On 01/08/2016 04:03 PM, Philip Guenther wrote:
> On Fri, 8 Jan 2016, Graham Allan wrote:
> > Replying to my own message here, but I continue to investigate my problem and can't explain what I see. I put together a small test program to connect to our ldap server using same parameters as smbd. Setting "ldap debug level = 1" in smb.conf, and the equivalent LDAP_DEBUG_TRACE in my test program shows the smbd output complaining of certificate signature failure.
> > smbd output:
> > ...
> > [LDAP] TLS certificate verification: depth: 0, err: 7, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu,[LDAP] issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA [LDAP] TLS certificate verification: Error, certificate signature failure
> Some certs verify, another doesn't: so what's different about that cert? Different signature hash algorithm, sha256 perhaps?
The cert is sha256 as it happens, but both smbd and the test case are connecting to the same ldap server, so receive the same certificate. I'm calling the same ldap library functions with the same parameters, which is what makes this so odd.
The smbd code does potentially call a few other ldap_set_option settings, e.g. referral behaviour, timeouts, attempt to upgrade to LDAPv3, but I don't see much really happening there in gdb - FWIW I tested skipping over these calls with no difference in result.
> Are smbd and your test program linked against the same libldap version and openssl version?
They are, yes (I just posted ldd output in response to Quanah's reply).
Thanks for the ideas,
Graham