The Samba-Bugzilla – Bug 10143
Mozldap C-SDK is not supported
Last modified: 2014-02-20 23:11:15 UTC
Created attachment 9216
diff against 3.6.15 (3.6.18 only has an offset in configure.in)
There are RFC 1823 extensions used in Samba. Even if both C-SDKs (Mozldap and OpenLDAP) do mostly the same thing, some small differences can be encountered. Especially the crypto (ldap-ssl and StartTLS) support needs some small improvements.
The main difference is that the paths to certificates and keys must be set by the application through the API. New smb.conf options are needed to set those paths.
The added options are:
  ldap certdb dir = <dir>
  ldap keydb dir = <dir>
e.g.:
  ldap certdb dir = /etc/samba/private/
  ldap keydb dir = /etc/samba/private/
The ldap-ssl protocol (the LDAP connection is started as secured directly) is also supported by the following settings in smb.conf:
  passdb backend = ldapsam:ldaps://myserv.mydom.com:632/
  ldap ssl = no # there is no "start tls" option, but the "ldaps" URL scheme switches SSL on
NSS_STRICT_NOFORK=DISABLED; export NSS_STRICT_NOFORK
...should be set in the smbd environment. Otherwise the ldap_bind_s() in the session (child) smbd will fail, at least on Solaris, due to the NSS/NSPR interaction with fork(): the crypto engine is reset but stays initialized, so the crypto engine will evaluate the keys as desynchronized.
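As an added example (not code from the report's patch and not Samba's own code), the following POSIX shell preflight check reads an smb.conf and verifies the combination the report describes for a Mozldap build: an ldaps:// passdb backend URL, both certdb/keydb directories set and present, `ldap ssl` left at no, and NSS_STRICT_NOFORK=DISABLED exported in the process environment. The option names and the reason for each check come from the report above; the parsing, the check logic, the function names and the demo smb.conf contents are my own assumptions.

```shell
#!/bin/sh
# Added example (not Samba code): preflight check for the Mozldap ldaps
# configuration described in this report. The option names ("passdb backend",
# "ldap ssl", "ldap certdb dir", "ldap keydb dir") and the NSS_STRICT_NOFORK
# requirement are taken from the report; the checking logic is an assumption.

# smb_opt FILE KEY: print the value of the first "KEY = value" line in FILE,
# with a trailing "# comment" and surrounding whitespace removed.
smb_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# check_ldaps_conf FILE: return 0 if an ldaps:// passdb backend has what the
# Mozldap SDK needs, 1 otherwise (each finding is printed on its own line).
check_ldaps_conf() {
    conf=$1
    rc=0
    backend=$(smb_opt "$conf" "passdb backend")
    case "$backend" in
        ldapsam:ldaps://*) ;;
        *) echo "passdb backend is not an ldaps:// URL, nothing to check: '$backend'"
           return 0 ;;
    esac
    # Mozldap reads certificates and keys from directories the application
    # must point it at, hence the two new smb.conf options.
    for key in "ldap certdb dir" "ldap keydb dir"; do
        dir=$(smb_opt "$conf" "$key")
        if [ -z "$dir" ]; then
            echo "missing option: $key"; rc=1
        elif [ ! -d "$dir" ]; then
            echo "$key = $dir is not a directory"; rc=1
        fi
    done
    # With Mozldap there is no "start tls"; ldaps:// in the URL turns SSL on,
    # so the report keeps "ldap ssl = no".
    sslopt=$(smb_opt "$conf" "ldap ssl")
    case "$sslopt" in
        ""|no|off) ;;
        *) echo "ldap ssl = $sslopt: use 'ldap ssl = no' with an ldaps:// URL"; rc=1 ;;
    esac
    # The report's Solaris finding: the child smbd's ldap_bind_s() fails after
    # fork() unless NSS_STRICT_NOFORK=DISABLED is in smbd's environment.
    if [ "${NSS_STRICT_NOFORK:-}" != "DISABLED" ]; then
        echo "NSS_STRICT_NOFORK is not DISABLED in the environment"; rc=1
    fi
    return $rc
}

# Demo on a constructed smb.conf (assumed content, not a real server's config).
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/smbldaps.XXXXXX")
mkdir "$demo_dir/private"
cat > "$demo_dir/smb.conf" <<EOF
[global]
   workgroup = MYDOM
   passdb backend = ldapsam:ldaps://myserv.mydom.com:632/
   ldap ssl = no # no "start tls" with Mozldap; the ldaps URL scheme switches SSL on
   ldap certdb dir = $demo_dir/private
   ldap keydb dir = $demo_dir/private
EOF
NSS_STRICT_NOFORK=DISABLED; export NSS_STRICT_NOFORK
if check_ldaps_conf "$demo_dir/smb.conf"; then
    echo "smb.conf: ldaps settings look consistent"
fi
rm -rf "$demo_dir"
```

Run it from the same environment that starts smbd (for the SMF case in this thread, the run method), since the NSS_STRICT_NOFORK check only tells you something about the environment the script itself inherited.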
*** Bug 3504 has been marked as a duplicate of this bug. ***
Thanks, I'll try to have a look at this. Is this patch actually based on the patch from bug #3504?
If we need this NSS_STRICT_NOFORK hack, do you have some pointers to where this is documented? We should code this into smbd instead of having to set things like this in the environment then.
I apologize for the long response.
(In reply to comment #3)
> thanks, I'll try to have a look at this. Is this patch actually based on the
> patch from bug #3504 ?
Yes. It is a remake for Samba 3.6, slightly extended for key/passphrase auth on ssldap.
> If we need this NSS_STRICT_NOFORK hack - do you have some pointers where this
> is documented? We should code this into smbd instead of having to set things
> like this in the environment then.
Yes, it could be safer, but currently Samba runs under SMF(5) on Solaris, so the environment variable is set in the run method.
Another unfinished part is the key/passphrase auth. My idea was to use secrets.tdb to store the passphrase (similar to the ldap password set by the smbpasswd util.), but I am not so familiar with this interface. This feature was shown as not required, so I did not finish it.