@KaLans

Как создать правильно сертификат LDAPS SAMBA DC?

Подскажите, что делаю не так при создании сертификата для ldaps?
[root@dc1 ~]# samba-tool domain info 127.0.0.1
Forest           : site1.ru
Domain           : site1.ru
Netbios domain   : SITE1
DC name          : dc1.site1.ru
DC netbios name  : DC1
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name


Генерация сертификатов:

# NOTE(review): this is an interactive transcript (prompt + command + output), not a runnable script.
# The commands are left exactly as typed; the comments mark what a practitioner would change.
[root@dc1 tls]# openssl genrsa -out rootCA.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
...............................................................................+++++
e is 65537 (0x010001)


# NOTE(review): the CA is given the same DN as the server certificate issued below (every field,
# including CN=DC1.site1.ru). Give the CA its own name (e.g. CN=site1 Root CA): a leaf whose issuer DN
# equals its own subject DN is classified by OpenSSL as self-signed, which is exactly the
# "err: 18 ... self signed certificate" seen in the ldapsearch check further down.
# Also: the CA key is generated in the DC's tls/ directory; keep it off the DC if possible, or at
# least mode 0600 — anyone who can read it can issue certificates for any host in the domain.
[root@dc1 tls]# openssl req -x509 -new -key rootCA.key -days 10000 -out rootCA.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) []:City123 st.
Locality Name (eg, city) []:City123
Organization Name (eg, company) []:site1
Organizational Unit Name (eg, section) []:IT
Common Name (e.g., your name or your server's hostname) []:DC1.site1.ru
Email Address []:admin@site1.ru



[root@dc1 tls]# openssl genrsa -out dc1.site1.ru.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................+++++
..............................................................................................................................................+++++
e is 65537 (0x010001)
[root@dc1 tls]# 


[root@dc1 tls]# openssl req -new -key dc1.site1.ru.key -out dc1.site1.ru.csr
-----
Country Name (2 letter code) [RU]:
State or Province Name (full name) []:City123 st.
Locality Name (eg, city) []:City123
Organization Name (eg, company) []:site1
Organizational Unit Name (eg, section) []:IT
Common Name (e.g., your name or your server's hostname) []:DC1.site1.ru
Email Address []:admin@site1.ru

# NOTE(review): the challenge password is an optional PKCS#10 attribute stored in cleartext inside the
# CSR; the `openssl x509 -req` step below never uses it. Leave it blank rather than typing a value
# (and never a trivial one) — it only ends up in a file that tends to get pasted into forum posts.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:site1.RU


# NOTE(review): `x509 -req` without -extfile/-extensions adds no extensions at all, so the server cert
# has no subjectAltName, no keyUsage/extendedKeyUsage (serverAuth) and no authorityKeyIdentifier.
# Issue it with an extension file, e.g. `-extfile san.cnf` containing
# `subjectAltName=DNS:dc1.site1.ru,DNS:site1.ru` and `extendedKeyUsage=serverAuth` — the bare domain
# name is needed because the StartTLS check below dials `site1.ru`, not the host name.
# 5000 days (~13.7 years) is a very long leaf lifetime; some client platforms reject server certs
# valid for more than ~2 years, so 1–2 years with planned renewal is the safer choice.
# -CAcreateserial writes rootCA.srl next to the CA key; keep it, it must be reused for later issues.
[root@dc1 tls]# openssl x509 -req -in dc1.site1.ru.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out dc1.site1.ru.crt -days 5000
Signature ok
subject=C = RU, ST = City123 st., L = City123, O = site1, OU = IT, CN = DC1.site1.ru, emailAddress = admin@site1.ru
Getting CA Private Key



smb.conf

# TLS
# NOTE(review): relative paths here are resolved by Samba against its private directory
# (presumably the tls/ directory the certificates were generated in above — confirm with
# `testparm -v | grep tls`). The key file should be readable by root only (mode 0600).
        tls enabled  = yes
        tls keyfile  = tls/dc1.site1.ru.key
        tls certfile = tls/dc1.site1.ru.crt
# `tls cafile` is the CA Samba itself uses on the server side; it does not make LDAP clients trust
# rootCA.crt. Each client still needs the CA in its own trust store (e.g. TLS_CACERT in ldap.conf).
        tls cafile   = tls/rootCA.crt



Проверка:
Проверяю подключение на самом сервере dc1. Примечание: сертификат здесь проверяет клиент ldapsearch (OpenLDAP) по своему списку доверенных CA (параметр TLS_CACERT в ldap.conf или переменная окружения LDAPTLS_CACERT), а не по `tls cafile` из smb.conf, поэтому rootCA.crt нужно отдельно указать клиенту.

# NOTE(review): interactive transcript; `-d 1` prints the TLS handshake. The trust store consulted
# here is the OpenLDAP client's (TLS_CACERT in ldap.conf / LDAPTLS_CACERT), not smb.conf's `tls cafile`.
[root@dc1 ~]# ldapsearch -d 1 -H ldaps://dc1.site1.ru:636
ldap_url_parse_ext(ldaps://dc1.site1.ru:636)
ldap_create
ldap_url_parse_ext(ldaps://dc1.site1.ru:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dc1.site1.ru:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying fe80:::e9ae 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
# NOTE(review): err 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. Subject and issuer on the next line
# are the same DN, so OpenSSL treats the server cert itself as self-signed (most likely because the
# leaf carries no authorityKeyIdentifier and its DN equals the CA's DN) and never tries to chain it to
# rootCA.crt. Two fixes are needed: give the CA a distinct DN, and add rootCA.crt to the client's trust store.
TLS certificate verification: depth: 0, err: 18, subject: /C=RU/ST=City123 st./L=City123/O=site1/OU=IT/CN=DC1.site1.ru/emailAddress=admin@site1.ru, issuer: /C=RU/ST=City123 st./L=City123/O=site1/OU=IT/CN=DC1.site1.ru/emailAddress=admin@site1.ru
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate).
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate)




# NOTE(review): a single `-Z` only *requests* StartTLS and carries on without it when the upgrade fails
# — note the password prompt below is shown after the TLS error. Use `-ZZ` so the simple bind (-x -W)
# can never be attempted in cleartext. `-h` is deprecated in favour of `-H ldap://site1.ru`, and the
# bare domain name dialed here must also appear in the certificate's subjectAltName.
[root@dc1 ~]# ldapsearch -h site1.ru -W -x -D "Administrator@site1.ru" -Z -b dc=site1,dc=ru "(cn=Administrator)" dn sAMAccountName
ldap_start_tls: Connect error (-11)
        additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate)
Enter LDAP Password: 
ldap_result: Can't contact LDAP server (-1)
[root@dc1 ~]#

Ответы на вопрос 1
@KaLans Автор вопроса
Проблему решил. Сертификат создавал правильно, нужно было создать списки отзывов и все. (Примечание рецензента: сам по себе CRL эту ошибку не объясняет. В выводе ldapsearch выше ошибка err 18 «self signed certificate» возникает потому, что корневой CA и серверный сертификат получили одинаковый DN (CN=DC1.site1.ru), из-за чего OpenSSL считает серверный сертификат самоподписанным, а клиент вдобавок не доверяет rootCA.crt. Скорее всего, при пересоздании сертификатов CA получил другое имя и/или rootCA.crt был добавлен клиенту в доверенные (TLS_CACERT в ldap.conf) — без этого одно только наличие CRL ничего не изменит. Правильный рецепт: отдельное CN для CA, серверный сертификат с subjectAltName (DNS:dc1.site1.ru, DNS:site1.ru) и extendedKeyUsage=serverAuth, и rootCA.crt в доверенных у каждого клиента.)