How to set CA cert file for LDAP backend server in smbpasswd configuration
Posted by hayalci on Server Fault
Published on 2010-03-25T17:12:56Z
I am having a problem with smbpasswd, an LDAP backend server and SSL/TLS certificates. The client machine that I run smbpasswd on is a Debian Etch machine, and the LDAP server is Sun DS running on Solaris. All of the following occurs on the client.
When I disable SSL, by setting "ldap ssl = no" in smb.conf, the smbpasswd program works without errors.
When I set "ldap ssl = start tls", the following messages are printed by smbpasswd, and there is a long timeout before it asks for any password:
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!
..... long delay .....
New SMB password:
Retype new SMB password:
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!
smbpasswd: /tmp/buildd/openldap2-2.1.30/libraries/liblber/io.c:702: ber_get_next: Assertion `0' failed.
Aborted
I conducted some tests with "ldapsearch -ZZ". It was not working at first, but after I added the TLS_CACERT line to /etc/ldap/ldap.conf, /etc/libnss-ldap.conf and /etc/pam_ldap.conf, it started working. So the relevant TLS sections in all those files are:
ssl start_tls
tls_checkpeer no
tls_cacertfile /path/to/ca-root.pem
TLS_CACERT /path/to/ca-root.pem
But the smbpasswd program continued giving the error.
I tried creating the /etc/smbldap-tools/smbldap.conf file with the following content (after consulting the Debian docs for the smbldap-tools package):
verify="optional"
cafile="/path/to/ca-root.pem"
But as far as I can see, smbpasswd comes with the samba-common package and does not use the configuration for the smbldap-tools utilities.
My question is: how can I set which SSL CA certificate is used by the smbpasswd program?
© Server Fault or respective owner
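Added example by the editor, not part of hayalci's question and not a Server Fault answer: a POSIX shell script that checks, from the LDAP client side and without touching the Sun DS server, the two things the question turns on. First, that a libldap-style ldap.conf actually carries the TLS_CACERT keyword from ldap.conf(5) pointing at a readable PEM bundle; the tls_cacertfile line from pam_ldap/nss_ldap and the cafile line from smbldap-tools are different keywords in different files and are not what libldap reads. Second, that the server's certificate chains to that bundle, which is what a StartTLS handshake with TLS_REQCERT demand requires. The root CA, server certificate, unrelated CA and both config files are generated in a temporary directory and are constructed for the example; ldap.example.com and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks, from the LDAP
# client side, that a libldap ldap.conf names a usable TLS_CACERT bundle and
# that a server certificate chains to it. All certificates and config files
# below are constructed in a temp directory for the example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: a throwaway root CA, a server cert issued by it (standing
# in for the Sun DS certificate; the hostname ldap.example.com is assumed),
# and an unrelated CA so the negative case can be shown. Not real credentials.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca-root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.com" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca-root.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
        -keyout "$WORK/other.key" -out "$WORK/other-ca.pem" >/dev/null 2>&1
}

# Write the two config styles side by side. libldap reads ldap.conf(5)
# keywords; pam_ldap/nss_ldap have their own keywords in their own files.
write_configs() {
    # libldap syntax: what ldapsearch -ZZ and other libldap consumers read.
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$WORK/ca-root.pem" > "$WORK/ldap.conf"
    # pam_ldap / nss_ldap syntax: fine for those libraries, invisible to libldap.
    printf 'ssl start_tls\ntls_checkpeer no\ntls_cacertfile %s\n' "$WORK/ca-root.pem" > "$WORK/pam_ldap.conf"
}

# Return 0 if CONF has a TLS_CACERT keyword naming a readable file that holds
# at least one PEM certificate; print the reason and return 1 otherwise.
check_tls_cacert() {
    conf="$1"
    cafile=$(awk '$1 == "TLS_CACERT" { print $2; exit }' "$conf")
    if [ -z "$cafile" ]; then echo "$conf: no TLS_CACERT keyword"; return 1; fi
    if [ ! -r "$cafile" ]; then echo "$conf: TLS_CACERT $cafile is not readable"; return 1; fi
    if ! grep -q 'BEGIN CERTIFICATE' "$cafile"; then echo "$cafile: no PEM certificate"; return 1; fi
    return 0
}

# Return 0 if CERT verifies against the bundle CAFILE, the same chain check a
# StartTLS client performs with TLS_REQCERT demand; non-zero otherwise.
verify_against_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all four expectations; 0 only if each holds.
run_checks() {
    make_test_pki
    write_configs
    check_tls_cacert "$WORK/ldap.conf" || return 1
    if check_tls_cacert "$WORK/pam_ldap.conf"; then return 1; fi
    verify_against_bundle "$WORK/ca-root.pem" "$WORK/server.pem" || return 1
    if verify_against_bundle "$WORK/other-ca.pem" "$WORK/server.pem"; then return 1; fi
    return 0
}

run_checks && echo "TLS_CACERT bundle and server certificate check out"
```

To apply this to a real client, point check_tls_cacert at /etc/ldap/ldap.conf and verify_against_bundle at the CA bundle plus a copy of the server certificate. If both pass and ldapsearch -ZZ works but smbpasswd still reports a StartTLS connect error, the two programs are not reading the same TLS configuration: running smbpasswd under strace -f -e trace=open,openat shows which ldap.conf, ~/.ldaprc or LDAPRC file it opens, and ldd on both binaries shows whether they link the same libldap (the assertion in the question names liblber from openldap2-2.1.30, which identifies the library build smbpasswd is using).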