[Samba] Issues with classicupgrade LDAP

Benjamin Arntzen barntzen at digipen.edu
Thu Jun 12 13:35:56 MDT 2014


That appears to be the fix, thank you!

Unfortunately it's not all good news, though. Where previously it would 
crash and die, it now does this:

init_sam_from_ldap: Entry found for user: tiamo.redacted
init_sam_from_ldap: Entry found for user: erica.redacted
init_sam_from_ldap: Entry found for user: m.redacted
init_sam_from_ldap: Entry found for user: ella.redacted
Next rid = 132072
dpadmin at samba4-dev0:~$

It just drops me back to a prompt without completing the rest of 
classicupgrade.

~ Benjamin

On 06/12/2014 12:52 AM, Rowland Penny wrote:
> On 12/06/14 02:50, Benjamin Arntzen wrote:
>> Using this as the options:
>>
>> passdb backend = ldapsam:ldaps://204.174.42.81
>> ldap ssl = start tls
>>
>> results in this:
>> Attempting to find a passdb backend to match 
>> ldapsam:ldaps://204.174.42.81 (ldapsam)
>> Found pdb backend ldapsam
>> smbldap_search_domain_info: Searching 
>> for:[(&(objectClass=sambaDomain)(sambaDomainName=DIGIPEN.EDU))]
>> Failed to issue the StartTLS instruction: Operations error
>> Connection to LDAP server failed for the 1 try!
>>
>>
>> On 06/11/2014 06:29 PM, Andrew Bartlett wrote:
>>> On Wed, 2014-06-11 at 16:52 -0700, Benjamin Arntzen wrote:
>>>> Hi there,
>>>>
>>>> I'm attempting a classicupgrade from Samba3 to Samba4 with an LDAP
>>>> backend and encountering this error:
>>>> dpadmin at samba4-dev0:~$ samba-tool domain classicupgrade
>>>> --dbdir=/var/lib/samba --use-xattrs=yes --realm=ad.digipen.edu
>>>> /home/dpadmin/smb.conf 2>&1 | tee SambaMigration10.log
>>>>
>>>> <snip>
>>>> init_sam_from_ldap: Entry found for user: steven.redacted
>>>> init_sam_from_ldap: Entry found for user: lauro.redacted
>>>> init_sam_from_ldap: Entry found for user: michael.redacted
>>>> init_sam_from_ldap: Entry found for user: s.redacted
>>>> Next rid = 132072
>>>> Failed to bind - LDAP error 13 LDAP_CONFIDENTIALITY_REQUIRED - <TLS
>>>> confidentiality required> <>
>>>> Failed to connect to 'ldap://204.174.42.81' with backend 'ldap': 
>>>> (null)
>>>> ERROR(<type 'exceptions.NameError'>): uncaught exception - global name
>>>> 'ProvisiongError' is not defined
>>>>     File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>>>> line 175, in _run
>>>>       return self.run(*args, **kwargs)
>>>>     File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", 
>>>> line
>>>> 1318, in run
>>>>       useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>>>     File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 
>>>> 801,
>>>> in upgrade_from_samba3
>>>>       raise ProvisiongError("Could not open ldb connection to %s, the
>>>> error message is: %s" % (url, e))
>>>>
>>>> I have this in my config files:
>>>> # Password Database
>>>> #---------------------
>>>> # passdb backend = ldapsam:ldap://localhost
>>>> # passdb backend = ldapsam:ldap://ldap.digipen.edu
>>>> ldap://ldap-primary.digipen.edu
>>>> passdb backend = ldapsam:ldap://204.174.42.81
>>>> ldap admin dn = uid=redacted,ou=system,dc=digipen,dc=edu
>>>> ldap ssl = start tls
>>>> ldap passwd sync = yes
>>>> ldap delete dn = no
>>>> ldap suffix = dc=digipen,dc=edu
>>>> ldap user suffix = ou=people
>>>> ldap group suffix = ou=groups
>>>> ldap machine suffix = ou=computers
>>>> ldapsam:trusted = yes
>>>>
>>>> The rest of the migration (including a lot of init_sam_from_ldap) 
>>>> works
>>>> fine, and back on 4.0-beta it did *not* produce this issue.
>>>> Unfortunately I can't go back to that version.
>>>>
>>>> Help wanted :(
>>> The issue is that the second connection to LDAP we make from the python
>>> code does not know how to use the "ldap ssl = start tls" parameter.
>>> Can you use ldaps://?
>>>
>>> Andrew Bartlett
>>>
>>
> Hi, if you read the smb.conf manpage, you will find this, under ldap 
> ssl (G):
>
> LDAP connections should be secured where possible. This may be done
> setting either this parameter to Start_tls or by specifying
> ldaps:// in the URL argument of passdb backend.
>
> So, by my reading, you can use either of the settings but not both, 
> try changing 'ldap ssl = start tls' to 'ldap ssl = off'
>
> Rowland
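
A small lint, added here as an example and not code from the thread or from Samba, that classifies the combination Rowland points at: the URL scheme in `passdb backend` against the `ldap ssl` value. The host names and smb.conf fragments are constructed; the fallback value for `ldap ssl` is the default documented in smb.conf(5).

```python
import re

DEFAULT_LDAP_SSL = "start tls"  # smb.conf(5): the documented default for "ldap ssl"

def parse_smb_conf(text: str) -> dict:
    """Collect [global] parameters as lowercase keys; skip comments, blanks
    and lines without '=' (e.g. a comment wrapped by a mail client)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            if line.lower() != "[global]":
                break  # share sections follow; nothing more to read
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params

def ldap_transport(params: dict) -> tuple:
    """Return (verdict, explanation) for how the passdb LDAP link is protected."""
    backend = params.get("passdb backend", "")
    m = re.match(r"ldapsam:(ldaps?)://", backend, re.IGNORECASE)
    if not m:
        return "n/a", "passdb backend is not ldapsam with an LDAP URL"
    scheme = m.group(1).lower()
    ssl = params.get("ldap ssl", DEFAULT_LDAP_SSL).lower().replace("_", " ")
    if scheme == "ldaps" and ssl == "start tls":
        return "conflict", ("ldaps:// is already TLS; StartTLS on top of it fails "
                            "(set 'ldap ssl = off' or use a plain ldap:// URL)")
    if scheme == "ldaps":
        return "ok", "TLS from the first byte via ldaps://"
    if ssl == "start tls":
        return "ok-starttls", ("ldap:// upgraded with StartTLS; tools that open their "
                               "own LDAP connection may not honour this parameter")
    return "cleartext", "ldap:// with 'ldap ssl = off': the admin bind is unencrypted"

# Constructed smb.conf fragments mirroring the thread's variants (placeholder hosts).
ORIGINAL = """\
# passdb backend = ldapsam:ldap://old-ldap.example.test
passdb backend = ldapsam:ldap://ldap.example.test
ldap ssl = start tls
"""
LDAPS_PLUS_STARTTLS = ORIGINAL.replace("ldapsam:ldap://", "ldapsam:ldaps://")
FIXED = LDAPS_PLUS_STARTTLS.replace("ldap ssl = start tls", "ldap ssl = off")
for name, conf in (("original", ORIGINAL), ("ldaps+starttls", LDAPS_PLUS_STARTTLS), ("fixed", FIXED)):
    print(f"{name:15} -> {ldap_transport(parse_smb_conf(conf))}")
```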
