ldap PDC -- Failed to issue the StartTLS instruction
by Ivan Ordonez
Hello,
We've been using an ldap based PDC for quite a while. Now we're
suddenly having trouble getting our main fileserver to talk with the
PDC.
samba-3.2.13 on solaris 10.
Here are our smb.conf global defs:
Server role: ROLE_DOMAIN_MEMBER
[global]
workgroup = CNRDOM
server string = nature (Samba %v)
security = DOMAIN
passdb backend = ldapsam:ldaps://169.229.xxx.yyy
log level = 5
log file = /var/log/samba/log.%m
name resolve order = wins host lmhosts
os level = 65
local master = No
domain master = No
dns proxy = No
wins support = Yes
ldap ssl = start tls
When we start up samba, we see many lines like these in log.smbd:
[2009/08/03 15:40:40, 1] lib/smbldap.c:another_ldap_try(1170)
Connection to LDAP server failed for the 4 try!
and these:
[2009/08/03 15:51:56, 0] lib/smbldap.c:smb_ldap_start_tls(595)
Failed to issue the StartTLS instruction: Can't contact LDAP server
[2009/08/03 15:51:56, 5] lib/smbldap.c:smbldap_search_ext(1199)
smbldap_search_ext: base => [], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-22-1-97)(sambaSIDList=S-1-22-2-97)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-32-546)))], scope => [2]
[2009/08/03 15:51:56, 5] lib/smbldap.c:smbldap_close(1103)
The connection to the LDAP server was closed
But over on the PDC (gentoo linux 2.6.29, samba-3.2.13 , openldap-2.4.27)
we see this in tcpdump:
$ tcpdump -vv -c 4 port ldaps
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:51:29.736629 IP (tos 0x0, ttl 61, id 60609, offset 0, flags [DF], proto TCP (6), length 52) nature.Berkeley.EDU.56299 > xxxyyy.CNR.Berkeley.EDU.ldaps: S, cksum 0x6a18 (correct), 1637042825:1637042825(0) win 49640 <mss 1380,nop,wscale 0,nop,nop,sackOK>
15:51:29.736651 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) xxxyyy.CNR.Berkeley.EDU.ldaps > nature.Berkeley.EDU.56299: R, cksum 0x6c68 (correct), 0:0(0) ack 1637042826 win 0
15:51:30.746803 IP (tos 0x0, ttl 61, id 60610, offset 0, flags [DF], proto TCP (6), length 52) nature.Berkeley.EDU.56302 > xxxyyy.CNR.Berkeley.EDU.ldaps: S, cksum 0xa6d9 (correct), 2235230749:2235230749(0) win 49640 <mss 1380,nop,wscale 0,nop,nop,sackOK>
15:51:30.746827 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) xxxyyy.CNR.Berkeley.EDU.ldaps > nature.Berkeley.EDU.56302: R, cksum 0xa929 (correct), 0:0(0) ack 2235230750 win 0
It appears that there is indeed an ldaps conversation going on. We created a new certificate on the PDC to see if the certificate is the problem, to no avail. Same message, and same problem. We disabled the firewall on the PDC as well and made sure that the LDAP ports are all open. The Solaris 10 machine (ROLE_DOMAIN_MEMBER) and the PDC are on two different subnets.
We're hoping someone will recognize this behavior and reveal our mistake to us.
Or perhaps point out where we should check/debug/RTFM next.
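Two checks a reader can run against the evidence in this post, as an added example (not code from the post or from Samba): a linter that flags an ldaps:// backend URI combined with "ldap ssl = start tls" (StartTLS upgrades a plain ldap:// session, while ldaps:// expects TLS from the first byte), and a tcpdump reader that pairs each SYN with an immediate RST, which is what a port with no listener returns. The smb.conf excerpt and the two capture lines are constructed from the post; the hostnames and ports are the post's own.

```python
import re

# Constructed excerpt mirroring the [global] section quoted in the post above.
SMB_CONF = """[global]
workgroup = CNRDOM
passdb backend = ldapsam:ldaps://169.229.xxx.yyy
ldap ssl = start tls
"""
# Constructed capture lines shaped like the post's tcpdump output: one SYN, one RST back.
TCPDUMP = """15:51:29.736629 IP (tos 0x0, ttl 61, length 52) nature.Berkeley.EDU.56299 > xxxyyy.CNR.Berkeley.EDU.ldaps: S, cksum 0x6a18 (correct), 1637042825:1637042825(0) win 49640
15:51:29.736651 IP (tos 0x0, ttl 64, length 40) xxxyyy.CNR.Berkeley.EDU.ldaps > nature.Berkeley.EDU.56299: R, cksum 0x6c68 (correct), 0:0(0) ack 1637042826 win 0
"""

def parse_global(text):
    """Return the key/value pairs of the [global] section (keys lower-cased)."""
    params, in_global = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line and not line.startswith(("#", ";")):
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params

def check_ldap_tls(params):
    """Flag an ldaps:// backend URI combined with 'ldap ssl = start tls'."""
    scheme = re.search(r"ldapsam:(\w+)://", params.get("passdb backend", ""))
    mode = params.get("ldap ssl", "").lower()
    findings = []
    if scheme and scheme.group(1) == "ldaps" and mode == "start tls":
        findings.append("passdb backend uses ldaps:// (TLS from the first byte, port 636) "
                        "but 'ldap ssl = start tls' requests the StartTLS upgrade, "
                        "which applies to a plain ldap:// connection")
    return findings

def refused_connections(capture):
    """Pair each SYN with an RST coming straight back: that port had no listener."""
    syn_seen, refused = set(), []
    for line in capture.splitlines():
        m = re.search(r"(\S+) > (\S+): ([SR]),", line)
        if not m:
            continue
        src, dst, flag = m.groups()
        if flag == "S":
            syn_seen.add((src, dst))
        elif (dst, src) in syn_seen:
            refused.append((dst, src))  # (client, server): the RST answered the SYN
    return refused

if __name__ == "__main__":
    for finding in check_ldap_tls(parse_global(SMB_CONF)):
        print("smb.conf:", finding)
    for client, server in refused_connections(TCPDUMP):
        print(f"capture: {server} refused the SYN from {client}")
```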
olcDbConfig: value #14 provided more than once
by Matthew Edlefsen
Hello, I'm trying to do multi-master replication and after following
the directions in the User Guide I came across the error:
Aug 3 20:21:38 gabbro slapd[81578]: syncrepl_message_to_entry:
rid=001 mods check (olcDbConfig: value #14 provided more than once)
This is from the logs when it is syncing the cn=config tree. The
especially odd thing about this error is that olcDbConfig is one of
the numbered entries (the ones with {#} prepending each value), not to
mention that the line in question is blank. This isn't the first
time I've encountered this error when trying to do this type of thing
(alas, I never got around to trying to fix it before :) ), so I'm
hoping that means either I'm doing something obviously wrong or
somebody has seen this before.
Both servers are freebsd jails running FreeBSD 7.2 Stable.
Here are some of the relevant configs. These are not the full entries,
just the important bits. They are identical on both servers and they
do sync parts of the config (everything up to the value that fails).
dn: cn=config
olcServerID: 1 ldap://rock.earlham.edu/
olcServerID: 2 ldap://gabbro.earlham.edu/
dn: olcDatabase={0}config,cn=config
olcSyncrepl: {0}rid=001 provider=ldap://rock.earlham.edu/ binddn="<snip>" bindmethod=simple credentials=<snip> searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://gabbro.earlham.edu/ binddn="<snip>" bindmethod=simple credentials=<snip> searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE
olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcDatabase={1}bdb,cn=config
olcDbConfig: {0}# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.3.2.4 2007/12/18 11:53:27 ghenry Exp $
olcDbConfig: {1}# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
olcDbConfig: {2}#
olcDbConfig: {3}# See the Oracle Berkeley DB documentation
olcDbConfig: {4}# <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/env/db_...>
olcDbConfig: {5}# for detail description of DB_CONFIG syntax and semantics.
olcDbConfig: {6}#
olcDbConfig: {7}# Hints can also be found in the OpenLDAP Software FAQ
olcDbConfig: {8}# <http://www.openldap.org/faq/index.cgi?file=2>
olcDbConfig: {9}# in particular:
olcDbConfig: {10}# <http://www.openldap.org/faq/index.cgi?file=1075>
olcDbConfig: {11}
olcDbConfig: {12}# Note: most DB_CONFIG settings will take effect only upon rebuilding
olcDbConfig: {13}# the DB environment.
olcDbConfig: {14}
olcDbConfig: {15}# one 1 GB cache
olcDbConfig: {16}set_cachesize 0 1073741824 1
olcDbConfig: {17}
olcDbConfig: {18}# Data Directory
olcDbConfig: {19}#set_data_dir db
olcDbConfig: {20}
olcDbConfig: {21}# Transaction Log settings
olcDbConfig: {22}set_lg_regionmax 262144
olcDbConfig: {23}set_lg_bsize 104857600
olcDbConfig: {24}set_lk_max_locks 100000
olcDbConfig: {25}#set_lg_dir logs
olcDbConfig: {26}
olcDbConfig: {27}# Note: special DB_CONFIG flags are no longer needed for "quick"
olcDbConfig: {28}# slapadd(8) or slapindex(8) access (see their -q option).
Thanks!
Matt Edlefsen
Earlham College
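A way to see where the index in "value #14 provided more than once" can come from, as an added example (not code from the post or from OpenLDAP): it stores constructed DB_CONFIG lines the way cn=config keeps olcDbConfig (a "{n}" ordering prefix per value), finds the first blank value that repeats an earlier blank one, and builds the blank-free, renumbered value list. It assumes, as the logged index suggests, that the consumer's mods check treats two empty ordered values as the same value; comment lines 1-10 are abbreviated placeholders, but the blank lines sit at the post's positions (11, 14, 17).

```python
import re

# Constructed DB_CONFIG content shaped like the post's olcDbConfig values.
DB_CONFIG_LINES = (
    ["# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases."]
    + [f"# comment line {i} from the post (abbreviated)" for i in range(1, 11)]
    + ["", "# Note: most DB_CONFIG settings will take effect only upon rebuilding",
       "# the DB environment.", "", "# one 1 GB cache", "set_cachesize 0 1073741824 1",
       "", "# Transaction Log settings", "set_lg_regionmax 262144",
       "set_lg_bsize 104857600", "set_lk_max_locks 100000"]
)

ORDERED = re.compile(r"^\{(\d+)\}(.*)$")

def to_ordered_values(lines):
    """Store DB_CONFIG lines the way cn=config keeps olcDbConfig: '{n}' + line."""
    return [f"{{{i}}}{line}" for i, line in enumerate(lines)]

def split_ordered(value):
    """Return (index, payload) of an X-ORDERED value; a blank line yields payload ''."""
    m = ORDERED.match(value)
    if not m:
        raise ValueError(f"not an ordered value: {value!r}")
    return int(m.group(1)), m.group(2)

def first_colliding_blank(values):
    """Index of the first empty payload that repeats an earlier empty one, else None.
    Assumption: the consumer's mods check sees two empty ordered values as one value."""
    seen_blank = False
    for value in values:
        index, payload = split_ordered(value)
        if payload == "":
            if seen_blank:
                return index
            seen_blank = True
    return None

def drop_blank_values(values):
    """Remediation: remove the blank values and renumber the rest contiguously."""
    kept = [split_ordered(v)[1] for v in values if split_ordered(v)[1] != ""]
    return to_ordered_values(kept)

if __name__ == "__main__":
    values = to_ordered_values(DB_CONFIG_LINES)
    print("collision at value #", first_colliding_blank(values))  # 14, as in the log
    print("\n".join("olcDbConfig: " + v for v in drop_blank_values(values)))
```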
slapd + TLS + SAMBA
by Alessandro Baggi
Hi there. I've another problem with TLS slapd and samba.
For each operation with slapd (ldapsearch -x -ZZ, getent, or samba tls
connection) I receive from slapd:
Aug 2 11:31:05 PDC slapd[1709]: connection_read(23): unable to get TLS
client DN, error=49 id=4
What's the problem? My certificate?
Certificate creation is:
/usr/lib/ssl/misc/CA.pl -newca
openssl req -newkey rsa:1024 -nodes -keyout key.pem -out newreq.pem
/usr/lib/ssl/misc/CA.pl -sign
Then another problem is when I start slapd at boot: after slapd
startup, samba, which tries to connect to ldap with tls, cannot connect
to slapd and gives me:
[2009/08/01 17:45:15, 10] lib/ldap_debug_handler.c:samba_ldap_log_print_fn(26)
[LDAP] ldap_parse_extended_result
[2009/08/01 17:45:15, 10] lib/ldap_debug_handler.c:samba_ldap_log_print_fn(26)
[LDAP] ldap_parse_result
[2009/08/01 17:45:15, 10] lib/ldap_debug_handler.c:samba_ldap_log_print_fn(26)
[LDAP] ldap_msgfree
[2009/08/01 17:45:15, 10] lib/ldap_debug_handler.c:samba_ldap_log_print_fn(26)
[LDAP] TLS: can't connect: Error in the push function..
[2009/08/01 17:45:15, 0] lib/smbldap.c:smb_ldap_start_tls(596)
[2009/08/01 17:45:15, 10] lib/ldap_debug_handler.c:samba_ldap_log_print_fn(26)
[LDAP] ldap_err2string
Failed to issue the StartTLS instruction: Connect error
This happens only if I put TLSClientVerify demand in slapd.conf; if I put
TLSClientVerify never, samba connects to it under TLS without problems.
Another issue is that if I run slapd on startup and run samba after
login with /etc/init.d/samba start, it makes the connection successfully
without error. In the same slapd boot script I put an "ldapsearch -x
-ZZ -d -1" and I receive:
TLS: can't connect: Error in the push function.., the same as samba.
Does anyone have ideas? Is the problem in the certificates?
thanks in advance