I am having a problem with smbpasswd, an LDAP backend server and SSL/TLS certificates. The client machine that I run smbpasswd on is a Debian Etch machine, and the Ldap server is Sun DS running on Solaris. All the following occurs on the client.
When I disable SSL, by setting "ldap ssl = no" in smb.conf, the smbpasswd program works without errors.
When I set "ldap ssl = start tls", the following messages are printed by smbpasswd and there is a long timeout period before any password is asked by it
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!
..... long delay .....
New SMB password:
Retype new SMB password:
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!
smbpasswd: /tmp/buildd/openldap2-2.1.30/libraries/liblber/io.c:702: ber_get_next: Assertion `0' failed.
Aborted
I conducted some tests with "ldapsearch -ZZ". It was not working at first, but after I added the TLS_CACERT line to /etc/ldap/ldap.conf, /etc/libnss-ldap.conf and /etc/pam_ldap.conf, it started working. So relevant TLS sections in all those files are:
ssl start_tls
tls_checkpeer no
tls_cacertfile /path/to/ca-root.pem
TLS_CACERT /path/to/ca-root.pem
But the smbpasswd program continued giving the error.
I tried creating /etc/smbldap-tools/smbldap.conf file with following content (after consulting debian docs for smbldap-tools package) But as I see, smbpasswd comes with samba-common package and does not use the configuration for smbldap-tools utilities.
verify="optional"
cafile="/path/to/ca-root.pem"
My question is: How can I set which SSL CA Certificate is used by smbpasswd program ?
You don't specify which CA cert should the SSL client use; instead, you just append all CA certs to same file. Based on which CA signed the server cert, it tries to locate it in that root certs file.
You have run into a bug, and you are running openldap 2.2; upgrade it to the latest one: 2.4.x ldap. You would be fine then.