samba4: ldapsearch SSL/TLS problems

Marcel Ritter Marcel.Ritter at rrze.uni-erlangen.de
Tue Jun 8 14:32:23 MDT 2010


On 06/08/2010 10:16 PM, Matthieu Patou wrote:
> Hi Marcel,
Hi Matthieu,
>
> Is your pb related to bug 7218
> (https://bugzilla.samba.org/show_bug.cgi?id=7218) ?
>
> I have the impression that it is.
That's quite possible - description sounds somewhat familiar.
>
> Matthieu.
Bye,
   Marcel
>
> On 08/06/2010 23:54, Marcel Ritter wrote:
>> Hi,
>>
>> quite some time ago, I reported problems with SSL/TLS connections
>> in samba4 - with very few replies on the list. Now I decided to give it
>> one more try, and see if things have improved in the meantime.
>>
>> Unfortunately they haven't: SSL/TLS is still broken (at least on my
>> system: samba4 latest git, gnutls 2.4.1, ldapsearch/openldap 2.4.12,
>> openSUSE 11.1).
>>
>> Simple (unencrypted) ldapsearch works:
>>     ldapsearch -x -D TEST\\Administrator -w pw -b dc=test,dc=org -H ldap://192.168.1.6
>>
>> Simple (encrypted, TLS/SSL) ldapsearch doesn't:
>>      ldapsearch -x -D TEST\\Administrator -w pw -b dc=test,dc=org -H ldap://192.168.1.6 -Z
>>
>>      <  returns quite some entries (not all), but ends with:>
>>      ldap_result: Can't contact LDAP server (-1)
>>
>> To find out where ldapsearch failed, I tried to redirect output to a
>> file (adding "> logfile") to the above lines. Odd thing is: when
>> redirected to a file I get the whole output - no error.
>> (adding "| tee logfile" to the command line also makes things work ...).
>>
>> The only reason for this I can currently think of is some kind of timing
>> problem (taking longer to write output to terminal and scroll it, than to
>> write it to a file?).
>>
>> Random connection errors also occur on large, encrypted ldap searches
>> when using Apache Directory Studio.
>>
>> Running samba in debug mode (samba -i -M single -d 9) reports
>> an error every time the SSL connection fails:
>>
>> "TLS gnutls_bye failed - Error in the push function."
>>
>> Hope someone can confirm this, and maybe provide a fix for it.
>>
>> Bye,
>>     Marcel
>>    
>
>


