Replying to my own message here, but I continue to investigate my problem and can't explain what I see. I put together a small test program to connect to our ldap server using same parameters as smbd. Setting "ldap debug level = 1" in smb.conf, and the equivalent LDAP_DEBUG_TRACE in my test program shows the smbd output complaining of certificate signature failure.
smbd output:
[LDAP] ldap_simple_bind_s [LDAP] ldap_sasl_bind_s [LDAP] ldap_sasl_bind [LDAP] ldap_send_initial_request [LDAP] ldap_new_connection 1 1 0 [LDAP] ldap_int_open_connection [LDAP] ldap_connect_to_host: TCP ldap.spa.umn.edu:636 [LDAP] ldap_new_socket: 9 [LDAP] ldap_prepare_socket: 9 [LDAP] ldap_connect_to_host: Trying 128.101.220.24:636 [LDAP] ldap_pvt_connect: fd: 9 tm: -1 async: 0 [LDAP] attempting to connect: [LDAP] connect success [LDAP] TLS trace: SSL_connect:before/connect initialization [LDAP] TLS trace: SSL_connect:SSLv2/v3 write client hello A [LDAP] TLS trace: SSL_connect:SSLv3 read server hello A [LDAP] TLS certificate verification: depth: 3, err: 0, subject: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root,[LDAP] issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root [LDAP] TLS certificate verification: depth: 2, err: 0, subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority,[LDAP] issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root [LDAP] TLS certificate verification: depth: 1, err: 0, subject: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA,[LDAP] issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority [LDAP] TLS certificate verification: depth: 0, err: 7, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu,[LDAP] issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA [LDAP] TLS certificate verification: Error, certificate signature failure [LDAP] TLS certificate verification: depth: 0, err: 7, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu,[LDAP] issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA [LDAP] TLS trace: SSL_connect:SSLv3 read server certificate A [LDAP] TLS trace: SSL_connect:SSLv3 read server done A [LDAP] TLS trace: SSL_connect:SSLv3 write client key exchange A [LDAP] TLS trace: SSL_connect:error in error [LDAP] TLS trace: SSL_connect:error in error [LDAP] TLS: can't connect: .
But my test program on same machine gives:
ldap_simple_bind_s ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.spa.umn.edu:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 128.101.220.24:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 3, err: 0, subject: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root TLS certificate verification: depth: 2, err: 0, subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root TLS certificate verification: depth: 1, err: 0, subject: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA, issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority TLS certificate verification: depth: 0, err: 0, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu, issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read server session ticket A TLS trace: SSL_connect:SSLv3 read finished A ldap_open_defconn: successful ldap_send_server_request
Same certificate chain, but one case verifies and the other doesn't...
I also stepped through smbd with gdb and verified that the parameters to ldap_simple_bind_s are the same as my test case.
Wonder if anyone can venture a guess how this might occur?
G.