[Samba] Issues with classicupgrade LDAP

Rowland Penny rowlandpenny at googlemail.com
Thu Jun 12 01:52:01 MDT 2014


On 12/06/14 02:50, Benjamin Arntzen wrote:
> Using this as the options:
>
> passdb backend = ldapsam:ldaps://204.174.42.81
> ldap ssl = start tls
>
> results in this:
> Attempting to find a passdb backend to match 
> ldapsam:ldaps://204.174.42.81 (ldapsam)
> Found pdb backend ldapsam
> smbldap_search_domain_info: Searching 
> for:[(&(objectClass=sambaDomain)(sambaDomainName=DIGIPEN.EDU))]
> Failed to issue the StartTLS instruction: Operations error
> Connection to LDAP server failed for the 1 try!
>
>
> On 06/11/2014 06:29 PM, Andrew Bartlett wrote:
>> On Wed, 2014-06-11 at 16:52 -0700, Benjamin Arntzen wrote:
>>> Hi there,
>>>
>>> I'm attempting a classicupgrade from Samba3 to Samba4 with an LDAP
>>> backend and encountering this error:
>>> dpadmin at samba4-dev0:~$ samba-tool domain classicupgrade
>>> --dbdir=/var/lib/samba --use-xattrs=yes --realm=ad.digipen.edu
>>> /home/dpadmin/smb.conf 2>&1 | tee SambaMigration10.log
>>>
>>> <snip>
>>> init_sam_from_ldap: Entry found for user: steven.redacted
>>> init_sam_from_ldap: Entry found for user: lauro.redacted
>>> init_sam_from_ldap: Entry found for user: michael.redacted
>>> init_sam_from_ldap: Entry found for user: s.redacted
>>> Next rid = 132072
>>> Failed to bind - LDAP error 13 LDAP_CONFIDENTIALITY_REQUIRED - <TLS
>>> confidentiality required> <>
>>> Failed to connect to 'ldap://204.174.42.81' with backend 'ldap': (null)
>>> ERROR(<type 'exceptions.NameError'>): uncaught exception - global name
>>> 'ProvisiongError' is not defined
>>>     File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>>> line 175, in _run
>>>       return self.run(*args, **kwargs)
>>>     File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", 
>>> line
>>> 1318, in run
>>>       useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>>     File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 801,
>>> in upgrade_from_samba3
>>>       raise ProvisiongError("Could not open ldb connection to %s, the
>>> error message is: %s" % (url, e))
>>>
>>> I have this in my config files:
>>> # Password Database
>>> #---------------------
>>> # passdb backend = ldapsam:ldap://localhost
>>> # passdb backend = ldapsam:ldap://ldap.digipen.edu
>>> ldap://ldap-primary.digipen.edu
>>> passdb backend = ldapsam:ldap://204.174.42.81
>>> ldap admin dn = uid=redacted,ou=system,dc=digipen,dc=edu
>>> ldap ssl = start tls
>>> ldap passwd sync = yes
>>> ldap delete dn = no
>>> ldap suffix = dc=digipen,dc=edu
>>> ldap user suffix = ou=people
>>> ldap group suffix = ou=groups
>>> ldap machine suffix = ou=computers
>>> ldapsam:trusted = yes
>>>
>>> The rest of the migration (including a lot of init_sam_from_ldap) works
>>> fine, and back on 4.0-beta it did *not* produce this issue.
>>> Unfortunately I can't go back to that version.
>>>
>>> Help wanted :(
>> The issue is that the second connection to LDAP we make from the python
>> code does not know how to use the "ldap ssl = start tls" parameter.  Can
>> you use ldaps://?
>>
>> Andrew Bartlett
>>
>
Hi, if you read the smb.conf manpage, you will find this, under ldap ssl 
(G):

LDAP connections should be secured where possible. This may be done
setting either this parameter to Start_tls or by specifying
ldaps:// in the URL argument of passdb backend.

So, by my reading, you can use either of the settings but not both; try 
changing 'ldap ssl = start tls' to 'ldap ssl = off'.

Rowland
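A small pre-flight check for the combination discussed in this thread, added here as an example (not Samba's own code and not from either poster). It parses the [global] section of an smb.conf fragment, reads `passdb backend` and `ldap ssl`, and flags the cases the thread raises: ldaps:// plus StartTLS (the conflict Rowland points at), plain ldap:// with TLS off, and ldap:// with StartTLS, which per Andrew the second Python connection in classicupgrade does not honour. The hostname and suffix in the sample are constructed.

```python
import re
from typing import Dict, List

# Constructed smb.conf fragment modelled on the one quoted in the thread
# (the combination Benjamin tried: ldaps:// URL plus ldap ssl = start tls).
SAMPLE_SMB_CONF = """
[global]
# passdb backend = ldapsam:ldap://localhost
passdb backend = ldapsam:ldaps://ldap.example.invalid
ldap ssl = start tls
ldap suffix = dc=example,dc=invalid
"""


def parse_global(conf: str) -> Dict[str, str]:
    """Return [global] key/value pairs with lower-cased keys; comments skipped."""
    params: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section not in (None, "global") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().lower()] = value.strip()
    return params


def check_ldap_transport(conf: str) -> List[str]:
    """Flag the ldapsam transport combinations discussed in the thread."""
    p = parse_global(conf)
    backend = p.get("passdb backend", "")
    # smb.conf accepts "start tls" and "Start_tls"; normalise both forms.
    ssl_mode = p.get("ldap ssl", "off").lower().replace("_", " ")
    findings: List[str] = []
    m = re.match(r"ldapsam:(ldaps?)://", backend)
    if not m:
        return findings  # not an ldapsam backend, nothing to check
    scheme = m.group(1)
    if scheme == "ldaps" and ssl_mode == "start tls":
        findings.append("conflict: ldaps:// URL and 'ldap ssl = start tls' both set; "
                        "StartTLS on an already-TLS port fails (use one or the other)")
    if scheme == "ldap" and ssl_mode == "off":
        findings.append("insecure: plain ldap:// with 'ldap ssl = off'")
    if scheme == "ldap" and ssl_mode == "start tls":
        findings.append("note: classicupgrade's second (Python) LDAP connection does not "
                        "honour 'ldap ssl = start tls'; an ldaps:// URL is the portable choice")
    return findings
```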
