Markus

I have built a TurnKey AD server, but after 2 years the cert expired, and when I try to replace the certs in /var/lib/samba/private/tls Samba does not start anymore. Is there a documented process to change the certs? They are used for the LDAPS connection.


root@dc1 private/tls# ls -ltr
total 20
-rw------- 1 root root 3243 Dec 22 22:14 key.pem
-rw-r--r-- 1 root root 2025 Dec 22 22:14 cert.pem
-rw-r--r-- 1 root root 2021 Dec 22 22:14 ca.pem
 

The error is ldapsrv failed tstream_tls_params_server - NT_STATUS_CANT_ACCESS_DOMAIN_INFO

syslog:Dec 22 22:14:08 dc1 samba-ad-dc[11963]: Starting Samba AD DC daemon: samba.
syslog:Dec 22 22:14:08 dc1 samba[11974]: [2019/12/22 22:14:08.406394,  0] ../source4/smbd/server.c:488(binary_smbd_main)
syslog:Dec 22 22:14:08 dc1 samba[11974]:   samba: using 'standard' process model
syslog:Dec 22 22:14:08 dc1 samba[12013]: [2019/12/22 22:14:08.436129,  0] ../source4/ldap_server/ldap_server.c:947(ldapsrv_task_init)
syslog:Dec 22 22:14:08 dc1 samba[12013]:   ldapsrv failed tstream_tls_params_server - NT_STATUS_CANT_ACCESS_DOMAIN_INFO
syslog:Dec 22 22:14:08 dc1 samba[11974]: [2019/12/22 22:14:08.491434,  0] ../lib/util/become_daemon.c:124(daemon_ready)

 

Thank you

Markus

Jeremy Davis

First up, apologies on my slow response, but I've been having a little time off and was snowed under in the week prior and didn't get time to address your post.

Anyway, I'm not at all sure, but I think that it may be caused by the permissions which the key file has. Your output shows '-rw-------' (600) but it should be '-r--------' (400). So try fixing that and fingers crossed it will work. I.e.:

chmod 400 /var/lib/samba/private/tls/key.pem

If it still doesn't work, perhaps try setting those permissions for all of those files (AFAIK only the key file needs the tighter permissions, but perhaps not?).

Let us know how it goes and if that doesn't fix it, we'll try to dig a bit deeper.

Jeremy Davis

So I've just read that if you remove all those files, Samba should regenerate them itself?! TBH, I've never tried that so I can't be 100% sure, but perhaps that's worth a shot first? Although rather than delete them, personally, I'd be inclined to just rename them and see if it works. I.e.:

find /var/lib/samba/private/tls/ -type f -name "*.pem" -exec mv {} {}.orig \;

Also, I just read somewhere else that 600 permissions should be ok for Samba (I think I may have been thinking of SSH keys).
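The two things the thread keeps coming back to are whether the files in the TLS directory are usable at all (expired cert, key that does not belong to the cert, cert that does not chain to ca.pem, wrong key permissions) and how to swap a new set in without losing the old one. The script below is an added example written for this page, not code from the thread or from the Samba or TurnKey projects. It validates a candidate set of ca.pem/cert.pem/key.pem (the file names from the original post) and then installs it into the live directory, keeping the previous files as *.orig as suggested in the reply above. It assumes openssl is installed, and that the install step is run as root with Samba stopped; the /var/lib/samba/private/tls path is the one from the post.

```shell
#!/bin/sh
# Added example: validate a replacement Samba AD DC TLS set, then install it.
# Assumes openssl is available and the usual file names ca.pem/cert.pem/key.pem.

file_mode() {
    # Print the octal mode of a file; GNU stat first, BSD stat as fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

check_key_perms() {
    # The private key must not be group- or world-readable (600 or 400).
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

check_cert_expiry() {
    # Succeed only if the cert is still valid DAYS days from now (default 0).
    days="${2:-0}"
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

check_key_matches_cert() {
    # The public key embedded in cert.pem must equal the one derived from key.pem.
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

check_chain() {
    # cert.pem must verify against the CA certificate in ca.pem.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

check_tls_dir() {
    # Run every check against DIR and report all failures, not just the first.
    dir="$1"; rc=0
    for f in ca.pem cert.pem key.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    check_key_perms "$dir/key.pem" || rc=1
    check_cert_expiry "$dir/cert.pem" 30 \
        || { echo "cert.pem is expired, invalid, or expires within 30 days" >&2; rc=1; }
    check_key_matches_cert "$dir/cert.pem" "$dir/key.pem" \
        || { echo "cert.pem and key.pem do not match" >&2; rc=1; }
    check_chain "$dir/ca.pem" "$dir/cert.pem" \
        || { echo "cert.pem does not verify against ca.pem" >&2; rc=1; }
    return "$rc"
}

install_tls_dir() {
    # install_tls_dir NEW_DIR LIVE_DIR: refuse to touch LIVE_DIR unless NEW_DIR
    # validates; then keep the old files as *.orig and copy the new ones in.
    new="$1"; live="$2"
    check_tls_dir "$new" || { echo "refusing to install: validation failed" >&2; return 1; }
    for f in ca.pem cert.pem key.pem; do
        [ -f "$live/$f" ] && mv "$live/$f" "$live/$f.orig"
        cp "$new/$f" "$live/$f"
    done
    chmod 600 "$live/key.pem"
    chmod 644 "$live/ca.pem" "$live/cert.pem"
}

# Usage (as root, with the DC stopped), paths are assumptions:
#   install_tls_dir /root/new-tls /var/lib/samba/private/tls && systemctl start samba-ad-dc
```

Running check_tls_dir against the live directory before restarting is the quickest way to tell an expired cert apart from a permissions problem; the NT_STATUS_CANT_ACCESS_DOMAIN_INFO line in the syslog output does not distinguish them, but the individual checks do.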
