[Samba] Access remote ldap for classicupgrade
Robert Moskowitz
rgm at htt-consult.com
Fri Sep 18 20:19:14 UTC 2015
On 09/18/2015 03:25 PM, Rowland Penny wrote:
> On 18/09/15 19:50, Robert Moskowitz wrote:
>> OK. So I added to /etc/samba/smb.conf in the [Global] section:
>>
>> passdb backend = ldapsam:ldaps://192.168.128.2
>> ldap admin dn = cn=manager,ou=Internal,dc=home,dc=htt
>> ldap group suffix = ou=Groups,ou=Accounts
>> ldap idmap suffix = ou=Idmap
>> ldap machine suffix = ou=Computers,ou=Accounts
>> ldap passwd sync = No
>> ldap suffix = dc=home,dc=htt
>> ldap user suffix = ou=Users,ou=Accounts
>> ldap connection timeout = 8
>> ldap ssl = Off
>>
>> I ran:
>>
>> # samba-tool domain classicupgrade --dbdir=/root/samba.PDC/dbdir/
>> --use-xattrs=yes --realm=HOME.HTT --dns-backend=BIND9_DLZ
>> /root/samba.PDC/etc/smb.conf
>>
>> And it failed as follows:
>>
>> Reading smb.conf
>> NOTE: Service printers is flagged unavailable.
>> NOTE: Service print$ is flagged unavailable.
>> Unknown parameter encountered: "force directory security mode"
>> Ignoring unknown parameter "force directory security mode"
>> Provisioning
>> failed to bind to server ldaps://192.168.128.2 with
>> dn="cn=manager,ou=Internal,dc=home,dc=htt" Error: Can't contact LDAP
>> server
>> TLS error -8172:Peer's certificate issuer has been marked as not
>> trusted by the user.
>> Connection to LDAP server failed for the 1 try!
>> Connection to LDAP server failed for the 2 try!
>> Connection to LDAP server failed for the 3 try!
>> Connection to LDAP server failed for the 4 try!
>> Connection to LDAP server failed for the 5 try!
>> Connection to LDAP server failed for the 6 try!
>> Connection to LDAP server failed for the 7 try!
>> Connection to LDAP server failed for the 8 try!
>> Connection to LDAP server failed for the 9 try!
>> Connection to LDAP server failed for the 10 try!
>> Connection to LDAP server failed for the 11 try!
>> Connection to LDAP server failed for the 12 try!
>> Connection to LDAP server failed for the 13 try!
>> Connection to LDAP server failed for the 14 try!
>> Connection to LDAP server failed for the 15 try!
>> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to
>> the domain. We cannot work reliably without it.
>> pdb backend ldapsam:ldaps://192.168.128.2 did not correctly init
>> (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
>> ERROR(<class 'passdb.error'>): uncaught exception - Cannot load
>> backend methods for 'ldapsam:ldaps://192.168.128.2' backend
>> (-1073741606,Configuration information could not be read from the
>> domain controller, either because the machine is unavailable or
>> access has been denied.)
>> File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 175, in _run
>> return self.run(*args, **kwargs)
>> File "/usr/lib/python2.7/site-packages/samba/netcmd/domain.py",
>> line 1452, in run
>> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>> File "/usr/lib/python2.7/site-packages/samba/upgrade.py", line 483,
>> in upgrade_from_samba3
>> s3db = samba3.get_sam_db()
>> File "/usr/lib/python2.7/site-packages/samba/samba3/__init__.py",
>> line 394, in get_sam_db
>> return passdb.PDB(self.lp.get('passdb backend'))
>>
>>
>
> I wonder if you can turn off SSL on the old server, what do you have
> in /etc/ldap.conf (or /etc/ldap/ldap.conf or /etc/openldap/ldap.conf ) ?
On the server (but would it not be slapd.conf for the server?):

more /etc/openldap/ldap.conf
BASE dc=home,dc=htt
HOST 127.0.0.1
TIMELIMIT 30
SIZELIMIT 0
TLS_REQCERT allow

And on the AD (but I don't know what classicupgrade is using):

more /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
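An added example, not from the thread, that lints the two ldap.conf files quoted above and the smb.conf passdb URL using the TLS_REQCERT semantics from ldap.conf(5): the old server's "TLS_REQCERT allow" tolerates any certificate, while the AD host's default "demand" with TLS_CACERTDIR /etc/openldap/certs rejects any issuer not in that directory, which is what the -8172 error in the log reports. The function names, the posture labels and the embedded samples are my own.

```python
import re

# Constructed samples copied from the thread: the two ldap.conf files and the passdb URL.
OLD_SERVER_LDAP_CONF = """BASE dc=home,dc=htt
HOST 127.0.0.1
TIMELIMIT 30
SIZELIMIT 0
TLS_REQCERT allow
"""
AD_HOST_LDAP_CONF = """# LDAP Defaults
#BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
"""
PASSDB_BACKEND = "ldapsam:ldaps://192.168.128.2"

def parse_ldap_conf(text):
    """Parse ldap.conf(5): one 'KEY value' per line, keys case-insensitive, '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return conf

def tls_posture(conf):
    """Classify how strictly a client with this ldap.conf checks the LDAPS server certificate."""
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # 'demand' is the documented default
    if reqcert in ("never", "allow"):
        return "unverified"  # a forged or self-signed certificate is accepted silently
    if reqcert == "try":
        return "verified-if-presented"  # checked only when the server sends one
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        return "verified-no-trust-anchor"  # every issuer is untrusted, so every bind fails
    return "verified"  # bind succeeds only if the issuer is in the configured CA store

def backend_transport(passdb_backend, ldap_ssl="off"):
    """Work out which transport 'passdb backend = ldapsam:<url>' plus 'ldap ssl' gives the bind."""
    url = passdb_backend.split(":", 1)[1] if ":" in passdb_backend else ""
    if url.lower().startswith("ldaps://"):
        return "ldaps"  # an ldaps:// URL is TLS regardless of 'ldap ssl'
    if ldap_ssl.lower() == "start tls":
        return "starttls"
    return "plaintext"  # admin DN password and the whole SAM cross the wire in the clear

def report():
    """Summarise the thread's setup: transport used and how each side checks the certificate."""
    return {"transport": backend_transport(PASSDB_BACKEND, "off"),
            "old_server": tls_posture(parse_ldap_conf(OLD_SERVER_LDAP_CONF)),
            "ad_host": tls_posture(parse_ldap_conf(AD_HOST_LDAP_CONF))}
```

The AD host's "verified" posture only turns into a successful bind once the CA that issued the old server's certificate is present in /etc/openldap/certs (or named by TLS_CACERT); copying "TLS_REQCERT allow" over from the old server would make the bind work by silencing the check instead.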