[Samba] Issues with classicupgrade LDAP

Andrew Bartlett abartlet at samba.org
Wed Jun 11 19:29:28 MDT 2014


On Wed, 2014-06-11 at 16:52 -0700, Benjamin Arntzen wrote:
> Hi there,
> 
> I'm attempting a classicupgrade from Samba3 to Samba4 with an LDAP 
> backend and encountering this error:
> dpadmin at samba4-dev0:~$ samba-tool domain classicupgrade 
> --dbdir=/var/lib/samba --use-xattrs=yes  --realm=ad.digipen.edu 
> /home/dpadmin/smb.conf 2>&1 | tee SambaMigration10.log
> 
> <snip>
> init_sam_from_ldap: Entry found for user: steven.redacted
> init_sam_from_ldap: Entry found for user: lauro.redacted
> init_sam_from_ldap: Entry found for user: michael.redacted
> init_sam_from_ldap: Entry found for user: s.redacted
> Next rid = 132072
> Failed to bind - LDAP error 13 LDAP_CONFIDENTIALITY_REQUIRED - <TLS 
> confidentiality required> <>
> Failed to connect to 'ldap://204.174.42.81' with backend 'ldap': (null)
> ERROR(<type 'exceptions.NameError'>): uncaught exception - global name 
> 'ProvisiongError' is not defined
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 
> 1318, in run
>      useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>    File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 801, 
> in upgrade_from_samba3
>      raise ProvisiongError("Could not open ldb connection to %s, the 
> error message is: %s" % (url, e))
> 
> I have this in my config files:
> # Password Database
> #---------------------
> # passdb backend = ldapsam:ldap://localhost
> # passdb backend = ldapsam:ldap://ldap.digipen.edu 
> ldap://ldap-primary.digipen.edu
> passdb backend = ldapsam:ldap://204.174.42.81
> ldap admin dn = uid=redacted,ou=system,dc=digipen,dc=edu
> ldap ssl = start tls
> ldap passwd sync = yes
> ldap delete dn = no
> ldap suffix = dc=digipen,dc=edu
> ldap user suffix = ou=people
> ldap group suffix = ou=groups
> ldap machine suffix = ou=computers
> ldapsam:trusted = yes
> 
> The rest of the migration (including a lot of init_sam_from_ldap) works 
> fine, and back on 4.0-beta it did *not* produce this issue. 
> Unfortunately I can't go back to that version.
> 
> Help wanted :(

The issue is that the second connection to LDAP we make from the python
code does not know how to use the "ldap ssl = start tls" parameter.  Can
you use ldaps://?

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
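
Added example, not part of the original message and not Samba's own code: a pre-flight check that reads an smb.conf and flags plain ldap:// passdb backend URLs that depend on "ldap ssl = start tls", which is the combination the reply above identifies as failing. The function names and the sample file are constructed, and the suggested ldaps:// URL assumes the directory server actually offers LDAPS.

```python
import re

# Constructed sample: the passdb settings quoted in the message above.
SAMPLE_SMB_CONF = """\
[global]
# passdb backend = ldapsam:ldap://localhost
passdb backend = ldapsam:ldap://204.174.42.81
ldap ssl = start tls
ldap suffix = dc=digipen,dc=edu
"""

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict keyed by
    lower-cased parameter name with all whitespace removed."""
    params, section, pending = {}, "global", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # smb.conf line continuation
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def starttls_findings(text):
    """List (url, suggested_url) for every plain ldap:// passdb URL that
    relies on 'ldap ssl = start tls' for confidentiality."""
    params = parse_global(text)
    ssl_mode = re.sub(r"[\s_]+", " ", params.get("ldapssl", "")).lower()
    if ssl_mode != "start tls":
        return []
    backend = params.get("passdbbackend", "")
    if not backend.lower().startswith("ldapsam"):
        return []
    # An explicit port in the URL is copied as-is and must be adjusted by hand.
    urls = re.findall(r"ldap://[^\s\"']+", backend, flags=re.I)
    return [(u, "ldaps://" + u[len("ldap://"):]) for u in urls]

if __name__ == "__main__":
    for url, suggestion in starttls_findings(SAMPLE_SMB_CONF):
        print("%s depends on StartTLS; try %s before classicupgrade" % (url, suggestion))
```
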