Strange behavior with ldapsam.

Andrew Bartlett abartlet at samba.org
Mon Nov 18 09:34:00 GMT 2002


On Mon, 2002-11-18 at 20:15, Ignacio Coupeau wrote:
> Luciano Di Lucrezia wrote:
> > Hello everybody,
> > 
> > after some not-so-successful searching on the mailing list archives, I
> > joined this mailing list to report a strange behavior of Samba's I have
> > found using the LDAP SAM backend, which hopefully may be of some
> > interest to the developers.
> > 
> > I'm using the LDAP backend mainly to have a single source of
> > authentication data for Unix and Windows on a server which may someday
> > grow to a cluster of servers. I've been experimenting with the two
> > versions of Samba available in Debian GNU/Linux (2.2.3 in the "stable"
> > branch and 2.999-3.0alpha in the "unstable" branch) 
> 
> it is better to make the tests with the 2.2.6 stable version...
> 
> > and both work fine
> > even using LDAP over SSL (provided that the client connects to the
> > server using only the hostname specified in the server's certificate,
> > which has cost me more than 3 weeks of headaches), but there seems to be
> > a problem arising when the Samba server and the LDAP server (which in my
> > case is OpenLDAP 2.0.23) are not on the same machine.
> 
> it must work fine on different servers... startTLS always needs to start 
> with the server's FQDN or it fails; you can use an alias but that is a bit OT (it is 
> documented in the OpenLDAP list).
> 
> > The point is that a lot of connections are made to the LDAP server
> > (which may be ok), but some of them are done using the parameters
> > contained in smb.conf (which IS ok), and some others look like they are
> > made using "hardwired" defaults: namely, host localhost and port 389.
> > Actually, if I use a ssh tunnel to forward port 389 locally on the
> > "slave" Samba server, authentication works just fine. Otherwise,
> > smbclient fails and reports a NT_STATUS_LOGON_FAILURE.
> > 
> 
> when you run configure --with-ldapsam, browse the output for "start_tls 
> yes"... if not, the libraries/includes are misplaced.

Just as a note here - in Samba 3.0, configuring --with-ldapsam does not
change the use of ldap.  Instead, we detect it based on headers etc, and
build it as an optional module.  

However, we changed the parameters around a bit - see 'passdb backend'
in smb.conf(5).  I re-added the --with-ldapsam option to configure, and
now it controls a 'backwards compatibility mode', where we should
operate with Samba 2.2 compatible settings.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
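Added example (not from this thread or from Samba itself): a small check that reports where an smb.conf's ldapsam would actually connect, and flags the fallback Luciano describes above (host localhost, port 389, no TLS). It assumes the Samba 3.0 syntax `passdb backend = ldapsam[:LDAP-URL]` and `ldap ssl = start tls`; the sample config is constructed for this example.

```python
"""Report the LDAP target an smb.conf's ldapsam would use and flag the
defaults (localhost:389, no TLS).  Assumes Samba 3.0 syntax:
'passdb backend = ldapsam[:LDAP-URL]' and 'ldap ssl = start tls'."""
from urllib.parse import urlsplit

# Constructed sample: ldapsam with no URL, so the defaults apply.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam
    ldap suffix = dc=example,dc=org
"""


def parse_global(text):
    """Return the [global] section as a dict (keys lower-cased, spaces normalised)."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def ldapsam_target(params):
    """Resolve scheme/host/port/TLS for ldapsam, or None if ldapsam is not used."""
    entry = next((b for b in params.get("passdb backend", "").split()
                  if b.startswith("ldapsam")), None)
    if entry is None:
        return None
    _, _, url = entry.partition(":")          # 'ldapsam:ldap://host' -> the URL part
    scheme, host, port = "ldap", "localhost", 389      # the hardwired defaults
    if url:
        parts = urlsplit(url)
        scheme, host = parts.scheme or scheme, parts.hostname or host
        port = parts.port or (636 if scheme == "ldaps" else 389)
    tls = scheme == "ldaps" or params.get("ldap ssl", "").lower() == "start tls"
    findings = []
    if not url:
        findings.append("no LDAP URL: falls back to localhost:389")
    if not tls:
        findings.append("no TLS: bind credentials cross the network in clear")
    return {"host": host, "port": port, "tls": tls, "findings": findings}


if __name__ == "__main__":
    print(ldapsam_target(parse_global(SAMPLE_SMB_CONF)))
```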