[Samba] Re: Samba-LDAP TLS problems with inofficial Debian OpenLDAP 2.2 packages

Torsten Landschoff torsten at debian.org
Wed Mar 23 12:05:54 GMT 2005


Hi Paul, 

On Wed, Mar 23, 2005 at 11:30:35AM +0100, Paul Coray wrote:
> Three days ago I switched our domain from a NT 4 domain controller to 
> Samba-OpenLDAP, controlled by a Debian Sarge system. I installed the 
> following unofficial Debian OpenLDAP 2.2 packages (I know these are not 
> supported, but TLS with OpenSSL is essential to us...):
> 
> Package: slapd
> Version: 2.2.20-1.hrz.1
> 
> Package: libldap2.2
> Version: 2.2.20-1.hrz.1
> 
> Package: ldap-utils
> Version: 2.2.20-1.hrz.1

Where are those available? I did not know about that fork and perhaps I
can share some work with the maintainer.

> As soon as the LDAP-replication is active, my Windows users are 
> experiencing problems logging on to the domain, often they only manage 
> to log in with locally cached credentials/profiles. I suspect there are 
> problems with TLS, as I see a lot of messages like this in the Samba 
> machine logs:
> 
> 
> [2005/03/23 08:18:44, 0] lib/fault.c:fault_report(36)
>   ===============================================================
> [2005/03/23 08:18:44, 0] lib/fault.c:fault_report(37)
>   INTERNAL ERROR: Signal 6 in pid 15289 (3.0.10-Debian)
>   Please read the appendix Bugs of the Samba HOWTO collection
> [2005/03/23 08:18:44, 0] lib/fault.c:fault_report(39)
>   ===============================================================
> [2005/03/23 08:18:44, 0] lib/util.c:smb_panic2(1482)
>   PANIC: internal error
> [2005/03/23 08:18:44, 0] lib/util.c:smb_panic2(1490)
>   BACKTRACE: 34 stack frames:
>    #0 /usr/sbin/smbd(smb_panic2+0x111) [0x81e05e1]
>    #1 /usr/sbin/smbd(smb_panic+0x1a) [0x81e04ca]
>    #2 /usr/sbin/smbd [0x81cc8e8]
>    #3 [0xffffe420]
>    #4 /lib/tls/libc.so.6(abort+0x1d2) [0x401b5f12]
>    #5 /lib/tls/libc.so.6(__assert_fail+0x10f) [0x401ae26f]
>    #6 /usr/lib/libldap.so.2 [0x4002b12d]
>    #7 /usr/lib/libldap.so.2(ldap_int_open_connection+0x11e) [0x400257ee]
>    #8 /usr/lib/libldap.so.2(ldap_new_connection+0x89) [0x400374c9]
>    #9 /usr/lib/libldap.so.2(ldap_open_defconn+0x41) [0x400252a1]
>    #10 /usr/lib/libldap.so.2(ldap_send_initial_request+0x8f) [0x4003703f]
>    #11 /usr/lib/libldap.so.2(ldap_sasl_bind+0x177) [0x4002d387]
>    #12 /usr/lib/libldap.so.2(ldap_simple_bind+0x80) [0x4002dd80]
>    #13 /lib/libnss_ldap.so.2 [0x409ad423]
>    #14 /lib/libnss_ldap.so.2 [0x409acefc]
>    #15 /lib/libnss_ldap.so.2 [0x409ae24a]
>    #16 /lib/libnss_ldap.so.2 [0x409ae81b]
>    #17 /lib/libnss_ldap.so.2(_nss_ldap_getpwnam_r+0x69) [0x409af9e9]
>    #18 /lib/tls/libc.so.6(getpwnam_r+0xfc) [0x4023475c]
>    #19 /lib/tls/libc.so.6(getpwnam+0x91) [0x40234081]
>    #20 /usr/sbin/smbd(getpwnam_alloc+0x11) [0x81d3d21]
>    #21 /usr/sbin/smbd(make_server_info_sam+0x59) [0x821e779]
>    #22 /usr/sbin/smbd(make_server_info_guest+0xbb) [0x821eaab]
>    #23 /usr/sbin/smbd [0x821c882]
>    #24 /usr/sbin/smbd [0x821705f]
>    #25 /usr/sbin/smbd [0x80ad98e]
>    #26 /usr/sbin/smbd(reply_sesssetup_and_X+0x788) [0x80af5b8]
>    #27 /usr/sbin/smbd [0x80d3306]
>    #28 /usr/sbin/smbd [0x80d3590]
>    #29 /usr/sbin/smbd(process_smb+0x8c) [0x80d379c]
>    #30 /usr/sbin/smbd(smbd_process+0x168) [0x80d44d8]
>    #31 /usr/sbin/smbd(main+0x4ea) [0x82579ba]
>    #32 /lib/tls/libc.so.6(__libc_start_main+0xf4) [0x401a1904]
>    #33 /usr/sbin/smbd [0x8078b41]
> smbd: /home/roland/debian/openldap/build/2.1.30/openldap2-2.1.30/libraries/libldap/cyrus.c:468: ldap_int_sasl_open: Assertion `lc->lconn_sasl_ctx == ((void *)0)' failed.

This is a known bug in the Debian packages. Have a look at

	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273620

If you can reproduce it we might be able to track it down finally.

> Is samba using the 'original' OpenLDAP 2.1.30 TLS libraries, even if I 
> have the ldap libraries linked to 2.2?

Yes. It will use the 2.1.30 libraries as they are incompatible with
2.2.x.

> And, why does this go away as soon as I stop slurpd on the master and 
> slapd on the slave?

No idea.

> This is critical to us, as this is the first major step migrating ~200 
> users away from NT-desktops to Linux thin clients, and I don't want to 
> give them something to argue against OSS...

My guess at how to fix this: Get the openldap2 sources from the Debian
package and build it against OpenSSL. I can make packages available if
you can't build them. 

You should change debian/changelog so that apt can differentiate between
the official and your packages and debian/configure.options so it uses
OpenSSL. Ah, and remove gnutls from Build-Depends in debian/control and
add libssl-dev. Make sure no gnutls dev package is installed as the
configure script had a bug to use it even if you'd rather use OpenSSL. 

Thanks

	Torsten
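
A check to run after such a rebuild, given as an added example that is not part of the original message: these shell functions read `ldd` output and report which TLS library a binary links against and which libldap sonames it pulls in, which is how a build that still picked up GnuTLS shows itself. The sample `ldd` output is constructed; only `libldap.so.2` and the libc path come from the backtrace quoted above.

```shell
#!/bin/sh
# tls_backend: read `ldd` output on stdin and name the TLS library linked.
# Prints one of: openssl, gnutls, mixed, none.
tls_backend() {
    awk '
        $1 ~ /^libssl\.so/    { ssl = 1 }
        $1 ~ /^libgnutls\.so/ { gnutls = 1 }
        END {
            if (ssl && gnutls) print "mixed"
            else if (ssl)      print "openssl"
            else if (gnutls)   print "gnutls"
            else               print "none"
        }'
}

# ldap_sonames: list the distinct libldap sonames found in `ldd` output.
# More than one name means two libldap versions load into one process.
ldap_sonames() {
    awk '$1 ~ /^libldap/ { print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample: a libldap.so.2 that was linked against GnuTLS.
sample_ldd() {
cat <<'EOF'
	libldap.so.2 => /usr/lib/libldap.so.2 (0x40020000)
	liblber.so.2 => /usr/lib/liblber.so.2 (0x40050000)
	libgnutls.so.11 => /usr/lib/libgnutls.so.11 (0x40060000)
	libc.so.6 => /lib/tls/libc.so.6 (0x40190000)
EOF
}

# check_lib PATH: run the two checks against a real binary or library.
check_lib() {
    out=$(ldd "$1") || return 1
    printf '%s: tls=%s ldap=%s\n' "$1" \
        "$(printf '%s\n' "$out" | tls_backend)" \
        "$(printf '%s\n' "$out" | ldap_sonames)"
}

# With arguments, check each file, e.g. the libraries named in the backtrace.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do check_lib "$f"; done
fi
```

Run it against `/usr/lib/libldap.so.2`, `/lib/libnss_ldap.so.2` and `/usr/sbin/smbd`; a rebuilt library should report `tls=openssl`, and `mixed` or `gnutls` means the configure script still found a GnuTLS dev package.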