[Samba] Re: Samba-LDAP TLS problems with unofficial Debian OpenLDAP 2.2 packages
Torsten Landschoff
torsten at debian.org
Wed Mar 23 12:05:54 GMT 2005
Hi Paul,

On Wed, Mar 23, 2005 at 11:30:35AM +0100, Paul Coray wrote:
> Three days ago I switched our domain from an NT 4 domain controller to
> Samba-OpenLDAP, controlled by a Debian Sarge system. I installed the
> following unofficial Debian OpenLDAP 2.2 packages (I know these are not
> supported, but TLS with OpenSSL is essential to us...):
>
> Package: slapd
> Version: 2.2.20-1.hrz.1
>
> Package: libldap2.2
> Version: 2.2.20-1.hrz.1
>
> Package: ldap-utils
> Version: 2.2.20-1.hrz.1
Where are those available? I did not know about that fork and perhaps I
can share some work with the maintainer.
> As soon as the LDAP-replication is active, my Windows users are
> experiencing problems logging on to the domain, often they only manage
> to log in with locally cached credentials/profiles. I suspect there are
> problems with TLS, as I see a lot of messages like this in the Samba
> machine logs:
>
>
> [2005/03/23 08:18:44, 0] lib/fault.c:fault_report(36)
> ===============================================================
> [2005/03/23 08:18:44, 0] lib/fault.c:fault_report(37)
> INTERNAL ERROR: Signal 6 in pid 15289 (3.0.10-Debian)
> Please read the appendix Bugs of the Samba HOWTO collection
> [2005/03/23 08:18:44, 0] lib/fault.c:fault_report(39)
> ===============================================================
> [2005/03/23 08:18:44, 0] lib/util.c:smb_panic2(1482)
> PANIC: internal error
> [2005/03/23 08:18:44, 0] lib/util.c:smb_panic2(1490)
> BACKTRACE: 34 stack frames:
> #0 /usr/sbin/smbd(smb_panic2+0x111) [0x81e05e1]
> #1 /usr/sbin/smbd(smb_panic+0x1a) [0x81e04ca]
> #2 /usr/sbin/smbd [0x81cc8e8]
> #3 [0xffffe420]
> #4 /lib/tls/libc.so.6(abort+0x1d2) [0x401b5f12]
> #5 /lib/tls/libc.so.6(__assert_fail+0x10f) [0x401ae26f]
> #6 /usr/lib/libldap.so.2 [0x4002b12d]
> #7 /usr/lib/libldap.so.2(ldap_int_open_connection+0x11e) [0x400257ee]
> #8 /usr/lib/libldap.so.2(ldap_new_connection+0x89) [0x400374c9]
> #9 /usr/lib/libldap.so.2(ldap_open_defconn+0x41) [0x400252a1]
> #10 /usr/lib/libldap.so.2(ldap_send_initial_request+0x8f) [0x4003703f]
> #11 /usr/lib/libldap.so.2(ldap_sasl_bind+0x177) [0x4002d387]
> #12 /usr/lib/libldap.so.2(ldap_simple_bind+0x80) [0x4002dd80]
> #13 /lib/libnss_ldap.so.2 [0x409ad423]
> #14 /lib/libnss_ldap.so.2 [0x409acefc]
> #15 /lib/libnss_ldap.so.2 [0x409ae24a]
> #16 /lib/libnss_ldap.so.2 [0x409ae81b]
> #17 /lib/libnss_ldap.so.2(_nss_ldap_getpwnam_r+0x69) [0x409af9e9]
> #18 /lib/tls/libc.so.6(getpwnam_r+0xfc) [0x4023475c]
> #19 /lib/tls/libc.so.6(getpwnam+0x91) [0x40234081]
> #20 /usr/sbin/smbd(getpwnam_alloc+0x11) [0x81d3d21]
> #21 /usr/sbin/smbd(make_server_info_sam+0x59) [0x821e779]
> #22 /usr/sbin/smbd(make_server_info_guest+0xbb) [0x821eaab]
> #23 /usr/sbin/smbd [0x821c882]
> #24 /usr/sbin/smbd [0x821705f]
> #25 /usr/sbin/smbd [0x80ad98e]
> #26 /usr/sbin/smbd(reply_sesssetup_and_X+0x788) [0x80af5b8]
> #27 /usr/sbin/smbd [0x80d3306]
> #28 /usr/sbin/smbd [0x80d3590]
> #29 /usr/sbin/smbd(process_smb+0x8c) [0x80d379c]
> #30 /usr/sbin/smbd(smbd_process+0x168) [0x80d44d8]
> #31 /usr/sbin/smbd(main+0x4ea) [0x82579ba]
> #32 /lib/tls/libc.so.6(__libc_start_main+0xf4) [0x401a1904]
> #33 /usr/sbin/smbd [0x8078b41]
> smbd: /home/roland/debian/openldap/build/2.1.30/openldap2-2.1.30/libraries/libldap/cyrus.c:468: ldap_int_sasl_open: Assertion `lc->lconn_sasl_ctx == ((void *)0)' failed.
This is a known bug in the Debian packages. Have a look at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273620
If you can reproduce it we might be able to track it down finally.
> Is samba using the 'original' OpenLDAP 2.1.30 TLS libraries, even if I
> have the ldap libraries linked to 2.2?
Yes. It will use the 2.1.30 libraries as they are incompatible with
2.2.x.
> And, why does this go away as soon as I stop slurpd on the master and
> slapd on the slave?
No idea.
> This is critical to us, as this is the first major step migrating ~200
> users away from NT-desktops to Linux thin clients, and I don't want to
> give them something to argue against OSS...
My guess at how to fix this: Get the openldap2 sources from the Debian
package and build it against OpenSSL. I can make packages available if
you can't build them.

You should change debian/changelog so that apt can differentiate between
the official and your packages and debian/configure.options so it uses
OpenSSL. Ah, and remove gnutls from Build-Depends in debian/control and
add libssl-dev. Make sure no gnutls dev package is installed as the
configure script had a bug to use it even if you'd rather use OpenSSL.
Thanks
Torsten
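
The following is an added example, not part of the original message or of Samba/OpenLDAP: a small Python triage helper that reads the quoted smbd panic log and reports which shared objects sit on the crashing call path and which OpenLDAP source tree the failing assertion was built from. The function names `module_chain` and `failed_assertion` are hypothetical; the log lines are an abridged copy of the frames quoted above.

```python
import re
from itertools import groupby

# Frames copied from the quoted log (abridged); the wrapped assertion line is rejoined.
LOG = """\
#4 /lib/tls/libc.so.6(abort+0x1d2) [0x401b5f12]
#5 /lib/tls/libc.so.6(__assert_fail+0x10f) [0x401ae26f]
#6 /usr/lib/libldap.so.2 [0x4002b12d]
#7 /usr/lib/libldap.so.2(ldap_int_open_connection+0x11e) [0x400257ee]
#12 /usr/lib/libldap.so.2(ldap_simple_bind+0x80) [0x4002dd80]
#13 /lib/libnss_ldap.so.2 [0x409ad423]
#17 /lib/libnss_ldap.so.2(_nss_ldap_getpwnam_r+0x69) [0x409af9e9]
#18 /lib/tls/libc.so.6(getpwnam_r+0xfc) [0x4023475c]
#20 /usr/sbin/smbd(getpwnam_alloc+0x11) [0x81d3d21]
smbd: /home/roland/debian/openldap/build/2.1.30/openldap2-2.1.30/libraries/libldap/cyrus.c:468: ldap_int_sasl_open: Assertion `lc->lconn_sasl_ctx == ((void *)0)' failed.
"""

FRAME = re.compile(r"^#(\d+)\s+(/\S+?)(?:\((\w+)\+0x[0-9a-fA-F]+\))?\s+\[0x[0-9a-fA-F]+\]$")
ASSERT = re.compile(r"^\S+: (\S+):(\d+): (\w+): Assertion `(.*)' failed\.$")

def module_chain(log):
    """Modules in call order (outermost caller first), consecutive repeats collapsed."""
    frames = [m for m in map(FRAME.match, log.splitlines()) if m]
    frames.sort(key=lambda m: int(m.group(1)), reverse=True)  # highest frame = outermost
    return [mod for mod, _ in groupby(m.group(2) for m in frames)]

def failed_assertion(log):
    """Parse the glibc assert message; pull the OpenLDAP version out of the build path."""
    for line in log.splitlines():
        m = ASSERT.match(line)
        if m:
            src, lineno, func, expr = m.groups()
            ver = re.search(r"openldap2?-(\d+(?:\.\d+)+)", src)
            return {"file": src.rsplit("/", 1)[-1], "line": int(lineno), "function": func,
                    "expr": expr, "built_from": ver.group(1) if ver else None}
    return None

if __name__ == "__main__":
    print(" -> ".join(module_chain(LOG)))
    print(failed_assertion(LOG))
```

On this log the chain runs smbd, libc (getpwnam), libnss_ldap, libldap.so.2, then libc (abort), and the assertion's build path names openldap2-2.1.30, which matches the answer that the 2.1.30 client library is the one in use.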