Nie jesteś zalogowany.
Jeśli nie posiadasz konta, zarejestruj je już teraz! Pozwoli Ci ono w pełni korzystać z naszego serwisu. Spamerom dziękujemy!
Ogłoszenie
Prosimy o pomoc dla małej Julki — przekaż 1% podatku na Fundacji Dzieciom zdazyć z Pomocą.
Więcej informacji na dug.net.pl/pomagamy/.
Strony: 1
- Forum Debian Users Gang
- » Sieci i serwery
- » [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
#1 2011-01-03 19:27:54
kuebk - 
Użytkownik
- kuebk
- Użytkownik
- Zarejestrowany: 2010-11-27
[SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
Skonfigurowalem sambe+ldapa wg tego: [url]http://stary.dug.net.pl/faq/faq-3-246-Samba___LDAP___Debian.php[/url].
Wszystko dziala elegancko, tylko teraz chcialem jeszcze dorzucic SSL/TSL, do osiagniecia czego skorzystalem z tego poradnika: [url]http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html[/url].
Tego niestety juz nie potrafie ogarnac, a zrobilem tak:
/etc/default/slapd:
Kod:
SLAPD_SERVICES="ldaps://127.0.0.1:636/
/etc/ldap/slapd.conf:
Kod:
TLSCACertificateFile /etc/ldap/cacert.pem TLSCerificateFile /etc/ldap/servercrt.pem TLSCertificateKeyFile /etc/ldap/serverkey.pem #TLSCipherSuite HIGH:MEDIUM:-SSLv2 TLSVerifyClient demand
/etc/ldap/ldap.conf:
Kod:
URI ldaps://127.0.0.1:636/ HOST localhost PORT 636 TLS_CACERT /etc/ldap/cacert.pem TLS_REQCERT demand
Co do powyzszego to do [i]TLSCipherSuite[/i] pochodza mi wartosci z:
Kod:
root@debian:~# gnutls-cli -l Cipher suites: TLS_ANON_DH_ARCFOUR_MD5 0x00, 0x18 SSL3.0 TLS_ANON_DH_3DES_EDE_CBC_SHA1 0x00, 0x1b SSL3.0 TLS_ANON_DH_AES_128_CBC_SHA1 0x00, 0x34 SSL3.0 TLS_ANON_DH_AES_256_CBC_SHA1 0x00, 0x3a SSL3.0 TLS_ANON_DH_CAMELLIA_128_CBC_SHA1 0x00, 0x46 TLS1.0 TLS_ANON_DH_CAMELLIA_256_CBC_SHA1 0x00, 0x89 TLS1.0 TLS_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8a TLS1.0 TLS_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8b TLS1.0 TLS_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x8c TLS1.0 TLS_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x8d TLS1.0 TLS_DHE_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8e TLS1.0 TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8f TLS1.0 TLS_DHE_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x90 TLS1.0 TLS_DHE_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x91 TLS1.0 TLS_SRP_SHA_3DES_EDE_CBC_SHA1 0xc0, 0x1a TLS1.0 TLS_SRP_SHA_AES_128_CBC_SHA1 0xc0, 0x1d TLS1.0 TLS_SRP_SHA_AES_256_CBC_SHA1 0xc0, 0x20 TLS1.0 TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 0xc0, 0x1c TLS1.0 TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x1b TLS1.0 TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 0xc0, 0x1f TLS1.0 TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 0xc0, 0x1e TLS1.0 TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 0xc0, 0x22 TLS1.0 TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 0xc0, 0x21 TLS1.0 TLS_DHE_DSS_ARCFOUR_SHA1 0x00, 0x66 TLS1.0 TLS_DHE_DSS_3DES_EDE_CBC_SHA1 0x00, 0x13 SSL3.0 TLS_DHE_DSS_AES_128_CBC_SHA1 0x00, 0x32 SSL3.0 TLS_DHE_DSS_AES_256_CBC_SHA1 0x00, 0x38 SSL3.0 TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 0x00, 0x44 TLS1.0 TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 0x00, 0x87 TLS1.0 TLS_DHE_RSA_3DES_EDE_CBC_SHA1 0x00, 0x16 SSL3.0 TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 SSL3.0 TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 SSL3.0 TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x45 TLS1.0 TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x88 TLS1.0 TLS_RSA_NULL_MD5 0x00, 0x01 SSL3.0 TLS_RSA_EXPORT_ARCFOUR_40_MD5 0x00, 0x03 SSL3.0 TLS_RSA_ARCFOUR_SHA1 0x00, 0x05 SSL3.0 TLS_RSA_ARCFOUR_MD5 0x00, 0x04 SSL3.0 TLS_RSA_3DES_EDE_CBC_SHA1 0x00, 0x0a SSL3.0 TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f SSL3.0 TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0 TLS_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x41 TLS1.0 TLS_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x84 TLS1.0 Certificate types: X.509, OPENPGP Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2 Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128, ARCFOUR-40, RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, NULL Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP-DSS, SRP-RSA, SRP, PSK, DHE-PSK Compression: DEFLATE, NULL
I co najgorsze musze podawac takimi dlugimi nazwami, da sie to podac jakos prosciej tak zeby wymusic tylko szyfrowania bazujace na SSL3?
Teraz problemu:
1. Jak ustawie [i]TLSVerifyCert[/i] i [i]TLS_REQCERT[/i] na demand to mam cos takiego:
Kod:
root@debian:~# openssl s_client -connect localhost:636 -state -CAfile /etc/ldap/cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=1 /C=PL/ST=x/O=Kubkomowa/CN=kubkomowa.pl/emailAddress=x@y.com verify return:1 depth=0 /C=PL/ST=x/L=y/O=Kubkomowa/CN=test.kubkomowa.pl/emailAddress=x@y.com verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:failed in SSLv3 read finished A 3464:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
logi:
Kod:
Jan 3 19:25:38 debian slapd[3460]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34183 (IP=127.0.0.1:636) Jan 3 19:25:38 debian slapd[3460]: conn=1 fd=13 closed (TLS negotiation failure)
Natomiast bez tego dziala bez problemu. Z tego co wygoglowalem to brakuje mi certyfikatu klienta ale nie mam pojecia jak mam go dodac/zrobic. :(
Nastepnym problemem jest:
Kod:
root@debian:~# ldapsearch -x -b ="dc=test,dc=kubkomowa,dc=pl" ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
badz
Kod:
root@debian:~# ldapsearch ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
Prosilbym o wskazowki, nie jestem w tym gdyz nie jestem w tym za bardzo obeznany.
Ostatnio edytowany przez kuebk (2011-01-04 14:13:03)
Offline
#2 2011-01-03 20:10:27
kamikaze - Administrator
- kamikaze
- Administrator
- Zarejestrowany: 2004-04-16
Re: [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
A wklej wynik polecenia:
Kod:
openssl x509 -noout -in /etc/ldap/servercrt.pem -issuer -subject -dates
Offline
#3 2011-01-03 20:14:34
kuebk - Użytkownik
- kuebk
- Użytkownik
- Zarejestrowany: 2010-11-27
Re: [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
Kod:
root@debian:~# openssl x509 -noout -in /etc/ldap/servercrt.pem -issuer -subject -dates issuer= /C=PL/ST=x/O=Kubkomowa/CN=kubkomowa.pl/emailAddress=x@y.com subject= /C=PL/ST=x/L=y/O=Kubkomowa/CN=test.kubkomowa.pl/emailAddress=x@y.com notBefore=Jan 3 15:34:55 2011 GMT notAfter=Jan 3 15:34:55 2012 GMT
Offline
#4 2011-01-03 20:24:58
kamikaze - Administrator
- kamikaze
- Administrator
- Zarejestrowany: 2004-04-16
Re: [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
A w sumie można to było wyczytać z pierwszego posta. Zdaje mi się, że powinieneś skonfigurować serwer tak by działał na takim samym adresie jak issuer name w certyfikacie czyli kubkomowa.pl zamiast 127.0.0.1. I łącz się na kubkomowa.pl, ta nazwa jest porównywana z tym co w certyfikacie przy SSL handshake. Jeśli się nie zgadza może powodować taki błąd jak opisałeś. Spróbuj.
Offline
#5 2011-01-03 20:53:24
kuebk - Użytkownik
- kuebk
- Użytkownik
- Zarejestrowany: 2010-11-27
Re: [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
Ok, zrobilem tak jak mowiles:
/etc/default/slapd:
Kod:
SLAPD_SERVICES="ldaps://test.kubkomowa.pl:636/
/etc/ldap/ldap.conf:
Kod:
URI ldaps://test.kubkomowa.pl:636/ HOST test.kubkomowa.pl
Certyfikaty sobie jeszcze raz wygenerowalem tak zebym mial na [i]test.kubkomowa.pl[/i] i problem jest dalej taki sam:
Kod:
root@debian:~/certs# openssl s_client -connect test.kubkomowa.pl:636 -state -CAfile /etc/ldap/cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=1 /C=PL/ST=Some-State/O=Kubkomowa/CN=test.kubkomowa.pl verify return:1 depth=0 /C=PL/ST=Some-State/O=Kubkomowa/CN=test.kubkomowa.pl verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:failed in SSLv3 read finished A 3785:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Kod:
root@debian:~/certs# openssl x509 -noout -in /etc/ldap/servercrt.pem -issuer -subject -dates issuer= /C=PL/ST=Some-State/O=Kubkomowa/CN=test.kubkomowa.pl subject= /C=PL/ST=Some-State/O=Kubkomowa/CN=test.kubkomowa.pl notBefore=Jan 3 19:46:11 2011 GMT notAfter=Jan 3 19:46:11 2012 GMT
Offline
#6 2011-01-03 21:17:55
kamikaze - Administrator
- kamikaze
- Administrator
- Zarejestrowany: 2004-04-16
Re: [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
O coś wyczytałem (polecam). Chcesz mieć połączenie do LDAP-a szyfrowane czy chcesz także mieć autoryzację certyfikatem? Twoja konfiguracja wymaga dostarczenia certyfikatu przez klienta, opcja "TLSVerifyClient demand" , więc łącząc się przy pomocy openssl powinieneś go podać po opcji -cert. Pytanie co jest twoim zamierzeniem czy chcesz mieć tylko szyfrowanego LDAP-a czy także autoryzacje certyfikatem.
Offline
#7 2011-01-03 21:30:31
kuebk - Użytkownik
- kuebk
- Użytkownik
- Zarejestrowany: 2010-11-27
Re: [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
Dzieki, cos sie ruszylo ale nie do konca, mianowicie
Kod:
root@debian:~/certs# openssl s_client -connect test.kubkomowa.pl:636 -state -CAfile /etc/ldap/cacert.pem -key /etc/smbldap-tools/ldap.client.key.pem -cert /etc/smbldap-tools/ldap.client.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
verify return:1
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
---
Server certificate
-----BEGIN CERTIFICATE-----
blablabla
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
---
Acceptable client certificate CA names
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl
---
SSL handshake has read 1132 bytes and written 1203 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 58E018390F16B3451D97EF409CCF348CD037356A4A9335BE3ACA60FEB83A9B4F
Session-ID-ctx:
Master-Key: 0CDC4508CBBCAE9006C3C00D3946D2CCCDB6472A56EE531F4727E1EA3FBF473FE6CB5E68200900109E64C5B11BC7088A
Key-Arg : None
Start Time: 1294086367
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notifyale w logach mam:
Kod:
Jan 3 21:26:07 debian slapd[4127]: conn=4 fd=13 ACCEPT from IP=192.168.180.129:52865 (IP=192.168.180.129:636) Jan 3 21:26:07 debian slapd[4127]: conn=4 fd=13 closed (TLS negotiation failure)
Domyslam sie ze problem moze byc podany CommonName w certyfikatach dla klienta ale nie wiem co mam tam wpisac. :(
EDIT: Co do dalszej czesci wypowiedzi to zalezy mi zarowno na szyfrowaniu jak i autoryzowaniu poszczegolnych klientow.
Ostatnio edytowany przez kuebk (2011-01-03 21:32:57)
Offline
#8 2011-01-03 22:26:03
kamikaze - Administrator
- kamikaze
- Administrator
- Zarejestrowany: 2004-04-16
Re: [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
[quote=kuebk]EDIT: Co do dalszej czesci wypowiedzi to zalezy mi zarowno na szyfrowaniu jak i autoryzowaniu poszczegolnych klientow.[/quote]
Autoryzowanie jak najbardziej, pytanie czy na pewno chcesz to robić przy użyciu certyfikatów. Mógłbyś użyć innych mechanizmów np. najprostsze login/hasło. Trzeba odróżnić dwie rzeczy: szyfrowanie połączenia i autoryzację. Szyfrowanie połączenia wymaga posiadania certyfikatu na serwerze bo używasz SSL/TLS, ale raczej nie oznacza konieczności używania certyfikatu klienta do autoryzacji. Są inne sposoby najlepiej poczytać: http://www.openldap.org/doc/admin24/security.html , http://www.openldap.org/doc/admin24/tls.html . W sumie nie mam wielkiego doświadczenia z LDAP, ale pewnie kwestia jest taka sama jak w przypadku serwera WWW, SMTP itp. Gdzie możesz mieć szyfrowane połączenia SSL/TLS, a autoryzacja najczęściej odbywa się przy pomocy pary login/hasło. Rzadziej stosuje się autoryzację wymagając certyfikatu klienta. Lepiej poczytaj dokumentację w całości będziesz wiedział wszystko, ja trochę nie mam na to czasu ;]
Offline
#9 2011-01-04 01:11:29
kuebk - Użytkownik
- kuebk
- Użytkownik
- Zarejestrowany: 2010-11-27
Re: [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
Zrezygnowalem z autoryzacji klienta poprzez certyfikaty, wszystko juz prawie zrobilem tylko mam jeszcze kilka problemow, samba uparcie probuje robic StartTLS jak juz jest zrobione.
Kod:
[2011/01/04 01:50:45.408459, 3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains) [ 3013]: list trusted domains [2011/01/04 01:50:45.415006, 0] lib/smbldap.c:731(smb_ldap_start_tls) Failed to issue the StartTLS instruction: Operations error [2011/01/04 01:50:45.415030, 1] lib/smbldap.c:1330(another_ldap_try) Connection to LDAP server failed for the 1 try! [2011/01/04 01:50:46.415748, 3] winbindd/winbindd_misc.c:166(winbindd_dual_list_trusted_domains) winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL [2011/01/04 01:50:46.415840, 1] winbindd/winbindd_util.c:289(trustdom_recv) Could not receive trustdoms [2011/01/04 01:55:45.408690, 3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains) [ 3013]: list trusted domains [2011/01/04 01:55:45.415181, 0] lib/smbldap.c:731(smb_ldap_start_tls) Failed to issue the StartTLS instruction: Operations error [2011/01/04 01:55:45.415196, 1] lib/smbldap.c:1330(another_ldap_try) Connection to LDAP server failed for the 1 try! [2011/01/04 01:55:46.415999, 3] winbindd/winbindd_misc.c:166(winbindd_dual_list_trusted_domains) winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL [2011/01/04 01:55:46.416086, 1] winbindd/winbindd_util.c:289(trustdom_recv) Could not receive trustdoms [2011/01/04 02:00:45.412059, 3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains) [ 3013]: list trusted domains [2011/01/04 02:00:45.418513, 0] lib/smbldap.c:731(smb_ldap_start_tls) Failed to issue the StartTLS instruction: Operations error [2011/01/04 02:00:45.418528, 1] lib/smbldap.c:1330(another_ldap_try) Connection to LDAP server failed for the 1 try! [2011/01/04 02:00:46.419439, 3] winbindd/winbindd_misc.c:166(winbindd_dual_list_trusted_domains) winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL [2011/01/04 02:00:46.419530, 1] winbindd/winbindd_util.c:289(trustdom_recv) Could not receive trustdoms [2011/01/04 02:05:45.412294, 3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains) [ 3013]: list trusted domains [2011/01/04 02:05:45.419047, 0] lib/smbldap.c:731(smb_ldap_start_tls) Failed to issue the StartTLS instruction: Operations error [2011/01/04 02:05:45.419091, 1] lib/smbldap.c:1330(another_ldap_try) Connection to LDAP server failed for the 1 try! [2011/01/04 02:05:46.419608, 3] winbindd/winbindd_misc.c:166(winbindd_dual_list_trusted_domains) winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL [2011/01/04 02:05:46.419693, 1] winbindd/winbindd_util.c:289(trustdom_recv) Could not receive trustdoms
W logach sladp wyglada to tak:
Kod:
Jan 4 01:08:33 debian slapd[3539]: conn=9 fd=17 ACCEPT from IP=192.168.180.129:35624 (IP=192.168.180.129:636) Jan 4 01:08:33 debian slapd[3539]: conn=9 fd=17 TLS established tls_ssf=128 ssf=128 Jan 4 01:08:33 debian slapd[3539]: conn=9 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Jan 4 01:08:33 debian slapd[3539]: conn=9 op=0 STARTTLS Jan 4 01:08:33 debian slapd[3539]: conn=9 op=0 RESULT oid= err=1 text=TLS already started Jan 4 01:08:34 debian slapd[3539]: conn=9 op=1 SRCH base="dc=test,dc=kubkomowa,dc=pl" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=0))" Jan 4 01:08:34 debian slapd[3539]: conn=9 op=1 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass Jan 4 01:08:34 debian slapd[3539]: conn=9 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
Wyglada na to ze samba probuje zainicjowac TLS mimo tego ze juz jest co skutkuje err=1 a potem err=53.
Ostatnio edytowany przez kuebk (2011-01-04 02:07:54)
Offline
#10 2011-01-04 09:32:37
kamikaze - Administrator
- kamikaze
- Administrator
- Zarejestrowany: 2004-04-16
Re: [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
A ustawiłeś autoryzację połączenia samby z LDAP?
Offline
#11 2011-01-04 09:54:33
kuebk - Użytkownik
- kuebk
- Użytkownik
- Zarejestrowany: 2010-11-27
Re: [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
Wydaje mi sie ze wszystko jest ustawione poprawnie, tymbardziej ze to tylko winbind cos grymasi.
Kod:
[global]
workgroup = ELOSZKA
netbios name = CZUPAKABRA
server string = Samba PDC
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_SNDBUF=8192 SO_RCVBUF=8192
os level = 65
preferred master = yes
local master = yes
domain master = yes
domain logons = yes
security = user
guest ok = no
encrypt passwords = yes
null passwords = no
hosts allow = 127.0.0.1 192.168.1.0/24 192.168.180.0/24
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
log file = /var/log/smb/log.%m
log level = 3
syslog = 0
max log size = 1024
;hide unreadable = yes
;hide dot files = yes
passdb backend = ldapsam:ldaps://test.kubkomowa.pl:636
ldap suffix = dc=test,dc=kubkomowa,dc=pl
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=test,dc=kubkomowa,dc=pl
enable privileges = yes
logon home = \\%L\%U
logon path = \\%L\profiles
logon drive = Z:
logon script = logon.cmd
time server = yes
ldap ssl = no
ldap passwd sync = yes
ldap delete dn = yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %nn *Retype*new*password* %nn *all*authentication*tokens*updated*
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
unix charset = ISO8859-2
dos charset = CP852
idmap backend = ldap:"ldaps://test.kubkomowa.pl:636"
idmap alloc backend = ldap:"ldaps://test.kubkomowa.pl:636"
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000Chociaz jak teraz robie tak:
Kod:
debian:~# wbinfo -i test8 test8:*:3009:512:test8:/home/ELOSZKA/test8:/bin/false
To po logach wyglada na to ze problem przez noc przestal wystepowac
Kod:
[2011/01/04 10:47:39.020394, 3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains) [ 3015]: list trusted domains [2011/01/04 10:47:39.177549, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version) [ 3673]: request interface version [2011/01/04 10:47:39.177616, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir) [ 3673]: request location of privileged pipe [2011/01/04 10:47:39.177699, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send) getpwnam test8 [2011/01/04 10:47:39.178596, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: test8 [2011/01/04 10:47:39.180168, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: test8
Kod:
Jan 4 10:47:39 debian slapd[2706]: conn=4 op=24 SRCH base="sambaDomainName=ELOSZKA,dc=test,dc=kubkomowa,dc=pl" scope=2 deref=0 filter="(objectClass=sambaTrustedDomainPassword)" Jan 4 10:47:39 debian slapd[2706]: conn=4 op=24 SRCH attr=sambaDomainName sambaSID Jan 4 10:47:39 debian slapd[2706]: conn=4 op=24 SEARCH RESULT tag=101 err=0 nentries=0 text= Jan 4 10:47:39 debian slapd[2706]: conn=4 op=25 SRCH base="dc=test,dc=kubkomowa,dc=pl" scope=2 deref=0 filter="(&(uid=test8)(objectClass=sambaSamAccount))" Jan 4 10:47:39 debian slapd[2706]: conn=4 op=25 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos Jan 4 10:47:39 debian slapd[2706]: <= bdb_equality_candidates: (uid) not indexed Jan 4 10:47:39 debian slapd[2706]: conn=4 op=25 SEARCH RESULT tag=101 err=0 nentries=1 text= Jan 4 10:47:39 debian slapd[2706]: conn=4 op=26 SRCH base="sambaDomainName=ELOSZKA,dc=test,dc=kubkomowa,dc=pl" scope=0 deref=0 filter="(objectClass=sambaDomain)" Jan 4 10:47:39 debian slapd[2706]: conn=4 op=26 SRCH attr=sambaPwdHistoryLength Jan 4 10:47:39 debian slapd[2706]: conn=4 op=26 SEARCH RESULT tag=101 err=0 nentries=1 text= Jan 4 10:47:39 debian slapd[2706]: conn=4 op=27 SRCH base="sambaDomainName=ELOSZKA,dc=test,dc=kubkomowa,dc=pl" scope=0 deref=0 filter="(objectClass=sambaDomain)" Jan 4 10:47:39 debian slapd[2706]: conn=4 op=27 SRCH attr=sambaMaxPwdAge Jan 4 10:47:39 debian slapd[2706]: conn=4 op=27 SEARCH RESULT tag=101 err=0 nentries=1 text= Jan 4 10:47:39 debian slapd[2706]: conn=4 op=28 SRCH base="dc=test,dc=kubkomowa,dc=pl" scope=2 deref=0 filter="(&(sambaSID=s-1-5-21-2559545835-4069677334-2214471925-7018)(objectClass=sambaSamAccount))" Jan 4 10:47:39 debian slapd[2706]: conn=4 op=28 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos Jan 4 10:47:39 debian slapd[2706]: <= bdb_equality_candidates: (sambaSID) not indexed Jan 4 10:47:39 debian slapd[2706]: conn=4 op=28 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aczkolwiek nie wiem czy w taki sposob jestem w stanie powtorzyc blad z poprzedniego posta.
Ostatnio edytowany przez kuebk (2011-01-04 10:50:16)
Offline
#12 2011-01-04 11:13:37
kamikaze - Administrator
- kamikaze
- Administrator
- Zarejestrowany: 2004-04-16
Re: [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
Czyli wszystko już gra? Jeśli tak do następnego problemu ;]
Offline
#13 2011-01-04 14:12:32
kuebk - Użytkownik
- kuebk
- Użytkownik
- Zarejestrowany: 2010-11-27
Re: [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
No wyglada na to ze tak, tyle ze do nie wiem czemu ostatni problem wystepowal i czemu sam sie naprawil.
Mam wrazenie ze restart maszyny czasami daje wiecej niz restart samby.
Bardzo dziekuje za pomoc. :)
Do pelni szczescia dorobilem jeszcze jedna zmiane w smb.conf,
bylo:
Kod:
idmap backend = ldap:"ldaps://test.kubkomowa.pl:636"
idmap alloc backend = ldap:"ldaps://test.kubkomowa.pl:636"
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000jest:
Kod:
idmap config ELOSZKA: default = yes
idmap config ELOSZKA: readonly = no
idmap config ELOSZKA: backend = ldap
idmap config ELOSZKA: ldap_url = ldaps://test.kubkomowa.pl
idmap config ELOSZKA: ldap_base_dn = ou=Idmap,dc=test,dc=kubkomowa,dc=pl
idmap config ELOSZKA: ldap_user_dn = cn=admin,dc=test,dc=kubkomowa,dc=pl
idmap config ELOSZKA: range = 10000 - 20000
idmap alloc backend = ldap
idmap alloc config: ldap_url = ldaps://test.kubkomowa.pl
idmap alloc config: ldap_base_dn = ou=Idmap,dc=test,dc=kubkomowa,dc=pl
idmap alloc config: ldap_user_dn = cn=admin,dc=test,dc=kubkomowa,dc=plNa poprzedniej wersji konfiguracji dla idmap nie wiem czemu najpierw chcial mi sie laczyc z backendem w postaci passdb a nie ldap.
Ostatnio edytowany przez kuebk (2011-01-04 18:32:15)
Offline
#14 2011-01-07 01:38:57
kuebk - Użytkownik
- kuebk
- Użytkownik
- Zarejestrowany: 2010-11-27
Re: [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
Dalej mam jakas dupe z tym winbindem,
logi:
Kod:
==> log.winbindd-idmap <== [2011/01/07 01:34:22.803153, 0] winbindd/idmap.c:201(smb_register_idmap_alloc) idmap_alloc module tdb already registered! [2011/01/07 01:34:22.803181, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module passdb already registered! [2011/01/07 01:34:22.803197, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module nss already registered! [2011/01/07 01:34:22.803213, 3] winbindd/idmap.c:359(idmap_init_default_domain) idmap_init: using 'tdb' as remote backend [2011/01/07 01:34:22.803230, 3] winbindd/idmap_tdb.c:618(idmap_tdb_db_init) Warning: 'idmap uid' not set! [2011/01/07 01:34:22.803245, 3] winbindd/idmap_tdb.c:632(idmap_tdb_db_init) Warning: 'idmap gid' not set! [2011/01/07 01:34:22.803260, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges) idmap uid missing [2011/01/07 01:34:22.803304, 0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db) Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration [2011/01/07 01:34:22.803326, 1] winbindd/idmap.c:321(idmap_init_domain) idmap initialization returned NT_STATUS_UNSUCCESSFUL [2011/01/07 01:34:22.804319, 0] winbindd/idmap.c:201(smb_register_idmap_alloc) idmap_alloc module tdb already registered! [2011/01/07 01:34:22.804340, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module passdb already registered! [2011/01/07 01:34:22.804356, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module nss already registered! [2011/01/07 01:34:22.804372, 3] winbindd/idmap.c:359(idmap_init_default_domain) idmap_init: using 'tdb' as remote backend [2011/01/07 01:34:22.804387, 3] winbindd/idmap_tdb.c:618(idmap_tdb_db_init) Warning: 'idmap uid' not set! [2011/01/07 01:34:22.804402, 3] winbindd/idmap_tdb.c:632(idmap_tdb_db_init) Warning: 'idmap gid' not set! [2011/01/07 01:34:22.804417, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges) idmap uid missing [2011/01/07 01:34:22.804451, 0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db) Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration [2011/01/07 01:34:22.804472, 1] winbindd/idmap.c:321(idmap_init_domain) idmap initialization returned NT_STATUS_UNSUCCESSFUL [2011/01/07 01:34:22.804489, 3] winbindd/idmap.c:670(idmap_new_mapping) no default domain, no place to write [2011/01/07 01:34:22.805627, 0] winbindd/idmap.c:201(smb_register_idmap_alloc) idmap_alloc module tdb already registered! [2011/01/07 01:34:22.805648, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module passdb already registered! [2011/01/07 01:34:22.805664, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module nss already registered! [2011/01/07 01:34:22.805681, 1] winbindd/idmap_ldap.c:268(idmap_ldap_alloc_init) idmap uid or idmap gid missing [2011/01/07 01:34:22.805697, 0] winbindd/idmap.c:589(idmap_alloc_init) ERROR: Initialization failed for alloc backend, deferred! [2011/01/07 01:34:22.808602, 0] winbindd/idmap.c:201(smb_register_idmap_alloc) idmap_alloc module tdb already registered! [2011/01/07 01:34:22.808624, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module passdb already registered! [2011/01/07 01:34:22.808639, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module nss already registered! [2011/01/07 01:34:22.808655, 3] winbindd/idmap.c:359(idmap_init_default_domain) idmap_init: using 'tdb' as remote backend [2011/01/07 01:34:22.808671, 3] winbindd/idmap_tdb.c:618(idmap_tdb_db_init) Warning: 'idmap uid' not set! [2011/01/07 01:34:22.808685, 3] winbindd/idmap_tdb.c:632(idmap_tdb_db_init) Warning: 'idmap gid' not set! [2011/01/07 01:34:22.808699, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges) idmap uid missing [2011/01/07 01:34:22.808735, 0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db) Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration [2011/01/07 01:34:22.808757, 1] winbindd/idmap.c:321(idmap_init_domain) idmap initialization returned NT_STATUS_UNSUCCESSFUL [2011/01/07 01:34:22.809980, 0] winbindd/idmap.c:201(smb_register_idmap_alloc) idmap_alloc module tdb already registered! [2011/01/07 01:34:22.809998, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module passdb already registered! [2011/01/07 01:34:22.810015, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module nss already registered! [2011/01/07 01:34:22.810033, 1] winbindd/idmap_ldap.c:268(idmap_ldap_alloc_init) idmap uid or idmap gid missing [2011/01/07 01:34:22.810048, 0] winbindd/idmap.c:589(idmap_alloc_init) ERROR: Initialization failed for alloc backend, deferred! [2011/01/07 01:34:22.811787, 0] winbindd/idmap.c:201(smb_register_idmap_alloc) idmap_alloc module tdb already registered! [2011/01/07 01:34:22.811813, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module passdb already registered! [2011/01/07 01:34:22.811830, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module nss already registered! [2011/01/07 01:34:22.811845, 3] winbindd/idmap.c:359(idmap_init_default_domain) idmap_init: using 'tdb' as remote backend [2011/01/07 01:34:22.811862, 3] winbindd/idmap_tdb.c:618(idmap_tdb_db_init) Warning: 'idmap uid' not set! [2011/01/07 01:34:22.811880, 3] winbindd/idmap_tdb.c:632(idmap_tdb_db_init) Warning: 'idmap gid' not set! [2011/01/07 01:34:22.811895, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges) idmap uid missing [2011/01/07 01:34:22.811931, 0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db) Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration [2011/01/07 01:34:22.811953, 1] winbindd/idmap.c:321(idmap_init_domain) idmap initialization returned NT_STATUS_UNSUCCESSFUL [2011/01/07 01:34:22.811970, 3] winbindd/idmap.c:670(idmap_new_mapping) no default domain, no place to write
smb.conf:
Kod:
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
idmap config ELOSZKA: default = yes
idmap config ELOSZKA: readonly = no
idmap config ELOSZKA: backend = ldap
idmap config ELOSZKA: ldap_url = ldaps://ldap.test.kubkomowa.pl
idmap config ELOSZKA: ldap_base_dn = ou=Idmap,dc=ldap,dc=test,dc=kubkomowa,dc=pl
idmap config ELOSZKA: ldap_user_dn = cn=admin,dc=ldap,dc=test,dc=kubkomowa,dc=pl
idmap config ELOSZKA: range = 10000 - 20000
idmap alloc backend = ldap
idmap alloc config: ldap_url = ldaps://ldap.test.kubkomowa.pl
idmap alloc config: ldap_base_dn = ou=Idmap,dc=ldap,dc=test,dc=kubkomowa,dc=pl
idmap alloc config: ldap_user_dn = cn=admin,dc=ldap,dc=test,dc=kubkomowa,dc=pl
idmap alloc config: range = 10000 - 20000Nie rozumiem czemu sie rzuca o parametry idmap uid, idmap gid skoro sa ustawione.
Offline
Strony: 1
- Forum Debian Users Gang
- » Sieci i serwery
- » [SOLVED] Certyfikaty SSL/TLS i OpenLDAP + problemy.
Informacje debugowania
| Time (s) | Query |
|---|---|
| 0.00015 | SET CHARSET latin2 |
| 0.00007 | SET NAMES latin2 |
| 0.00180 | SELECT u.*, g.*, o.logged FROM punbb_users AS u INNER JOIN punbb_groups AS g ON u.group_id=g.g_id LEFT JOIN punbb_online AS o ON o.ident='3.21.244.231' WHERE u.id=1 |
| 0.00093 | REPLACE INTO punbb_online (user_id, ident, logged) VALUES(1, '3.21.244.231', 1719366586) |
| 0.00091 | SELECT * FROM punbb_online WHERE logged<1719366286 |
| 0.00117 | DELETE FROM punbb_online WHERE ident='173.252.107.19' |
| 0.00084 | SELECT t.subject, t.closed, t.num_replies, t.sticky, f.id AS forum_id, f.forum_name, f.moderators, fp.post_replies, 0 FROM punbb_topics AS t INNER JOIN punbb_forums AS f ON f.id=t.forum_id LEFT JOIN punbb_forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id=3) WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.id=18029 AND t.moved_to IS NULL |
| 0.00010 | SELECT search_for, replace_with FROM punbb_censoring |
| 0.00316 | SELECT u.email, u.title, u.url, u.location, u.use_avatar, u.signature, u.email_setting, u.num_posts, u.registered, u.admin_note, p.id, p.poster AS username, p.poster_id, p.poster_ip, p.poster_email, p.message, p.hide_smilies, p.posted, p.edited, p.edited_by, g.g_id, g.g_user_title, o.user_id AS is_online FROM punbb_posts AS p INNER JOIN punbb_users AS u ON u.id=p.poster_id INNER JOIN punbb_groups AS g ON g.g_id=u.group_id LEFT JOIN punbb_online AS o ON (o.user_id=u.id AND o.user_id!=1 AND o.idle=0) WHERE p.topic_id=18029 ORDER BY p.id LIMIT 0,25 |
| 0.00089 | UPDATE punbb_topics SET num_views=num_views+1 WHERE id=18029 |
| Total query time: 0.01002 s | |