Hello,
We've been using an ldap based PDC for quite a while. Now we're suddenly having trouble getting our main fileserver to talk with the PDC.
samba-3.2.13 on solaris 10.
Here is our smb.conf global defs:
Server role: ROLE_DOMAIN_MEMBER
[global]
        workgroup = CNRDOM
        server string = nature (Samba %v)
        security = DOMAIN
        passdb backend = ldapsam:ldaps://169.229.xxx.yyy
        log level = 5
        log file = /var/log/samba/log.%m
        name resolve order = wins host lmhosts
        os level = 65
        local master = No
        domain master = No
        dns proxy = No
        wins support = Yes
        ldap ssl = start tls
When we start up samba, we see many lines like these in log.smbd:
[2009/08/03 15:40:40, 1] lib/smbldap.c:another_ldap_try(1170)
  Connection to LDAP server failed for the 4 try!
and these:
[2009/08/03 15:51:56, 0] lib/smbldap.c:smb_ldap_start_tls(595)
  Failed to issue the StartTLS instruction: Can't contact LDAP server
[2009/08/03 15:51:56, 5] lib/smbldap.c:smbldap_search_ext(1199)
  smbldap_search_ext: base => [], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-22-1-97)(sambaSIDList=S-1-22-2-97)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-32-546)))], scope => [2]
[2009/08/03 15:51:56, 5] lib/smbldap.c:smbldap_close(1103)
  The connection to the LDAP server was closed
But over on the PDC (gentoo linux 2.6.29, samba-3.2.13 , openldap-2.4.27) we see this in tcpdump: $ tcpdump -vv -c 4 port ldaps
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:51:29.736629 IP (tos 0x0, ttl 61, id 60609, offset 0, flags [DF], proto TCP (6), length 52) nature.Berkeley.EDU.56299 > xxxyyy.CNR.Berkeley.EDU.ldaps: S, cksum 0x6a18 (correct), 1637042825:1637042825(0) win 49640 <mss 1380,nop,wscale 0,nop,nop,sackOK>
15:51:29.736651 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) xxxyyy.CNR.Berkeley.EDU.ldaps > nature.Berkeley.EDU.56299: R, cksum 0x6c68 (correct), 0:0(0) ack 1637042826 win 0
15:51:30.746803 IP (tos 0x0, ttl 61, id 60610, offset 0, flags [DF], proto TCP (6), length 52) nature.Berkeley.EDU.56302 > xxxyyy.CNR.Berkeley.EDU.ldaps: S, cksum 0xa6d9 (correct), 2235230749:2235230749(0) win 49640 <mss 1380,nop,wscale 0,nop,nop,sackOK>
15:51:30.746827 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) xxxyyy.CNR.Berkeley.EDU.ldaps > nature.Berkeley.EDU.56302: R, cksum 0xa929 (correct), 0:0(0) ack 2235230750 win 0
It appears that there is indeed an ldaps conversation going on. We created a new certificate on the PDC to see if the certificate is the problem, to no avail. Same message, and same problem. We disabled the firewall on the PDC as well and made sure that the LDAP ports are all open. The Solaris 10 machine (ROLE_DOMAIN_MEMBER) and the PDC are on two different subnets.
We're hoping someone will recognize this behavior and reveal our mistake to us. Or perhaps point out where we should check/debug/RTFM next.
--On August 4, 2009 3:51:18 PM -0700 Ivan Ordonez iordonez@nature.berkeley.edu wrote:
> Hello,
> We've been using an ldap based PDC for quite a while. Now we're suddenly having trouble getting our main fileserver to talk with the PDC.
> samba-3.2.13 on solaris 10.
> Here is our smb.conf global defs:
> Server role: ROLE_DOMAIN_MEMBER
> [global]
>         workgroup = CNRDOM
>         server string = nature (Samba %v)
>         security = DOMAIN
>         passdb backend = ldapsam:ldaps://169.229.xxx.yyy
>         log level = 5
>         log file = /var/log/samba/log.%m
>         name resolve order = wins host lmhosts
>         os level = 65
>         local master = No
>         domain master = No
>         dns proxy = No
>         wins support = Yes
>         ldap ssl = start tls
ldaps:// and startTLS are mutually exclusive. Pick one and only one.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:
> --On August 4, 2009 3:51:18 PM -0700 Ivan Ordonez iordonez@nature.berkeley.edu wrote:
> > Hello,
> > We've been using an ldap based PDC for quite a while. Now we're suddenly having trouble getting our main fileserver to talk with the PDC.
> > samba-3.2.13 on solaris 10.
> > Here is our smb.conf global defs:
> > Server role: ROLE_DOMAIN_MEMBER
> > [global]
> >         workgroup = CNRDOM
> >         server string = nature (Samba %v)
> >         security = DOMAIN
> >         passdb backend = ldapsam:ldaps://169.229.xxx.yyy
> >         log level = 5
> >         log file = /var/log/samba/log.%m
> >         name resolve order = wins host lmhosts
> >         os level = 65
> >         local master = No
> >         domain master = No
> >         dns proxy = No
> >         wins support = Yes
> >         ldap ssl = start tls
> ldaps:// and startTLS are mutually exclusive. Pick one and only one.
We tried removing the "s" on ldaps:// and still no go.
> --Quanah
> --
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> Zimbra :: the leader in open source messaging and collaboration
--On August 4, 2009 4:08:14 PM -0700 Ivan Ordonez iordonez@nature.berkeley.edu wrote:
> > ldaps:// and startTLS are mutually exclusive. Pick one and only one.
> We tried removing the "s" on ldaps:// and still no go.
I probably would have tried just ldaps:// first and removed trying to do startTLS and seeing if that works.
But if neither works, I'd advise spending some time with ldapsearch and either ldaps:// uris or ldap:// uris with -ZZZ until you can see why your ldap server doesn't like it.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
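The advice in this thread boils down to two checks: the smb.conf must select exactly one of LDAP-over-TLS (an ldaps:// URI) or StartTLS on a plain ldap:// URI, and the chosen transport should be verified with ldapsearch before blaming Samba. The script below is an added example, not code from the thread, from Samba or from OpenLDAP: it parses the [global] section, flags the conflicting combination, emits the two consistent alternatives, builds the matching ldapsearch command line (`-ZZ` to require StartTLS on ldap://), and classifies a TCP connect probe the way one reads the tcpdump above (an immediate RST to the SYN is "refused", a silent drop is "filtered"). The host name `ldap.example.invalid`, the sample config text and the helper names are constructed for the example.

```python
"""Lint Samba's LDAP transport settings and probe the LDAP port (added example)."""
import re
import shlex
import socket
from urllib.parse import urlsplit

# Constructed sample: the relevant lines of the poster's config, with a
# placeholder host in place of the real address.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = CNRDOM
        security = DOMAIN
        passdb backend = ldapsam:ldaps://ldap.example.invalid
        ldap ssl = start tls
"""


def parse_global(conf_text):
    """Return {key: value} for the [global] section; keys are lowercased."""
    params, in_global = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def ldap_uri(params):
    """URI from 'passdb backend = ldapsam:<uri>', or None if not an ldapsam backend."""
    m = re.search(r"\bldapsam:(\S+)", params.get("passdb backend", ""))
    return m.group(1) if m else None


def check_tls_config(params):
    """Return (problem, alternatives); problem is None when the settings are consistent.

    alternatives holds (passdb backend, ldap ssl) pairs that each use exactly one
    of ldaps:// (TLS from the first byte, port 636) or StartTLS on plain ldap://.
    """
    uri = ldap_uri(params)
    if uri is None:
        return None, []
    # "start tls" is Samba's documented default for "ldap ssl", so leaving the
    # setting out still conflicts with an ldaps:// URI.
    ssl_mode = params.get("ldap ssl", "start tls").lower()
    parts = urlsplit(uri)
    if parts.scheme.lower() == "ldaps" and ssl_mode == "start tls":
        host = parts.netloc
        return ("ldaps:// URI combined with 'ldap ssl = start tls'; use one or the other",
                [("ldapsam:ldaps://" + host, "off"),
                 ("ldapsam:ldap://" + host, "start tls")])
    return None, []


def ldapsearch_probe_command(uri):
    """argv for an anonymous simple-bind RootDSE read over the given URI.

    On a plain ldap:// URI, -ZZ makes ldapsearch fail unless StartTLS succeeds,
    which is exactly what Samba's "ldap ssl = start tls" depends on.
    """
    cmd = ["ldapsearch", "-H", uri, "-x", "-b", "", "-s", "base"]
    if urlsplit(uri).scheme.lower() == "ldap":
        cmd.insert(1, "-ZZ")
    return cmd


def classify_tcp(host, port, timeout=3.0):
    """Connect-probe host:port.

    'refused': the peer answered the SYN with a RST, as in the tcpdump above,
    so the host itself is not accepting on that port (no listener, or a REJECT
    rule).  'filtered': the SYN was silently dropped somewhere on the path.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


def free_local_port():
    """Pick a currently unused loopback port (used to demonstrate 'refused')."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    params = parse_global(SAMPLE_SMB_CONF)
    problem, alternatives = check_tls_config(params)
    print("problem:", problem)
    for backend, ssl in alternatives:
        print("  passdb backend = %s\n  ldap ssl = %s" % (backend, ssl))
        print("  test with:", shlex.join(ldapsearch_probe_command(backend.split(":", 1)[1])))
    print("loopback probe on a closed port:", classify_tcp("127.0.0.1", free_local_port()))
```

Run it as a script to see the two candidate configurations and the ldapsearch invocation for each; run the printed ldapsearch command from the member server against the PDC, with `-d 1` added if the TLS handshake itself needs to be inspected, and only move on to Samba once that succeeds. `classify_tcp` against the PDC's port 636 and 389 distinguishes a missing listener from a dropped packet, which is the first thing to settle when the server shows a RST in tcpdump.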
openldap-technical@openldap.org