On Fri, 8 Jan 2016, Graham Allan wrote:
> Replying to my own message here, but I continue to investigate my problem and can't explain what I see. I put together a small test program to connect to our ldap server using the same parameters as smbd. Setting "ldap debug level = 1" in smb.conf, and the equivalent LDAP_DEBUG_TRACE in my test program, shows the smbd output complaining of certificate signature failure.
>
> smbd output:
> ...
> [LDAP] TLS certificate verification: depth: 0, err: 7, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu,
> [LDAP] issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
> [LDAP] TLS certificate verification: Error, certificate signature failure
>
> Some certs verify, another doesn't: so what's different about that cert? Different signature hash algorithm, sha256 perhaps?
> ...
>
> But my test program on the same machine gives:
> ...
> TLS certificate verification: depth: 0, err: 0, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu, issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
> ...
>
> Same certificate chain, but one case verifies and the other doesn't...
>
> I also stepped through smbd with gdb and verified that the parameters to ldap_simple_bind_s are the same as in my test case.
>
> Wonder if anyone can venture a guess how this might occur?
Are smbd and your test program linked against the same libldap version and openssl version?
Philip Guenther
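The question above can be answered mechanically rather than by guessing. The following shell script is an added example, not code from anyone in this thread: it lists which libldap, libssl and libcrypto files two programs actually resolve to (via `ldd` for a binary on disk, via `/proc/<pid>/maps` for a daemon that is already running) and reports every mismatch, including a library that the daemon still has mapped after the file on disk was replaced. The binary names, the PID lookup and the sample paths in the comments are assumptions for illustration; the library-name pattern is what a typical OpenLDAP-on-OpenSSL install uses.

```shell
#!/bin/sh
# Added example (not from the thread): check whether two programs really use
# the same libldap / TLS libraries, since that is what decides how the
# server certificate chain gets verified.  Paths in comments are illustrative.

TLS_LIB_RE='^lib(ldap|lber|ssl|crypto|gnutls|nss3)'

# tls_libs: read `ldd <binary>` output on stdin, print "soname path" for the
# libraries relevant to LDAP-over-TLS, one per line, sorted.
tls_libs() {
    awk -v re="$TLS_LIB_RE" '$1 ~ re && $2 == "=>" {
        print $1, ($3 == "not" ? "NOT-FOUND" : $3)
    }' |
    while read -r name path; do
        # ldd prints the symlink the loader found; resolve it so that e.g.
        # libldap-2.4.so.2 -> libldap-2.4.so.2.10.7 compares equal to /proc maps
        [ -e "$path" ] && path=$(readlink -f "$path")
        printf '%s %s\n' "$name" "$path"
    done | sort
}

# tls_libs_from_maps: the same listing for a running process, read from
# /proc/<pid>/maps on stdin.  A library replaced on disk after the daemon
# started shows up with a "(deleted)" suffix.
tls_libs_from_maps() {
    awk -v re="$TLS_LIB_RE" 'NF >= 6 {
        n = $6; sub(/.*\//, "", n)          # basename of the mapped file
        if (n ~ re) {
            p = $6; if ($7 == "(deleted)") p = p "(deleted)"
            print n, p
        }
    }' | sort -u
}

# diff_tls_lib_lists A B: compare two listings produced above, keyed on the
# library family (the part before ".so", so sonames and real file names
# match up).  Prints "family: pathA vs pathB" per mismatch; returns 0 when
# both sets agree, 1 otherwise.
diff_tls_lib_lists() {
    mismatches=$(
        { printf '%s\n' "$1" | sed 's/^/A /'; printf '%s\n' "$2" | sed 's/^/B /'; } |
        awk 'NF == 3 {
            k = $2; sub(/\.so.*$/, "", k)
            seen[k] = 1; p[$1, k] = $3
        }
        END {
            for (k in seen) {
                a = "(absent)"; if (("A", k) in p) a = p["A", k]
                b = "(absent)"; if (("B", k) in p) b = p["B", k]
                if (a != b) printf "%s: %s vs %s\n", k, a, b
            }
        }' | sort
    )
    if [ -n "$mismatches" ]; then
        printf '%s\n' "$mismatches"
        return 1
    fi
    echo "same libldap/TLS libraries"
}

# compare_tls_libs BIN1 BIN2: what the dynamic loader would hand each binary,
# e.g.  compare_tls_libs /usr/sbin/smbd ./ldaptest      (assumed names)
compare_tls_libs() {
    diff_tls_lib_lists "$(ldd "$1" | tls_libs)" "$(ldd "$2" | tls_libs)"
}

# compare_running_vs_binary PID BIN: what a running daemon actually has
# mapped versus what the test program would load,
# e.g.  compare_running_vs_binary "$(pidof smbd | cut -d' ' -f1)" ./ldaptest
compare_running_vs_binary() {
    diff_tls_lib_lists "$(tls_libs_from_maps < "/proc/$1/maps")" \
                       "$(ldd "$2" | tls_libs)"
}
```

If the two programs resolve libssl/libcrypto to different files (a vendored or older OpenSSL bundled with one of them, or a daemon still holding a pre-upgrade copy mapped), they are not running the same verifier and the same chain can legitimately pass in one and fail in the other; only once this check comes back clean is a difference in the certificate itself worth chasing.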