#1  2011-01-03 19:27:54

kuebk - User
Registered: 2010-11-27

[SOLVED] SSL/TLS certificates and OpenLDAP + problems.

I configured samba+ldap according to this: [url]http://stary.dug.net.pl/faq/faq-3-246-Samba___LDAP___Debian.php[/url].

Everything works nicely, but now I also wanted to add SSL/TLS, for which I used this guide: [url]http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html[/url].
Unfortunately I can't get this part working; what I did is:

/etc/default/slapd:

Code:

SLAPD_SERVICES="ldaps://127.0.0.1:636/"

/etc/ldap/slapd.conf:

Code:

TLSCACertificateFile /etc/ldap/cacert.pem
TLSCertificateFile /etc/ldap/servercrt.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem
#TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSVerifyClient demand

/etc/ldap/ldap.conf:

Code:

URI ldaps://127.0.0.1:636/
HOST localhost
PORT 636

TLS_CACERT /etc/ldap/cacert.pem
TLS_REQCERT demand

As for the above, the values for [i]TLSCipherSuite[/i] come from:

Code:

root@debian:~# gnutls-cli -l
Cipher suites:
TLS_ANON_DH_ARCFOUR_MD5                                 0x00, 0x18      SSL3.0
TLS_ANON_DH_3DES_EDE_CBC_SHA1                           0x00, 0x1b      SSL3.0
TLS_ANON_DH_AES_128_CBC_SHA1                            0x00, 0x34      SSL3.0
TLS_ANON_DH_AES_256_CBC_SHA1                            0x00, 0x3a      SSL3.0
TLS_ANON_DH_CAMELLIA_128_CBC_SHA1                       0x00, 0x46      TLS1.0
TLS_ANON_DH_CAMELLIA_256_CBC_SHA1                       0x00, 0x89      TLS1.0
TLS_PSK_SHA_ARCFOUR_SHA1                                0x00, 0x8a      TLS1.0
TLS_PSK_SHA_3DES_EDE_CBC_SHA1                           0x00, 0x8b      TLS1.0
TLS_PSK_SHA_AES_128_CBC_SHA1                            0x00, 0x8c      TLS1.0
TLS_PSK_SHA_AES_256_CBC_SHA1                            0x00, 0x8d      TLS1.0
TLS_DHE_PSK_SHA_ARCFOUR_SHA1                            0x00, 0x8e      TLS1.0
TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1                       0x00, 0x8f      TLS1.0
TLS_DHE_PSK_SHA_AES_128_CBC_SHA1                        0x00, 0x90      TLS1.0
TLS_DHE_PSK_SHA_AES_256_CBC_SHA1                        0x00, 0x91      TLS1.0
TLS_SRP_SHA_3DES_EDE_CBC_SHA1                           0xc0, 0x1a      TLS1.0
TLS_SRP_SHA_AES_128_CBC_SHA1                            0xc0, 0x1d      TLS1.0
TLS_SRP_SHA_AES_256_CBC_SHA1                            0xc0, 0x20      TLS1.0
TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1                       0xc0, 0x1c      TLS1.0
TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1                       0xc0, 0x1b      TLS1.0
TLS_SRP_SHA_DSS_AES_128_CBC_SHA1                        0xc0, 0x1f      TLS1.0
TLS_SRP_SHA_RSA_AES_128_CBC_SHA1                        0xc0, 0x1e      TLS1.0
TLS_SRP_SHA_DSS_AES_256_CBC_SHA1                        0xc0, 0x22      TLS1.0
TLS_SRP_SHA_RSA_AES_256_CBC_SHA1                        0xc0, 0x21      TLS1.0
TLS_DHE_DSS_ARCFOUR_SHA1                                0x00, 0x66      TLS1.0
TLS_DHE_DSS_3DES_EDE_CBC_SHA1                           0x00, 0x13      SSL3.0
TLS_DHE_DSS_AES_128_CBC_SHA1                            0x00, 0x32      SSL3.0
TLS_DHE_DSS_AES_256_CBC_SHA1                            0x00, 0x38      SSL3.0
TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1                       0x00, 0x44      TLS1.0
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1                       0x00, 0x87      TLS1.0
TLS_DHE_RSA_3DES_EDE_CBC_SHA1                           0x00, 0x16      SSL3.0
TLS_DHE_RSA_AES_128_CBC_SHA1                            0x00, 0x33      SSL3.0
TLS_DHE_RSA_AES_256_CBC_SHA1                            0x00, 0x39      SSL3.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1                       0x00, 0x45      TLS1.0
TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1                       0x00, 0x88      TLS1.0
TLS_RSA_NULL_MD5                                        0x00, 0x01      SSL3.0
TLS_RSA_EXPORT_ARCFOUR_40_MD5                           0x00, 0x03      SSL3.0
TLS_RSA_ARCFOUR_SHA1                                    0x00, 0x05      SSL3.0
TLS_RSA_ARCFOUR_MD5                                     0x00, 0x04      SSL3.0
TLS_RSA_3DES_EDE_CBC_SHA1                               0x00, 0x0a      SSL3.0
TLS_RSA_AES_128_CBC_SHA1                                0x00, 0x2f      SSL3.0
TLS_RSA_AES_256_CBC_SHA1                                0x00, 0x35      SSL3.0
TLS_RSA_CAMELLIA_128_CBC_SHA1                           0x00, 0x41      TLS1.0
TLS_RSA_CAMELLIA_256_CBC_SHA1                           0x00, 0x84      TLS1.0
Certificate types: X.509, OPENPGP
Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2
Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128, ARCFOUR-40, RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL
MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, NULL
Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP-DSS, SRP-RSA, SRP, PSK, DHE-PSK
Compression: DEFLATE, NULL

And worst of all, I have to use such long names; can this be specified more simply, so as to force only SSL3-based ciphers?

Now the problems:
1. When I set [i]TLSVerifyClient[/i] and [i]TLS_REQCERT[/i] to demand, I get this:

Code:

root@debian:~# openssl s_client -connect localhost:636 -state -CAfile /etc/ldap/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=PL/ST=x/O=Kubkomowa/CN=kubkomowa.pl/emailAddress=x@y.com
verify return:1
depth=0 /C=PL/ST=x/L=y/O=Kubkomowa/CN=test.kubkomowa.pl/emailAddress=x@y.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:failed in SSLv3 read finished A
3464:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

logs:

Code:

Jan  3 19:25:38 debian slapd[3460]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34183 (IP=127.0.0.1:636)
Jan  3 19:25:38 debian slapd[3460]: conn=1 fd=13 closed (TLS negotiation failure)

Without that, though, it works fine. From what I googled, I'm missing a client certificate, but I have no idea how to add/create it. :(

The next problem is:

Code:

root@debian:~# ldapsearch -x -b ="dc=test,dc=kubkomowa,dc=pl"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

or

Code:

root@debian:~# ldapsearch
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

I'd appreciate some hints, as I'm not very familiar with this.

Last edited by kuebk (2011-01-04 14:13:03)
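
The `gnutls-cli -l` table quoted in this post can be read mechanically instead of by hand. The script below is an added example, not code from the thread or from GnuTLS/OpenLDAP; it parses a constructed subset of the rows shown above (the regex assumes exactly that layout: name, two hex id bytes, protocol column) and flags the suites a defender would exclude from an LDAP channel that is supposed to be both encrypted and server-authenticated. The protocol column records the version in which a suite was first defined, not how strong it is, so "only SSL3.0 suites" is not a useful filter: `TLS_RSA_NULL_MD5` and the EXPORT/ANON/ARCFOUR suites all sit in that column.

```python
import re

# Constructed sample: a subset of the rows from the `gnutls-cli -l` listing in the post above
SAMPLE_LISTING = """\
Cipher suites:
TLS_ANON_DH_AES_128_CBC_SHA1                            0x00, 0x34      SSL3.0
TLS_PSK_SHA_AES_128_CBC_SHA1                            0x00, 0x8c      TLS1.0
TLS_DHE_RSA_AES_256_CBC_SHA1                            0x00, 0x39      SSL3.0
TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1                       0x00, 0x45      TLS1.0
TLS_RSA_NULL_MD5                                        0x00, 0x01      SSL3.0
TLS_RSA_EXPORT_ARCFOUR_40_MD5                           0x00, 0x03      SSL3.0
TLS_RSA_ARCFOUR_SHA1                                    0x00, 0x05      SSL3.0
TLS_RSA_AES_128_CBC_SHA1                                0x00, 0x2f      SSL3.0
Certificate types: X.509, OPENPGP
Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2
"""

# One table row: suite name, two hex id bytes, protocol version that introduced the suite
ROW_RE = re.compile(
    r"^(TLS_\S+)\s+0x([0-9a-fA-F]{2}),\s*0x([0-9a-fA-F]{2})\s+(SSL3\.0|TLS1\.\d)$"
)

# Properties that disqualify a suite for an authenticated, encrypted LDAP channel
WEAK_MARKERS = (
    ("_NULL_", "no encryption"),
    ("_EXPORT_", "export-grade key length"),
    ("ANON_DH", "anonymous key exchange, server is not authenticated"),
    ("ARCFOUR", "RC4 stream cipher"),
    ("_MD5", "MD5-based MAC"),
)
# Key exchanges that never use the server's X.509 certificate
NON_CERT_KX = ("_PSK_", "_SRP_", "ANON_DH")


def parse_suites(listing):
    """Parse the table into (name, (id_hi, id_lo), protocol); non-row lines are skipped."""
    suites = []
    for line in listing.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            name, hi, lo, proto = m.groups()
            suites.append((name, (int(hi, 16), int(lo, 16)), proto))
    return suites


def weaknesses(name):
    """Reasons a suite should be excluded; an empty list means no known weak property."""
    return [reason for marker, reason in WEAK_MARKERS if marker in name]


def uses_certificate(name):
    return not any(marker in name for marker in NON_CERT_KX)


def acceptable_suites(listing):
    """Names of suites that are certificate-based and carry none of the weak markers."""
    return [
        name for name, _id, _proto in parse_suites(listing)
        if uses_certificate(name) and not weaknesses(name)
    ]


def by_protocol(listing):
    """Group names by the protocol column: when the suite was defined, not its strength."""
    groups = {}
    for name, _id, proto in parse_suites(listing):
        groups.setdefault(proto, []).append(name)
    return groups


if __name__ == "__main__":
    for name, (hi, lo), proto in parse_suites(SAMPLE_LISTING):
        flags = weaknesses(name) or ([] if uses_certificate(name) else ["not certificate based"])
        print(f"{name:40s} 0x{hi:02x}{lo:02x} {proto:7s} {'; '.join(flags) or 'ok'}")
```

On the configuration side, slapd built against GnuTLS (the Debian build) takes a GnuTLS priority string in `TLSCipherSuite` rather than a list of suite names; slapd.conf(5) gives `SECURE256:!AES-128-CBC` as its GnuTLS example, so the long names from the listing are only needed when a single suite has to be added or removed.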


#2  2011-01-03 20:10:27

kamikaze - Administrator
Registered: 2004-04-16

Re: [SOLVED] SSL/TLS certificates and OpenLDAP + problems.

Paste the output of this command:

Code:

openssl x509 -noout -in /etc/ldap/servercrt.pem -issuer -subject -dates


#3  2011-01-03 20:14:34

kuebk - User
Registered: 2010-11-27

Re: [SOLVED] SSL/TLS certificates and OpenLDAP + problems.

Code:

root@debian:~# openssl x509 -noout -in /etc/ldap/servercrt.pem -issuer -subject -dates
issuer= /C=PL/ST=x/O=Kubkomowa/CN=kubkomowa.pl/emailAddress=x@y.com
subject= /C=PL/ST=x/L=y/O=Kubkomowa/CN=test.kubkomowa.pl/emailAddress=x@y.com
notBefore=Jan  3 15:34:55 2011 GMT
notAfter=Jan  3 15:34:55 2012 GMT


#4  2011-01-03 20:24:58

kamikaze - Administrator
Registered: 2004-04-16

Re: [SOLVED] SSL/TLS certificates and OpenLDAP + problems.

Actually, this could have been read from the first post. It seems to me you should configure the server to run on the same address as the issuer name in the certificate, i.e. kubkomowa.pl instead of 127.0.0.1. And connect to kubkomowa.pl; that name is compared with what is in the certificate during the SSL handshake. If it doesn't match, it can cause an error like the one you described. Try it.


#5  2011-01-03 20:53:24

kuebk - User
Registered: 2010-11-27

Re: [SOLVED] SSL/TLS certificates and OpenLDAP + problems.

OK, I did as you said:

/etc/default/slapd:

Code:

SLAPD_SERVICES="ldaps://test.kubkomowa.pl:636/"

/etc/ldap/ldap.conf:

Code:

URI ldaps://test.kubkomowa.pl:636/
HOST test.kubkomowa.pl

I also regenerated the certificates so that they are for [i]test.kubkomowa.pl[/i], and the problem is still the same:

Code:

root@debian:~/certs# openssl s_client -connect test.kubkomowa.pl:636 -state -CAfile /etc/ldap/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=PL/ST=Some-State/O=Kubkomowa/CN=test.kubkomowa.pl
verify return:1
depth=0 /C=PL/ST=Some-State/O=Kubkomowa/CN=test.kubkomowa.pl
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:failed in SSLv3 read finished A
3785:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Code:

root@debian:~/certs# openssl x509 -noout -in /etc/ldap/servercrt.pem -issuer -subject -dates
issuer= /C=PL/ST=Some-State/O=Kubkomowa/CN=test.kubkomowa.pl
subject= /C=PL/ST=Some-State/O=Kubkomowa/CN=test.kubkomowa.pl
notBefore=Jan  3 19:46:11 2011 GMT
notAfter=Jan  3 19:46:11 2012 GMT


#6  2011-01-03 21:17:55

kamikaze - Administrator
Registered: 2004-04-16

Re: [SOLVED] SSL/TLS certificates and OpenLDAP + problems.

Oh, I read something up (recommended). Do you want the connection to LDAP to be encrypted, or do you also want authentication with a certificate? Your configuration requires the client to provide a certificate, the "TLSVerifyClient demand" option, so when connecting with openssl you should supply it after the -cert option. The question is what your intention is: do you want only encrypted LDAP, or also certificate authentication?


#7  2011-01-03 21:30:31

kuebk - User
Registered: 2010-11-27

Re: [SOLVED] SSL/TLS certificates and OpenLDAP + problems.

Thanks, something moved, but not all the way, namely:

Code:

root@debian:~/certs# openssl s_client -connect test.kubkomowa.pl:636 -state -CAfile /etc/ldap/cacert.pem -key /etc/smbldap-tools/ldap.client.key.pem -cert /etc/smbldap-tools/ldap.client.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
verify return:1
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
---
Server certificate
-----BEGIN CERTIFICATE-----
blablabla
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
---
Acceptable client certificate CA names
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
---
SSL handshake has read 1132 bytes and written 1203 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 58E018390F16B3451D97EF409CCF348CD037356A4A9335BE3ACA60FEB83A9B4F
    Session-ID-ctx:
    Master-Key: 0CDC4508CBBCAE9006C3C00D3946D2CCCDB6472A56EE531F4727E1EA3FBF473FE6CB5E68200900109E64C5B11BC7088A
    Key-Arg   : None
    Start Time: 1294086367
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify

but in the logs I have:

Code:

Jan  3 21:26:07 debian slapd[4127]: conn=4 fd=13 ACCEPT from IP=192.168.180.129:52865 (IP=192.168.180.129:636)
Jan  3 21:26:07 debian slapd[4127]: conn=4 fd=13 closed (TLS negotiation failure)

I'm guessing the problem may be the CommonName given in the client certificates, but I don't know what to put there. :(

EDIT: As for the rest of your reply, I care about both encryption and authenticating individual clients.

Last edited by kuebk (2011-01-03 21:32:57)
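
The two `openssl s_client -state` transcripts in this thread (the failing one in the first post and the successful one just above) differ in a single step, and that step can be checked mechanically. The script below is an added example, not code from the thread or from OpenSSL; it parses constructed excerpts of both transcripts and assumes the line format of the s_client version shown here. What it keys on: the server's `read server certificate request` means a client certificate was asked for, and a following `write certificate verify` appears only when the client actually had a certificate and key to sign with. Without it the client sends an empty certificate message, which a server set to `TLSVerifyClient demand` answers by aborting, exactly as the `failed in SSLv3 read finished` line records. The CN comparison is separate, because s_client of that era verified the chain but did not compare the CN to the host it connected to.

```python
import re

# Constructed excerpt of the failing `openssl s_client -state` run from the first post
FAILED_TRACE = """\
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=PL/ST=x/O=Kubkomowa/CN=kubkomowa.pl/emailAddress=x@y.com
verify return:1
depth=0 /C=PL/ST=x/L=y/O=Kubkomowa/CN=test.kubkomowa.pl/emailAddress=x@y.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:failed in SSLv3 read finished A
3464:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
"""

# Constructed excerpt of the successful run above, where -cert and -key were supplied
OK_TRACE = """\
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
    Verify return code: 0 (ok)
"""

PROTO_PREFIX = re.compile(r"^(SSLv2/v3|SSLv3|TLSv1(?:\.\d)?) ")


def parse_trace(text):
    """Collect handshake states, the state the handshake died in, the presented chain,
    failed verify steps and the final verify code from an s_client -state transcript."""
    info = {"states": [], "failed_at": None, "chain": [], "verify_failed": [],
            "error": None, "verify_code": None}
    last_depth = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SSL_connect:"):
            state = line[len("SSL_connect:"):]
            failed = state.startswith("failed in ")
            if failed:
                state = state[len("failed in "):]
            # drop the protocol prefix and the trailing A/B step letter
            state = re.sub(r" [AB]$", "", PROTO_PREFIX.sub("", state))
            info["states"].append(state)
            if failed:
                info["failed_at"] = state
        elif line.startswith("depth="):
            depth, subject = line.split(" ", 1)
            last_depth = int(depth[len("depth="):])
            info["chain"].append((last_depth, subject))
        elif line.startswith("verify return:") and line.split(":")[1] != "1":
            info["verify_failed"].append(last_depth)
        elif ":error:" in line:
            info["error"] = line
        elif line.startswith("Verify return code:"):
            info["verify_code"] = int(re.search(r"code: (\d+)", line).group(1))
    return info


def cn_of(subject):
    m = re.search(r"/CN=([^/]+)", subject)
    return m.group(1) if m else None


def diagnose(text, expected_host):
    """Turn a transcript into findings a defender can act on."""
    t = parse_trace(text)
    findings = []
    if "read server certificate request" in t["states"]:
        findings.append("server asked for a client certificate (TLSVerifyClient is try/demand)")
        if "write certificate verify" not in t["states"]:
            findings.append("client sent an empty certificate message, so no CertificateVerify "
                            "followed; a server set to 'demand' aborts here")
    leaf = [s for d, s in t["chain"] if d == 0]
    if leaf and cn_of(leaf[0]) != expected_host:
        findings.append(f"leaf CN {cn_of(leaf[0])!r} is not the host connected to "
                        f"({expected_host!r}); s_client of this era does not check that itself")
    for d in t["verify_failed"]:
        findings.append(f"chain verification failed at depth {d}")
    if t["failed_at"]:
        findings.append(f"handshake aborted in state '{t['failed_at']}'"
                        + (f" ({t['error']})" if t["error"] else ""))
    elif t["verify_code"] == 0:
        findings.append("handshake completed and the chain verified")
    return findings


if __name__ == "__main__":
    for label, trace, host in (("failed", FAILED_TRACE, "localhost"),
                               ("ok", OK_TRACE, "test.kubkomowa.pl")):
        print(label)
        for finding in diagnose(trace, host):
            print("  -", finding)
```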


#8  2011-01-03 22:26:03

kamikaze - Administrator
Registered: 2004-04-16

Re: [SOLVED] SSL/TLS certificates and OpenLDAP + problems.

[quote=kuebk]EDIT: As for the rest of your reply, I care about both encryption and authenticating individual clients.[/quote]
Authentication, sure, but the question is whether you really want to do it with certificates. You could use other mechanisms, e.g. the simplest, login/password. Two things need to be distinguished: encrypting the connection and authentication. Encrypting the connection requires a certificate on the server because you are using SSL/TLS, but it does not necessarily mean you have to use a client certificate for authentication. There are other ways; best read: http://www.openldap.org/doc/admin24/security.html , http://www.openldap.org/doc/admin24/tls.html . I don't really have much experience with LDAP, but it's probably the same as with a WWW server, SMTP, etc., where you can have SSL/TLS-encrypted connections while authentication is most often done with a login/password pair. Requiring a client certificate for authentication is used less often. Better read the documentation in full and you'll know everything; I don't quite have the time for it ;]


#9  2011-01-04 01:11:29

kuebk - User
Registered: 2010-11-27

Re: [SOLVED] SSL/TLS certificates and OpenLDAP + problems.

I gave up on client authentication with certificates; I've almost got everything done, but I still have a few problems: samba stubbornly tries to do StartTLS when it has already been done.

Code:

[2011/01/04 01:50:45.408459,  3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
  [ 3013]: list trusted domains
[2011/01/04 01:50:45.415006,  0] lib/smbldap.c:731(smb_ldap_start_tls)
  Failed to issue the StartTLS instruction: Operations error
[2011/01/04 01:50:45.415030,  1] lib/smbldap.c:1330(another_ldap_try)
  Connection to LDAP server failed for the 1 try!
[2011/01/04 01:50:46.415748,  3] winbindd/winbindd_misc.c:166(winbindd_dual_list_trusted_domains)
  winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL
[2011/01/04 01:50:46.415840,  1] winbindd/winbindd_util.c:289(trustdom_recv)
  Could not receive trustdoms
[2011/01/04 01:55:45.408690,  3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
  [ 3013]: list trusted domains
[2011/01/04 01:55:45.415181,  0] lib/smbldap.c:731(smb_ldap_start_tls)
  Failed to issue the StartTLS instruction: Operations error
[2011/01/04 01:55:45.415196,  1] lib/smbldap.c:1330(another_ldap_try)
  Connection to LDAP server failed for the 1 try!
[2011/01/04 01:55:46.415999,  3] winbindd/winbindd_misc.c:166(winbindd_dual_list_trusted_domains)
  winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL
[2011/01/04 01:55:46.416086,  1] winbindd/winbindd_util.c:289(trustdom_recv)
  Could not receive trustdoms
[2011/01/04 02:00:45.412059,  3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
  [ 3013]: list trusted domains
[2011/01/04 02:00:45.418513,  0] lib/smbldap.c:731(smb_ldap_start_tls)
  Failed to issue the StartTLS instruction: Operations error
[2011/01/04 02:00:45.418528,  1] lib/smbldap.c:1330(another_ldap_try)
  Connection to LDAP server failed for the 1 try!
[2011/01/04 02:00:46.419439,  3] winbindd/winbindd_misc.c:166(winbindd_dual_list_trusted_domains)
  winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL
[2011/01/04 02:00:46.419530,  1] winbindd/winbindd_util.c:289(trustdom_recv)
  Could not receive trustdoms
[2011/01/04 02:05:45.412294,  3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
  [ 3013]: list trusted domains
[2011/01/04 02:05:45.419047,  0] lib/smbldap.c:731(smb_ldap_start_tls)
  Failed to issue the StartTLS instruction: Operations error
[2011/01/04 02:05:45.419091,  1] lib/smbldap.c:1330(another_ldap_try)
  Connection to LDAP server failed for the 1 try!
[2011/01/04 02:05:46.419608,  3] winbindd/winbindd_misc.c:166(winbindd_dual_list_trusted_domains)
  winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL
[2011/01/04 02:05:46.419693,  1] winbindd/winbindd_util.c:289(trustdom_recv)
  Could not receive trustdoms

In the slapd logs it looks like this:

Code:

Jan  4 01:08:33 debian slapd[3539]: conn=9 fd=17 ACCEPT from IP=192.168.180.129:35624 (IP=192.168.180.129:636)
Jan  4 01:08:33 debian slapd[3539]: conn=9 fd=17 TLS established tls_ssf=128 ssf=128
Jan  4 01:08:33 debian slapd[3539]: conn=9 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan  4 01:08:33 debian slapd[3539]: conn=9 op=0 STARTTLS
Jan  4 01:08:33 debian slapd[3539]: conn=9 op=0 RESULT oid= err=1 text=TLS already started
Jan  4 01:08:34 debian slapd[3539]: conn=9 op=1 SRCH base="dc=test,dc=kubkomowa,dc=pl" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=0))"
Jan  4 01:08:34 debian slapd[3539]: conn=9 op=1 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Jan  4 01:08:34 debian slapd[3539]: conn=9 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required

It looks like samba tries to initiate TLS even though it already is, which results in err=1 and then err=53.

Last edited by kuebk (2011-01-04 02:07:54)
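
The slapd log lines quoted in this post and in the first one can be correlated per connection, which makes the sequence described above (TLS already up on the ldaps:// port, then a StartTLS extended operation answered with err=1, then a search refused with err=53) stand out without reading the log by eye. The script below is an added example, not code from the thread or from OpenLDAP; it runs over constructed lines copied from the posts above and assumes the syslog format they show (`conn=N ... ACCEPT`, `TLS established`, `RESULT ... err=N text=...`).

```python
import re

# Constructed sample: slapd syslog lines copied from this and the first post, plus one
# index warning that carries no conn= field
SAMPLE_SLAPD_LOG = """\
Jan  3 19:25:38 debian slapd[3460]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34183 (IP=127.0.0.1:636)
Jan  3 19:25:38 debian slapd[3460]: conn=1 fd=13 closed (TLS negotiation failure)
Jan  4 01:08:33 debian slapd[3539]: conn=9 fd=17 ACCEPT from IP=192.168.180.129:35624 (IP=192.168.180.129:636)
Jan  4 01:08:33 debian slapd[3539]: conn=9 fd=17 TLS established tls_ssf=128 ssf=128
Jan  4 01:08:33 debian slapd[3539]: conn=9 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan  4 01:08:33 debian slapd[3539]: conn=9 op=0 STARTTLS
Jan  4 01:08:33 debian slapd[3539]: conn=9 op=0 RESULT oid= err=1 text=TLS already started
Jan  4 01:08:34 debian slapd[3539]: conn=9 op=1 SRCH base="dc=test,dc=kubkomowa,dc=pl" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=0))"
Jan  4 01:08:34 debian slapd[3539]: <= bdb_equality_candidates: (gidNumber) not indexed
Jan  4 01:08:34 debian slapd[3539]: conn=9 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
Jan  4 01:08:35 debian slapd[3539]: conn=9 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
RESULT_RE = re.compile(r"RESULT .*?err=(\d+)(?: nentries=\d+)? text=(.*)$")


def analyze(log_text):
    """Walk the log once, keeping per-connection TLS state, and return (conn, finding) pairs."""
    findings = []
    tls_up, peer = {}, {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # lines without conn= (index warnings etc.) carry no per-connection state
        conn, rest = int(m.group(1)), m.group(2)
        if "ACCEPT from" in rest:
            peer[conn] = re.search(r"from IP=(\S+)", rest).group(1)
            tls_up[conn] = False
        elif "TLS established" in rest:
            tls_up[conn] = True  # implicit TLS on the ldaps:// port, or a completed StartTLS
        elif rest.endswith(" STARTTLS"):
            if tls_up.get(conn):
                findings.append((conn, "StartTLS requested on a connection that is already TLS "
                                       "(client configured for both ldaps:// and StartTLS)"))
        elif "closed (TLS negotiation failure)" in rest:
            findings.append((conn, f"TLS handshake with {peer.get(conn, '?')} failed before any "
                                   "LDAP operation (server cert/key, CA trust, or a demanded "
                                   "client certificate that was not presented)"))
        else:
            r = RESULT_RE.search(rest)
            if r and r.group(1) != "0":
                msg = f"operation failed: err={r.group(1)} {r.group(2)}".rstrip()
                if r.group(1) == "53" and "authentication required" in r.group(2):
                    msg += " (slapd requires an authenticated bind; this request came in unbound)"
                findings.append((conn, msg))
    return findings


def by_connection(log_text):
    """Same findings keyed by connection id, for reporting."""
    grouped = {}
    for conn, msg in analyze(log_text):
        grouped.setdefault(conn, []).append(msg)
    return grouped


if __name__ == "__main__":
    for conn, msgs in sorted(by_connection(SAMPLE_SLAPD_LOG).items()):
        print(f"conn={conn}")
        for msg in msgs:
            print("  -", msg)
```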


#10  2011-01-04 09:32:37

kamikaze - Administrator
Registered: 2004-04-16

Re: [SOLVED] SSL/TLS certificates and OpenLDAP + problems.

Have you set up authentication for samba's connection to LDAP?


#11  2011-01-04 09:54:33

kuebk - User
Registered: 2010-11-27

Re: [SOLVED] SSL/TLS certificates and OpenLDAP + problems.

It seems to me everything is set correctly, all the more so since it's only winbind that's complaining.

Code:

[global]
    workgroup = ELOSZKA
    netbios name = CZUPAKABRA
    server string = Samba PDC
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_SNDBUF=8192 SO_RCVBUF=8192

    os level = 65
    preferred master = yes
    local master = yes
    domain master = yes
    domain logons = yes

    security = user
    guest ok = no
    encrypt passwords = yes
    null passwords = no

    hosts allow = 127.0.0.1 192.168.1.0/24 192.168.180.0/24
    wins support = yes
    name resolve order = wins lmhosts host bcast
    dns proxy = no

    log file = /var/log/smb/log.%m
    log level = 3
    syslog = 0
    max log size = 1024
    ;hide unreadable = yes
    ;hide dot files = yes


    passdb backend = ldapsam:ldaps://test.kubkomowa.pl:636
    ldap suffix = dc=test,dc=kubkomowa,dc=pl
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=admin,dc=test,dc=kubkomowa,dc=pl
    enable privileges = yes

    logon home = \\%L\%U
    logon path = \\%L\profiles
    logon drive = Z:
    logon script = logon.cmd

    time server = yes

    ldap ssl = no
    ldap passwd sync = yes
    ldap delete dn = yes
    passwd program = /usr/sbin/smbldap-passwd %u
    passwd chat = *New*password* %nn *Retype*new*password* %nn *all*authentication*tokens*updated*
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

    unix charset = ISO8859-2
    dos charset = CP852

    idmap backend = ldap:"ldaps://test.kubkomowa.pl:636"
    idmap alloc backend = ldap:"ldaps://test.kubkomowa.pl:636"
    idmap uid = 10000 - 20000
    idmap gid = 10000 - 20000

Although when I now do this:

Code:

debian:~# wbinfo -i test8
test8:*:3009:512:test8:/home/ELOSZKA/test8:/bin/false

then, judging by the logs, the problem stopped occurring overnight:

Code:

[2011/01/04 10:47:39.020394,  3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
  [ 3015]: list trusted domains
[2011/01/04 10:47:39.177549,  3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [ 3673]: request interface version
[2011/01/04 10:47:39.177616,  3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [ 3673]: request location of privileged pipe
[2011/01/04 10:47:39.177699,  3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam test8
[2011/01/04 10:47:39.178596,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: test8
[2011/01/04 10:47:39.180168,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: test8

Code:

Jan  4 10:47:39 debian slapd[2706]: conn=4 op=24 SRCH base="sambaDomainName=ELOSZKA,dc=test,dc=kubkomowa,dc=pl" scope=2 deref=0 filter="(objectClass=sambaTrustedDomainPassword)"
Jan  4 10:47:39 debian slapd[2706]: conn=4 op=24 SRCH attr=sambaDomainName sambaSID
Jan  4 10:47:39 debian slapd[2706]: conn=4 op=24 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan  4 10:47:39 debian slapd[2706]: conn=4 op=25 SRCH base="dc=test,dc=kubkomowa,dc=pl" scope=2 deref=0 filter="(&(uid=test8)(objectClass=sambaSamAccount))"
Jan  4 10:47:39 debian slapd[2706]: conn=4 op=25 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
Jan  4 10:47:39 debian slapd[2706]: <= bdb_equality_candidates: (uid) not indexed
Jan  4 10:47:39 debian slapd[2706]: conn=4 op=25 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  4 10:47:39 debian slapd[2706]: conn=4 op=26 SRCH base="sambaDomainName=ELOSZKA,dc=test,dc=kubkomowa,dc=pl" scope=0 deref=0 filter="(objectClass=sambaDomain)"
Jan  4 10:47:39 debian slapd[2706]: conn=4 op=26 SRCH attr=sambaPwdHistoryLength
Jan  4 10:47:39 debian slapd[2706]: conn=4 op=26 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  4 10:47:39 debian slapd[2706]: conn=4 op=27 SRCH base="sambaDomainName=ELOSZKA,dc=test,dc=kubkomowa,dc=pl" scope=0 deref=0 filter="(objectClass=sambaDomain)"
Jan  4 10:47:39 debian slapd[2706]: conn=4 op=27 SRCH attr=sambaMaxPwdAge
Jan  4 10:47:39 debian slapd[2706]: conn=4 op=27 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  4 10:47:39 debian slapd[2706]: conn=4 op=28 SRCH base="dc=test,dc=kubkomowa,dc=pl" scope=2 deref=0 filter="(&(sambaSID=s-1-5-21-2559545835-4069677334-2214471925-7018)(objectClass=sambaSamAccount))"
Jan  4 10:47:39 debian slapd[2706]: conn=4 op=28 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
Jan  4 10:47:39 debian slapd[2706]: <= bdb_equality_candidates: (sambaSID) not indexed
Jan  4 10:47:39 debian slapd[2706]: conn=4 op=28 SEARCH RESULT tag=101 err=0 nentries=1 text=

However, I don't know whether I can reproduce the error from the previous post this way.

Last edited by kuebk (2011-01-04 10:50:16)


#12  2011-01-04 11:13:37

kamikaze - Administrator
Registered: 2004-04-16

Re: [SOLVED] SSL/TLS certificates and OpenLDAP + problems.

So everything works now? If so, on to the next problem ;]


#13  2011-01-04 14:12:32

kuebk - User
Registered: 2010-11-27

Re: [SOLVED] SSL/TLS certificates and OpenLDAP + problems.

Well, it looks like it does, except that I don't know why the last problem occurred or why it fixed itself.
I have the impression that restarting the machine sometimes does more than restarting samba.

Thank you very much for the help. :)

For good measure I made one more change in smb.conf;
it was:

Code:

    idmap backend = ldap:"ldaps://test.kubkomowa.pl:636"
    idmap alloc backend = ldap:"ldaps://test.kubkomowa.pl:636"
    idmap uid = 10000 - 20000
    idmap gid = 10000 - 20000

now it is:

Code:

    idmap config ELOSZKA: default = yes
    idmap config ELOSZKA: readonly = no
    idmap config ELOSZKA: backend = ldap
    idmap config ELOSZKA: ldap_url = ldaps://test.kubkomowa.pl
    idmap config ELOSZKA: ldap_base_dn = ou=Idmap,dc=test,dc=kubkomowa,dc=pl
    idmap config ELOSZKA: ldap_user_dn = cn=admin,dc=test,dc=kubkomowa,dc=pl
    idmap config ELOSZKA: range = 10000 - 20000

    idmap alloc backend = ldap
    idmap alloc config: ldap_url = ldaps://test.kubkomowa.pl
    idmap alloc config: ldap_base_dn = ou=Idmap,dc=test,dc=kubkomowa,dc=pl
    idmap alloc config: ldap_user_dn = cn=admin,dc=test,dc=kubkomowa,dc=pl

With the previous version of the idmap configuration, for some reason it first wanted to connect to a backend in the form of passdb rather than ldap.

Last edited by kuebk (2011-01-04 18:32:15)


#14  2011-01-07 01:38:57

kuebk - User
Registered: 2010-11-27

Re: [SOLVED] SSL/TLS certificates and OpenLDAP + problems.

I'm still having a hell of a time with this winbind,
logs:

Code:

==> log.winbindd-idmap <==
[2011/01/07 01:34:22.803153,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/07 01:34:22.803181,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/07 01:34:22.803197,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/07 01:34:22.803213,  3] winbindd/idmap.c:359(idmap_init_default_domain)
  idmap_init: using 'tdb' as remote backend
[2011/01/07 01:34:22.803230,  3] winbindd/idmap_tdb.c:618(idmap_tdb_db_init)
  Warning: 'idmap uid' not set!
[2011/01/07 01:34:22.803245,  3] winbindd/idmap_tdb.c:632(idmap_tdb_db_init)
  Warning: 'idmap gid' not set!
[2011/01/07 01:34:22.803260,  1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
  idmap uid missing
[2011/01/07 01:34:22.803304,  0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
  Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration
[2011/01/07 01:34:22.803326,  1] winbindd/idmap.c:321(idmap_init_domain)
  idmap initialization returned NT_STATUS_UNSUCCESSFUL
[2011/01/07 01:34:22.804319,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/07 01:34:22.804340,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/07 01:34:22.804356,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/07 01:34:22.804372,  3] winbindd/idmap.c:359(idmap_init_default_domain)
  idmap_init: using 'tdb' as remote backend
[2011/01/07 01:34:22.804387,  3] winbindd/idmap_tdb.c:618(idmap_tdb_db_init)
  Warning: 'idmap uid' not set!
[2011/01/07 01:34:22.804402,  3] winbindd/idmap_tdb.c:632(idmap_tdb_db_init)
  Warning: 'idmap gid' not set!
[2011/01/07 01:34:22.804417,  1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
  idmap uid missing
[2011/01/07 01:34:22.804451,  0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
  Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration
[2011/01/07 01:34:22.804472,  1] winbindd/idmap.c:321(idmap_init_domain)
  idmap initialization returned NT_STATUS_UNSUCCESSFUL
[2011/01/07 01:34:22.804489,  3] winbindd/idmap.c:670(idmap_new_mapping)
  no default domain, no place to write
[2011/01/07 01:34:22.805627,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/07 01:34:22.805648,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/07 01:34:22.805664,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/07 01:34:22.805681,  1] winbindd/idmap_ldap.c:268(idmap_ldap_alloc_init)
  idmap uid or idmap gid missing
[2011/01/07 01:34:22.805697,  0] winbindd/idmap.c:589(idmap_alloc_init)
  ERROR: Initialization failed for alloc backend, deferred!
[2011/01/07 01:34:22.808602,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/07 01:34:22.808624,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/07 01:34:22.808639,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/07 01:34:22.808655,  3] winbindd/idmap.c:359(idmap_init_default_domain)
  idmap_init: using 'tdb' as remote backend
[2011/01/07 01:34:22.808671,  3] winbindd/idmap_tdb.c:618(idmap_tdb_db_init)
  Warning: 'idmap uid' not set!
[2011/01/07 01:34:22.808685,  3] winbindd/idmap_tdb.c:632(idmap_tdb_db_init)
  Warning: 'idmap gid' not set!
[2011/01/07 01:34:22.808699,  1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
  idmap uid missing
[2011/01/07 01:34:22.808735,  0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
  Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration
[2011/01/07 01:34:22.808757,  1] winbindd/idmap.c:321(idmap_init_domain)
  idmap initialization returned NT_STATUS_UNSUCCESSFUL
[2011/01/07 01:34:22.809980,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/07 01:34:22.809998,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/07 01:34:22.810015,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/07 01:34:22.810033,  1] winbindd/idmap_ldap.c:268(idmap_ldap_alloc_init)
  idmap uid or idmap gid missing
[2011/01/07 01:34:22.810048,  0] winbindd/idmap.c:589(idmap_alloc_init)
  ERROR: Initialization failed for alloc backend, deferred!
[2011/01/07 01:34:22.811787,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2011/01/07 01:34:22.811813,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2011/01/07 01:34:22.811830,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2011/01/07 01:34:22.811845,  3] winbindd/idmap.c:359(idmap_init_default_domain)
  idmap_init: using 'tdb' as remote backend
[2011/01/07 01:34:22.811862,  3] winbindd/idmap_tdb.c:618(idmap_tdb_db_init)
  Warning: 'idmap uid' not set!
[2011/01/07 01:34:22.811880,  3] winbindd/idmap_tdb.c:632(idmap_tdb_db_init)
  Warning: 'idmap gid' not set!
[2011/01/07 01:34:22.811895,  1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
  idmap uid missing
[2011/01/07 01:34:22.811931,  0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
  Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration
[2011/01/07 01:34:22.811953,  1] winbindd/idmap.c:321(idmap_init_domain)
  idmap initialization returned NT_STATUS_UNSUCCESSFUL
[2011/01/07 01:34:22.811970,  3] winbindd/idmap.c:670(idmap_new_mapping)
  no default domain, no place to write

smb.conf:

Code:

    idmap uid = 10000 - 20000
    idmap gid = 10000 - 20000

    idmap config ELOSZKA: default = yes
    idmap config ELOSZKA: readonly = no
    idmap config ELOSZKA: backend = ldap
    idmap config ELOSZKA: ldap_url = ldaps://ldap.test.kubkomowa.pl
    idmap config ELOSZKA: ldap_base_dn = ou=Idmap,dc=ldap,dc=test,dc=kubkomowa,dc=pl
    idmap config ELOSZKA: ldap_user_dn = cn=admin,dc=ldap,dc=test,dc=kubkomowa,dc=pl
    idmap config ELOSZKA: range = 10000 - 20000

    idmap alloc backend = ldap
    idmap alloc config: ldap_url = ldaps://ldap.test.kubkomowa.pl
    idmap alloc config: ldap_base_dn = ou=Idmap,dc=ldap,dc=test,dc=kubkomowa,dc=pl
    idmap alloc config: ldap_user_dn = cn=admin,dc=ldap,dc=test,dc=kubkomowa,dc=pl
    idmap alloc config: range = 10000 - 20000

I don't understand why it complains about the idmap uid and idmap gid parameters when they are set.
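
The smb.conf fragments posted in this thread touch two things worth checking before restarting winbindd yet again: the LDAP transport settings (the `ldaps://` URLs against `ldap ssl`, which is what produced the "TLS already started" lines in post #9) and the idmap ranges that the log above reports as missing. The lint below is an added example, not code from the thread or from Samba. It assumes the Samba 3 smb.conf syntax shown here (including the `idmap config DOMAIN: key` form and the older `idmap backend = ldap:"URL"` form) and takes `start tls` as the default of `ldap ssl`, as Samba 3's smb.conf(5) documents. The sample config is constructed from the fragments above with `ldap ssl = start tls` set on purpose and the global `idmap uid`/`idmap gid` lines left out, so that it trips the checks the thread's logs complain about.

```python
import re

# Constructed sample based on the [global] fragments posted in this thread, with
# "ldap ssl" deliberately set to "start tls" and the global idmap ranges left out
SAMPLE_SMB_CONF = """\
[global]
    workgroup = ELOSZKA
    passdb backend = ldapsam:ldaps://test.kubkomowa.pl:636
    ldap admin dn = cn=admin,dc=test,dc=kubkomowa,dc=pl
    ldap ssl = start tls
    ;hide dot files = yes

    idmap config ELOSZKA: default = yes
    idmap config ELOSZKA: backend = ldap
    idmap config ELOSZKA: ldap_url = ldaps://test.kubkomowa.pl
    idmap config ELOSZKA: range = 10000 - 20000

    idmap alloc backend = ldap
    idmap alloc config: ldap_url = ldaps://test.kubkomowa.pl
"""


def norm_key(key):
    """Samba parameter names are case- and whitespace-insensitive;
    'idmap config ELOSZKA: range' becomes 'idmap config eloszka:range'."""
    key = re.sub(r"\s+", " ", key.strip().lower())
    return re.sub(r"\s*:\s*", ":", key)


def parse_smb_conf(text):
    """Minimal smb.conf reader: section -> {normalised key: raw value}.
    Lines before any [section] header count as [global]."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)  # split on the first '=' only: DNs contain '='
        conf.setdefault(section, {})[norm_key(key)] = value.strip()
    return conf


def ldap_urls(g):
    """Every LDAP URL the passdb and idmap settings point smbd/winbindd at."""
    urls = []
    backend = g.get("passdb backend", "")
    if backend.startswith("ldapsam:"):
        urls.append(backend[len("ldapsam:"):].strip('"'))
    for key, value in g.items():
        if key.endswith(":ldap_url"):
            urls.append(value.strip('"'))
        elif key in ("idmap backend", "idmap alloc backend") and value.startswith("ldap:"):
            urls.append(value[len("ldap:"):].strip('"'))
    return urls


def parse_range(value):
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def lint(conf):
    g = conf.get("global", {})
    issues = []
    urls = ldap_urls(g)
    # "start tls" is the documented Samba 3 default for "ldap ssl"; "start_tls" is accepted too
    ssl_mode = g.get("ldap ssl", "start tls").lower().replace("_", " ")
    if ssl_mode == "start tls" and any(u.startswith("ldaps://") for u in urls):
        issues.append("ldaps:// URL combined with 'ldap ssl = start tls': Samba sends StartTLS on a "
                      "session that is already TLS, which slapd rejects with err=1 'TLS already started'")
    if ssl_mode in ("no", "off") and any(u.startswith("ldap://") for u in urls):
        issues.append("ldap:// URL with TLS disabled: the ldap admin dn password and account "
                      "hashes cross the network in cleartext")
    ranges = {}
    for key in g:
        m = re.fullmatch(r"idmap config (\S+):backend", key)
        if m:
            dom = m.group(1)
            rng = parse_range(g.get(f"idmap config {dom}:range", ""))
            if rng is None:
                issues.append(f"idmap domain {dom}: backend set but no valid 'range'")
            elif rng[0] >= rng[1]:
                issues.append(f"idmap domain {dom}: range low >= high")
            else:
                ranges[dom] = rng
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                issues.append(f"idmap ranges of {a} and {b} overlap")
    if "idmap alloc backend" in g and parse_range(g.get("idmap alloc config:range", "")) is None:
        issues.append("'idmap alloc backend' set without a valid 'idmap alloc config: range'")
    for key in ("idmap uid", "idmap gid"):
        if parse_range(g.get(key, "")) is None:
            issues.append(f"global '{key}' not set; winbindd's default tdb backend and the "
                          "idmap_ldap alloc init both report it as missing")
    return issues


if __name__ == "__main__":
    for issue in lint(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("-", issue)
```

The parser normalises keys the way Samba does (case and whitespace are not significant), so `idmap config ELOSZKA : range` and `idmap config eloszka:range` are the same parameter; the range overlap check only compares domain ranges with each other, because in Samba 3 the default domain's range legitimately coincides with `idmap uid`/`idmap gid`.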
