SSL self-signed certificate error on Samba 4
OK, I solved my issue.
I followed this procedure to create a self-signed certificate for Samba 4:
Go to the auto-generated certificate directory, remove the existing ones and create your own in the same directory, then restart Samba.
# cd /usr/local/samba/private/tls ## if you compiled samba from sources
# cd /var/lib/samba/private/tls ## if you installed samba from repos
# rm *.pem
# openssl req -newkey rsa:2048 -keyout myKey.pem -nodes -x509 -days 365 -out myCert.pem
Add this to your /etc/samba/smb.conf
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile =
Then restart Samba
To make the ldapsearch command succeed, follow this topic's advice and add
TLS_REQCERT ALLOW
to your ldap.conf file.
One thing that kept me in error was that
openssl verify myCert.pem
will never work on my config (Debian 9.0 "Stretch" - OpenSSL 1.1.0f). I retried my keys under OpenSSL 1.0.2 and they worked just fine. I'm not sure if it's caused by the OS or just the OpenSSL version...
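The procedure in the answer above, as an added example that is not code from the original answer: it generates the key and certificate with the same openssl req command and file names, then runs the checks used in this thread (key/cert modulus comparison, openssl verify) in a form that behaves the same on every OpenSSL version. A self-signed certificate is its own issuer, so openssl verify only succeeds when the certificate is also passed as the trust anchor with -CAfile; without it, "error 18 ... self signed certificate" is the expected result rather than a sign of a bad key pair. The hostname dc1.example.com, the directory and the validity period are assumptions supplied by the caller; the demo writes to a temporary directory, not to /var/lib/samba/private/tls.

```shell
#!/bin/sh
# Added example, not from the original answer: build a self-signed cert for a
# Samba AD DC and check it. Directory, hostname and validity are caller-supplied
# assumptions.

# gen_selfsigned DIR FQDN [DAYS]: writes DIR/myKey.pem and DIR/myCert.pem,
# the file names the answer's smb.conf lines refer to. -nodes leaves the key
# unencrypted (samba has to read it unattended at start-up), so lock it down.
gen_selfsigned() {
    dir=$1
    fqdn=$2
    days=${3:-365}
    mkdir -p "$dir"
    openssl req -newkey rsa:2048 -nodes -x509 -days "$days" \
        -subj "/CN=$fqdn" \
        -keyout "$dir/myKey.pem" -out "$dir/myCert.pem" 2>/dev/null
    chmod 600 "$dir/myKey.pem"
}

# key_matches_cert KEY CERT: success when both carry the same RSA modulus.
# Same check as the question's md5 comparison, using sha256 instead.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# verify_as_own_anchor CERT: a self-signed cert verifies only when it is also
# the trust anchor, hence -CAfile pointing at the cert itself.
verify_as_own_anchor() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# verify_without_anchor CERT: the bare check from the thread. For a
# self-signed cert this fails with error 18 on every OpenSSL version.
verify_without_anchor() {
    openssl verify "$1" >/dev/null 2>&1
}

# smb_conf_snippet: [global] lines to add to smb.conf. Paths are relative to
# Samba's private directory, so no leading slash.
smb_conf_snippet() {
    cat <<'EOF'
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile =
EOF
}

# demo: run everything against a throw-away directory.
demo() {
    d=$(mktemp -d)
    gen_selfsigned "$d" dc1.example.com 365
    key_matches_cert "$d/myKey.pem" "$d/myCert.pem" && echo "key matches cert"
    verify_without_anchor "$d/myCert.pem" || echo "plain verify fails (expected for self-signed)"
    verify_as_own_anchor "$d/myCert.pem" && echo "verify with -CAfile: OK"
    smb_conf_snippet
    rm -rf "$d"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    demo
fi
```

Run with RUN_DEMO=1 sh selfsigned.sh. On the client side the same file is what you hand to curl --cacert or to ldap.conf as TLS_CACERT, which is the proper alternative to TLS_REQCERT allow (the latter disables certificate checking altogether). Modern clients also expect the hostname in a subjectAltName; on OpenSSL 1.1.1 or newer you can add one with -addext "subjectAltName=DNS:dc1.example.com" on the openssl req line, but that flag does not exist in the 1.1.0f shipped with Debian 9.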
Sam C
Updated on September 18, 2022
Comments
-
Sam C over 1 year
I'm currently preparing a migration to Samba 4 at my office and facing issues in my lab network. I installed a Samba 4 AD DC on a Debian 9 server; so far it's working properly, I could join machines to the domain and access the Samba internal LDAP from external tools using unencrypted ldap://[IP] on port 389.
I'm now trying to configure LDAP access through SSL/TLS, following the instructions on this page:
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
Whether I'm using auto-generated self-signed certificates or creating a custom one, it always fails at the point of verifying the cert:
openssl verify -verbose cert.pem
[...]
error 18 at 0 depth lookup: self signed certificate
error cert.pem: verification failed
I checked private key:
# openssl rsa -check -in key.pem
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
I tried to check if private key and cert are corresponding:
# openssl x509 -noout -modulus -in cert.pem | openssl md5
(stdin)= ce3ca7afcfe6a02ded1ed83938954940
# openssl rsa -noout -modulus -in key.pem | openssl md5
(stdin)= ce3ca7afcfe6a02ded1ed83938954940
Here's the global section of my smb.conf file:
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
I also tried to move the auto-generated files from their original destination
/var/lib/samba/private/tls/
to
/etc/samba/tls/
and
/usr/local/samba/private/tls/
The curl command answers this:
# curl ldaps://host.domain.fr
curl: (60) SSL certificate problem: unable to get local issuer certificate
But I successfully connect with:
# curl --insecure ldaps://host.domain.fr
# curl --cacert /usr/local/samba/private/tls/ca.pem ldaps://host.domain.fr
Well, any advice about configuration or troubleshooting tips is warmly welcome!
-
krisFR over 6 years
I am not sure your actual absolute paths are valid, e.g. /tls/cert.pem. You should remove the extra / at the beginning, e.g. tls/cert.pem (for keyfile, certfile, cafile). Then put your cert files in /usr/local/samba/private/tls/
-
Sam C over 6 years
You're right. It didn't entirely solve the issue, but progress was made. I edited the post.
-
krisFR over 6 years
From what I see it is working now (your very last curl command). You need to import the CA certificate on the client; this is kind of what you do when you specify --cacert within your last curl command.
-