.ldif with the following contents [[(adjust accordingly, our example assumes we created certs using https://www.cacert.org) I think we created cacert.pem in instructions right above. This note may not be precise? ]]:

  dn: cn=config
  add: olcTLSCACertificateFile
  olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
  -
  add: olcTLSCertificateFile
  olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
  -
  add: olcTLSCertificateKeyFile
  olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

Use the ldapmodify command to tell slapd about our TLS work via the slapd-config database: [[ modified '/etc/ssl/certinfo.ldif' to 'certinfo.ldif' ]]

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif

1-4. Again, in 'TLS' section, t...

Hello,

I spent almost 3 weeks banging my head making OpenLDAP + TLS + Samba to work. Thought I might share my experience could help someone out there.

I started having no knowledge about LDAP, followed 'OpenLDAP Server' (https://help.ubuntu.com/lts/serverguide/openldap-server.html) and 'Samba and LDAP' (https://help.ubuntu.com/lts/serverguide/samba-ldap.html) server guide pages, I failed many, many times.

I am going to list modification/enhancement points I believe it would be better/nice to have on those two guides.

1. OpenLDAP Server (https://help.ubuntu.com/lts/serverguide/openldap-server.html) Guide

1-1.  I think it would be nice to have brief description of ldap URL scheme somewhere before installation section. Since confusing them could end up wasting days like me :(
Something like:
	There are three URL scheme used for LDAP.  'ldap://', 'ldapi://' and 'ldaps://'.
	- 'ldap://' instructs to use TCP/IP connection and most commonly used. Port 389 will be used, unless you specify it in URL in 'ldap://hostname:port/' form.
	- 'ldapi://' is to use UNIX domain socket, typically used in 'ldapi:///' form to indicate to connect to default server. This can be used only when you run clients on the same machine slapd is running. If you want to use it with TLS, there are some restrictions apply (see the last note on 1-4).
	- 'ldaps://' was used to establish TLS connection using port 636. The new way of TLS enabled LDAP is to use standard 'ldap://' scheme and port 389. Using of 'ldaps://' is discouraged.

1-2.  I followed sections 'Installation', 'Post-install Inspection', 'Modifying/Populating your Database', 'Logging', 'TLS' and 'LDAP Authentication' only.  But anywhere it refers 'hdb' in command or output, it should be replaced with 'mdb' since mdb is the default database slapd uses in current version.

1-3.  In 'TLS' section, following instructions in that order end up having an error at 'ldapmodify' command, since at that time slapd does not have read permission on private key file. Correct order would be:

Tighten up (or loosen down?) ownership and permissions:

sudo adduser openldap ssl-cert
		sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem
		sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem
		sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem

Restart OpenLDAP:

sudo systemctl restart slapd.service

Create the file certinfo.ldif with the following contents [[(adjust accordingly, our example assumes we created certs using https://www.cacert.org) I think we created cacert.pem in instructions right above. This note may not be precise? ]]:

dn: cn=config
		add: olcTLSCACertificateFile
		olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
		-
		add: olcTLSCertificateFile
		olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
		-
		add: olcTLSCertificateKeyFile
		olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

Use the ldapmodify command to tell slapd about our TLS work via the slapd-config database: [[ modified '/etc/ssl/certinfo.ldif' to 'certinfo.ldif' ]]

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif

1-4.  Again, in 'TLS' section, the guide illustrates how to configure slapd, but there's no instructions how ldap client programs communicate to slapd over TLS. It may not be necessary, but it can be an easy way to confirm slapd was configured to use TLS correctly.

Edit a line in /etc/ldap/ldap.conf. (GnuTLS needs it?)

TLS_CACERT	/etc/ssl/certs/cacert.pem

Confirm 'ldapsearch' command runs without error with '-ZZ' option.

$ ldapsearch -x -LLL -ZZ -H ldap://ldap01.example.com -b dc=example,dc=com 'uid=john' cn gidNumber
		dn: uid=john,ou=People,dc=example,dc=com
		cn: John Doe
		gidNumber: 5000

As long as you use 'ldapsearch' on the same machine slapd is running, you could run it with '-H ladpi:///' or without '-H' option, but the machine have to identify itself as same name as 'cn' field in the LDAP certificate ('ldap01.example.com'). You may have to either configure your machine so that 'hostname' command returns 'ldap01.example.com', or keep "127.0.1.1 ldap01.example.com ldap01" line in your /etc/hosts, to achieve it.

1-5.  'LDAP Authentication' section. Correct me if I'm wrong, but I believe following those instructions only allow non-encrypted connections between client and server. To make them use TLS, another few steps would be needed.

To enable TLS on libnss_ldap:

- Make sure the client machine has the CA certificate that the LDAP certificate has signed upon. In case you followed 'TLS' section above, it is /etc/ssl/certs/cacert.pem. If you don't have it, copy it from server machine, place it as /etc/ssl/certs/cacert.pem, owned by root:root, permission 0644.

- Make modification in /etc/ldap.conf. First of all, the hostname in 'uri' line will be used to match against 'cn (common name)' field in the LDAP certificate. It must be the same. In case of this example, it shall be:

uri ldap://ldap01.example.com/

In case of authentication on slapd running machine itself, you could use 'uri ldapi:///', but your machine have to identify itself as same name as LDAP certificate cn field. See the last note on 1-4.

Then add a line:

ssl start_tls

You don't need to have 'tls_cacertfile' line. System will find CA certificate by itself as long as you put it in standard certificate folder (/etc/ssl/certs/).

Not to be confused, /etc/ldap.conf is a file consulted by libnss_ldap routines (man 5 nss_ldap), where /etc/ldap/ldap.conf is part of the OpenLDAP and consulted by some utility client programs like 'ldapsearch' (man 5 ldap.conf).

2. Samba and LDAP (https://help.ubuntu.com/lts/serverguide/samba-ldap.html) Guide

2-1. Following 'Samba indices' instructions ends up with error at 'ldapmodify' command, as Samuel described above. This is because latest version of slapd package is shipped to have some indices already. In my case those were same as Samuel's description:

$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}mdb olcDbIndex
	dn: olcDatabase={1}mdb,cn=config
	olcDbIndex: objectClass eq
	olcDbIndex: cn,uid eq
	olcDbIndex: uidNumber,gidNumber eq
	olcDbIndex: member,memberUid eq

I believe we have to merge these indices with those Samba needed. Thus the samba_indices.ldif file contents should be something like:

dn: olcDatabase={1}mdb,cn=config
	changetype: modify
	replace: olcDbIndex
	olcDbIndex: objectClass eq
	olcDbIndex: cn eq
	olcDbIndex: uid eq,pres,sub
	olcDbIndex: uidNumber,gidNumber eq
	olcDbIndex: member eq
	olcDbIndex: memberUid eq,pres,sub
	olcDbIndex: loginShell eq
	olcDbIndex: uniqueMember eq,pres
	olcDbIndex: sambaSID eq
	olcDbIndex: sambaPrimaryGroupSID eq
	olcDbIndex: sambaGroupType eq
	olcDbIndex: sambaSIDList eq
	olcDbIndex: sambaDomainName eq
	olcDbIndex: default sub

Update indices with the same command:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif

But to examine, command would be ('mdb' instead of 'hdb'):

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}mdb olcDbIndex

2-2. 'Adding Samba LDAP objects'. I think it would be nice to have 'smbldap-config' example in this section, since it is a bit tricky. By the way, smbldap-config.pl is now smbldap-config (/usr/sbin/smbldap-config). Here, my keystroke is bracketed by '[[...]]', and '#...' is my comment.

$ sudo smbldap-config
	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
		   smbldap-tools script configuration
		   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	Before starting, check
	 . if your samba controller is up and running.
	 . if the domain SID is defined (you can get it with the 'net getlocalsid')

. you can leave the configuration using the Ctrl-c key combination
	 . empty value can be set with the "." character
	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
	Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] > [[<Enter>]]

The default directory in which the smbldap configuration files are stored is shown.
	If you need to change this, enter the full directory path, then press enter to continue.
	Smbldap-tools Configuration Directory Path [/etc/smbldap-tools] > [[<Enter>]]
	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba acts as a PDC for
	  workgroup name [WORKGROUP] > [[<Enter>]]	# Configure any Samba parameters to fit yours.
	. netbios name: netbios name of the samba controller
	  netbios name [] > [[<Enter>]]
	. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
	  logon drive [] > [[<Enter>]]
	. logon home: home directory location (for Win95/98 or NT Workstation).
	  (use %U as username) Ex:'\\\%U'
	  logon home (press the "." character if you don't want homeDirectory) [\\\%U] > [[.]]
	. logon path: directory where roaming profiles are stored. Ex:'\\\profiles\%U'
	  logon path (press the "." character if you don't want roaming profiles) [\\\profiles\%U] > [[.]]
	. home directory prefix (use %U as username) [/home/%U] > [[<Enter>]]
	. default users' homeDirectory mode [700] > [[<Enter>]]
	. default user netlogon script (use %U as username) [] > [[<Enter>]]
	  default password validation time (time in days) [45] > [[<Enter>]]
	. ldap suffix [] > [[dc=example,dc=com]]
	. ldap group suffix [] > [[ou=Groups]]
	. ldap user suffix [] > [[ou=People]]
	. ldap machine suffix [] > [[ou=Computers]]
	. Idmap suffix [ou=Idmap] > [[<Enter>]]
	. sambaUnixIdPooldn: object where you want to store the next uidNumber
	  and gidNumber available for new users and groups
	  sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=WORKGROUP] > [[<Enter>]]
	. ldap master server: IP address or DNS name of the master (writable) ldap server
	  ldap master server [127.0.0.1] > [[ldap01.example.com]]	# If you don't use TLS, you may just press enter.
	. ldap master port [389] > [[<Enter>]]
	. ldap master bind dn [] > [[cn=admin,dc=example,dc=com]]
	. ldap master bind password [] > [[<Password>]]
	. ldap slave server: IP address or DNS name of the slave ldap server: can also be the master one
	  ldap slave server [127.0.0.1] > [[ldap01.example.com]]	# If you don't have slave server, make it same as master.
	. ldap slave port [389] > [[<Enter>]]
	. ldap slave bind dn [] > [[cn=admin,dc=example,dc=com]]
	. ldap slave bind password [] > [[<Password>]]
	. ldap tls support (1/0) [0] > [[1]]	# If you don't use TLS, enter '0'. You won't be asked next 4 questions.
	. How to verify the server's certificate (none, optional or require) [require] > [[<Enter>]]
	. CA certificate file [/etc/smbldap-tools/ca.pem] > [[/etc/ssl/certs/cacert.pem]]
	. certificate to use to connect to the ldap server [/etc/smbldap-tools/smbldap-tools.pem] > [[.]]	# We don't use client authentication, just zap it.
	. key certificate to use to connect to the ldap server [/etc/smbldap-tools/smbldap-tools.key] > [[.]]	# Ditto.
	. SID for domain WORKGROUP: SID of the domain (can be obtained with 'net getlocalsid ')
	  SID for domain WORKGROUP [S-1-5-21-1368871063-451239926-1424446152] > [[<Enter>]]	# Your number may vary. Just enter, or you could zap it.
	. unix password encryption: encryption used for unix passwords
	  unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > [[<Enter>]]
	. default user gidNumber [513] > [[<Enter>]]
	. default computer gidNumber [515] > [[<Enter>]]
	. default login shell [/bin/bash] > [[<Enter>]]
	. default skeleton directory [/etc/skel] > [[<Enter>]]
	. default domain name to append to mail address [] > [[<Enter>]]
	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	backup old configuration files:
	  /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
	  /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
	writing new configuration file:
	  /etc/smbldap-tools/smbldap.conf done.
	  /etc/smbldap-tools/smbldap_bind.conf done.
	$

2-3.  In 'Samba Configuration', restarting Samba right after we made modification to /etc/samba/smb.conf will fail, since Samba needs LDAP rootDN password to restart, which we will provide in next instruction. Correct order would be:

Now inform Samba about the rootDN user's password (the one set during the installation of the slapd package):

sudo smbpasswd -w password	[[ or 'sudo smbpasswd -W' and enter password from keyboard ]]

Restart samba to enable the new settings:

sudo systemctl restart smbd.service nmbd.service

2-4.  Again in 'Samba Configuration', when you use TLS, the 'hostname' in the line 'passdb backend = ldapsam:ldap://hostname/' in /etc/samba/smb.conf file have to be the same name you used in 'cn' in the LDAP certification. If you are running smbd on the same machine slapd is running, you could use 'ldapi:///', but same restrictions apply. See the last note on 1-4.

2-5.  Fainal note on 'Samba Configuration'.  If you don't use TLS, 'ldap ssl' line in /etc/samba/smb.conf should be 'ldap ssl = no'.

My personal opinion. Since this procedure could fail in so many ways, I would strongly suggest you configure Samba without TLS first ('ldap tls support = 0' in smbldap-config, 'ldap ssl = no' in smb.conf), then enable it after ('ldap ssl = start tls' in smb.conf, 'ldapTLS="1", verify="require", cafile="/etc/ssl/certs/cacert.pem"' in /etc/smbldap-tools/smbldap.conf).  It is MUCH easier.

This report has been confirmed on following versions of packages.

uname: 4.4.0-53-generic #74-Ubuntu SMP Fri Dec 2 15:59:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Package: slapd
Version: 2.4.42+dfsg-2ubuntu3.1

Package: ldap-utils
Version: 2.4.42+dfsg-2ubuntu3.1

Package: gnutls-bin
Version: 3.4.10-4ubuntu1.1

Package: ssl-cert
Version: 1.0.37

Package: samba
Version: 2:4.3.11+dfsg-0ubuntu0.16.04.1

Package: smbldap-tools
Version: 0.9.9-1ubuntu1.16.04.2

I am no experts on any of those software. Correct me whatever you feel necessary!
Hope this helps someone like me use those packages without much hustle.

Chao!

Revision history for this message

Heidou (heidou) wrote on 2016-12-20:

#9

Hello again,

I made a mistake on above post. In 1-5, about 'LDAP Authentication' describing /etc/ldap.conf modification, I wrote:

> You don't need to have 'tls_cacertfile' line. System will find CA certificate by itself as long as you put it in standard certificate folder (/etc/ssl/certs/).

Turned out you actually NEED 'tls_cacertfile' line. So you have to add 2 lines in /etc/ldap.conf to use TLS enabled libnss_ldap.

ssl start_tls
tls_cacertfile /etc/ssl/certs/cacert.pem

Sorry about the mess.

Revision history for this message

Heidou (heidou) wrote on 2016-12-20:

#10

So, I just found about the update-ca-certificates command and /usr/share/ca-certificates folder.
The reason libnss_ldap didn't find CA certificate might be I didn't follow standard procedures.
(Fanny thing on slapd server machine, it found it without tls_cacertfile line, but on client machine it didn't.)

I think I have to rewrite 1-5 altogether.

Revision history for this message

Heidou (heidou) wrote on 2016-12-21:

#11

Mystery solved.

In 1-5, I wrote:

> You don't need to have 'tls_cacertfile' line. System will find CA certificate by itself as long as you put it in standard certificate folder (/etc/ssl/certs/).

That's a lie. I leaned, for a CA certificate file to be automatically found, not only it must reside in standard folder, but it also has to be named based on it's hash value.
Our CA certificate file name is not. Nobody can find it, unless we tell them where it is, in one way or another.

These are the software we used and how they find where CA certificate is.

OpenLDAP utility client (ldapsearch, ldapmodify, ...)
-> libldap
-> 'TLS_CACERT' line in /etc/ldap/ldap.conf

libnss_ldap
  -> 'tls_cacertfile' line in /etc/ldap.conf
    -> libldap
      -> 'TLS_CACERT' line in /etc/ldap/ldap.conf

smbd
-> libldap
-> 'TLS_CACERT' line in /etc/ldap/ldap.conf

smbldap-tools
-> 'cafile' line in /etc/smbldap-tools/smbldap.conf
-> Net::LDAP

Server machine I configured did not need 'tls_cacertfile' line in /etc/ldap.conf, because I had 'TLS_CACERT' line in /etc/ldap/ldap.conf. But, on a client machine I didn't, libnss_ldap could not find CA certificate until I put 'tls_cacertfile' line in /etc/ldap.conf.

Apparently, one way (probably a better way) to do this is to use 'update-ca-certificates' command and have hash-based CA certificate file name under /etc/ssl/certs/. But I feel describing all that may go beyond our purpose of simple OpenLDAP + TLS configuration.

So I'm going to stick with '/etc/ssl/certs/cacert.pem', and put this path in /etc/ldap/ldap.conf, regardless it's a server machine or a client. Also, 'TLS_REQCERT demand' seems good addition to make sure clients establish an encrypted communication (although OpenLDAP utility client programs ignore it).

I revise my previous report in following 2 sections.

In 1-4.
--- old lines ---
> Edit a line in /etc/ldap/ldap.conf. (GnuTLS needs it?)
>
> TLS_CACERT /etc/ssl/certs/cacert.pem
--- replaced with ---
Edit /etc/ldap/ldap.conf and have these two lines.

TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/cacert.pem
--- end ---

In 1-5.
--- old lines --
Then add a line:

ssl start_tls

You don't need to have 'tls_cacertfile' line. System will find CA certificate by itself as long as you put it in standard certificate folder (/etc/ssl/certs/).
--- replaced with ---
Then add a line:

ssl start_tls

- Edit /etc/ldap/ldap.conf and have these two lines, if you haven't done so yet.

TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/cacert.pem
--- end ---

This should be sufficient.

Chao.

Mystery solved.

In 1-5, I wrote:

> You don't need to have 'tls_cacertfile' line. System will find CA certificate by itself as long as you put it in standard certificate folder (/etc/ssl/certs/).

That's a lie. I leaned, for a CA certificate file to be automatically found, not only it must reside in standard folder, but it also has to be named based on it's hash value.
Our CA certificate file name is not. Nobody can find it, unless we tell them where it is, in one way or another.

These are the software we used and how they find where CA certificate is.

OpenLDAP utility client (ldapsearch, ldapmodify, ...)
  -> libldap
    -> 'TLS_CACERT' line in /etc/ldap/ldap.conf

libnss_ldap
  -> 'tls_cacertfile' line in /etc/ldap.conf
    -> libldap
      -> 'TLS_CACERT' line in /etc/ldap/ldap.conf

smbd
  -> libldap
    -> 'TLS_CACERT' line in /etc/ldap/ldap.conf

smbldap-tools
  -> 'cafile' line in /etc/smbldap-tools/smbldap.conf
    -> Net::LDAP

Server machine I configured did not need 'tls_cacertfile' line in /etc/ldap.conf, because I had 'TLS_CACERT' line in /etc/ldap/ldap.conf. But, on a client machine I didn't, libnss_ldap could not find CA certificate until I put 'tls_cacertfile' line in /etc/ldap.conf.

Apparently, one way (probably a better way) to do this is to use 'update-ca-certificates' command and have hash-based CA certificate file name under /etc/ssl/certs/.  But I feel describing all that may go beyond our purpose of simple OpenLDAP + TLS configuration.

So I'm going to stick with '/etc/ssl/certs/cacert.pem', and put this path in /etc/ldap/ldap.conf, regardless it's a server machine or a client. Also, 'TLS_REQCERT demand' seems good addition to make sure clients establish an encrypted communication (although OpenLDAP utility client programs ignore it).

I revise my previous report in following 2 sections.

In 1-4.
--- old lines ---
>	Edit a line in /etc/ldap/ldap.conf. (GnuTLS needs it?)
>
>		TLS_CACERT	/etc/ssl/certs/cacert.pem
--- replaced with ---
	Edit /etc/ldap/ldap.conf and have these two lines.

TLS_REQCERT	demand
		TLS_CACERT	/etc/ssl/certs/cacert.pem
--- end ---

In 1-5.
--- old lines --
	Then add a line:

ssl start_tls

You don't need to have 'tls_cacertfile' line. System will find CA certificate by itself as long as you put it in standard certificate folder (/etc/ssl/certs/).
--- replaced with ---
	Then add a line:

ssl start_tls

- Edit /etc/ldap/ldap.conf and have these two lines, if you haven't done so yet.

TLS_REQCERT	demand
		TLS_CACERT	/etc/ssl/certs/cacert.pem
--- end ---

This should be sufficient.

Chao.

Revision history for this message

Paul (pacun123) wrote on 2017-03-14:

#12

Hello,

was the indices problem ever resolved.

  $ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif
    modifying entry "olcDatabase={1}hdb,cn=config"
    ldap_modify: No such object (32)
            matched DN: cn=config

I'm struggling to add them to my config.

Thanks in advance.

Revision history for this message

Nish Aravamudan (nacc) wrote on 2017-03-14:

#13

@Paul: this bug (based upon its title) is purely about the server guide. While we can open tasks for the samba issues, there seem to be multiple.

Can you file a bug against samba (or see if one already is) for the indices issue, and subscribe me (nacc) to it, and I will see if I can help get it resolved.

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2017-05-11:

#14

Hi,

just a heads up. As mentioned elsewhere, this bug is highlighting a lot of issues that would be better dealt with in separate bugs. I already fixed quite a few and I'm working up to tackling the samba+ldap section soon. Once that happens, I'll go over what was mentioned here and file separate bugs where appropriate, and tackle them individually.

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2017-05-11:

#15

If you want to check the current guide's state, you can branch lp:serverguide and build the html or pdf versions. I think https://wiki.ubuntu.com/DocumentationTeam/SystemDocumentation/BuildingDocumentation and/or https://wiki.ubuntu.com/DocumentationTeam/SystemDocumentation/Repository list the dependencies you need to install for the build.

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2017-05-19:

#16

What is fixed already in the guide in trunk:
- backend change from hdb to mdb
- adding indexes
- SSL instructions

I'm now going over the steps to spot remaining issues.

Changed in serverguide:
assignee:	nobody → Andreas Hasenack (ahasenack)
status:	Confirmed → In Progress

Doug Smythies (dsmythies) on 2017-05-28

Changed in serverguide:
status:	In Progress → Fix Committed

Doug Smythies (dsmythies) on 2017-06-23

Changed in serverguide:
status:	Fix Committed → Fix Released

Ubuntu Server Guide

Samba and LDAP is completely out of date

Bug Description

Related branches

Other bug subscribers

Remote bug watches