Bug#411042: [Pkg-samba-maint] Bug#411042: samba -dosen't connect to
OpenLDAP
Mgr. Peter Tuharsky
tuharsky at misbb.sk
Mon Feb 19 14:58:17 CET 2007
Steve Langasek wrote:
> On Mon, Feb 19, 2007 at 07:31:25AM +0100, Mgr. Peter Tuharsky wrote:
>> Steve Langasek wrote:
>>> On Thu, Feb 15, 2007 at 01:36:51PM +0100, Mgr. Peter Tuharsky wrote:
>>>> We've had a working Samba/LDAP domain based on Sarge. Now we're trying
>>>> to move to Etch. We recycled old configs, or modified the new ones to be
>>>> equal.
>
>>>> Now, when I start Samba, it seems it cannot connect the LDAP server.
>>>> I've got these errors in log:
>
>>>> lib/smbldap.c:smb_ldap_start_tls(612)
>>>> Failed to issue the StartTLS instruction: Connect error
>>>> lib/smbldap.c:another_ldap_try(1150)
>>>> Connection to LDAP server failed for the 1 try!
>
>>>> Soon, the smbd exits.
>
>>> Could you please post your smb.conf?
>
>> Of course. Here You are.
>
> Ok, nothing seems out of the ordinary here, that's too bad -- no easy answer
> here.
The odd thing ("no easy answers TM") is that, despite the errors in the
log, the Samba domain WORKS for a little while. Machines and users log
on as if nothing happened. Users get authenticated, network shares are
connected. After several tens of seconds (a minute or so) smbd dies and
the domain dies with it.
The second odd thing is that LDAP itself works well too. We can
authenticate against the LDAP server from SMTP, IMAP and eGroupWare, and
for local machine users' logon using PAM-LDAP. Just when we run Samba on
the server to allow Windows domain logons, Samba acts as described above.
>
>> passdb backend = ldapsam:"ldap://vedko6.misbb.sk:389"
>
> Are the quotes necessary here? I'm not sure that removing them would make
> any difference.
>
We'll try to remove the quotes; however, it works well with them in Sarge.
>> # 070215: Originally it was:
>> # ldap ssl = start_tls
>> # But reportedly Samba 3.x does not support LDAP over SSL, only ldap_start_tls
>> # so it should reportedly be written without the underscore, start tls:
>> # and some even state ldap ssl = off
>
>> ldap ssl = start tls
>
> Well, that seems it really ought to be sufficient, yes.
>
> How do you have libldap configured to verify the SSL certificates? If you
> try to connect to the server with ldapsearch, do you get the same error?
>
Please specify what kind of info you need here. I don't understand
that.
Tomorrow, we will try to remove the TLS, since the LDAP and Samba domain
are running on the same machine. As TLS encrypts just the communication
between them (hopefully, AFAIK???), it seems it is not needed there
(???). This is just a workaround, however, and not everybody can afford it.
Sincerely
Peter
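
The information Steve asks for above, as an added example that is not part of the original thread: a shell check of the libldap client configuration that decides whether StartTLS can verify the server certificate. The function names and the sample file are hypothetical, and `/etc/ldap/ldap.conf` is assumed to be the client configuration path on Debian.

```shell
#!/bin/sh
# Added example (not from the thread): how is libldap told to verify the
# LDAP server certificate when Samba issues StartTLS?

# Print the last value set for KEY in an ldap.conf-style file.
# Keywords are case-insensitive; lines starting with '#' are comments.
ldap_conf_get() {
    awk -v key="$2" 'toupper($1) == toupper(key) { v = $2 } END { print v }' "$1"
}

# Classify the certificate-verification settings in one ldap.conf file.
audit_ldap_tls() {
    conf=$1
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT)
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cadir=$(ldap_conf_get "$conf" TLS_CACERTDIR)
    [ -n "$reqcert" ] || reqcert=demand   # libldap client default
    case "$reqcert" in
        never|allow)
            echo "WEAK: TLS_REQCERT=$reqcert, a bad server certificate is accepted" ;;
        *)
            if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
                echo "BROKEN: TLS_CACERT=$cacert is missing or unreadable"
            elif [ -z "$cacert" ] && [ -z "$cadir" ]; then
                echo "CHECK: TLS_REQCERT=$reqcert but no CA is configured in this file"
            else
                echo "OK: TLS_REQCERT=$reqcert, CA=${cacert:-$cadir}"
            fi ;;
    esac
}

# Constructed sample: a client config that demands a valid certificate but
# points at a CA file that does not exist (placeholder path).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example of /etc/ldap/ldap.conf
URI         ldap://vedko6.misbb.sk:389
TLS_REQCERT demand
TLS_CACERT  /nonexistent/example-ca.pem
EOF
audit_ldap_tls "$sample"
rm -f "$sample"

# Against the real file, then the same StartTLS step outside Samba
# (-ZZ makes a StartTLS failure fatal, -d 1 prints the TLS handshake trace):
#   audit_ldap_tls /etc/ldap/ldap.conf
#   ldapsearch -x -ZZ -d 1 -H ldap://vedko6.misbb.sk:389 -b "" -s base
```

If the `ldapsearch -ZZ` run fails the same way as smbd, the problem is in the libldap trust configuration rather than in Samba; a per-user `~/.ldaprc` or `LDAPTLS_*` environment variables can override the system file.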