[Samba] Access remote ldap for classicupgrade

Rowland Penny rowlandpenny241155 at gmail.com
Fri Sep 18 20:30:16 UTC 2015


On 18/09/15 21:19, Robert Moskowitz wrote:
>
>
> On 09/18/2015 03:25 PM, Rowland Penny wrote:
>> On 18/09/15 19:50, Robert Moskowitz wrote:
>>> OK. So I added to /etc/samba/smb.conf in the [Global] section:
>>>
>>> passdb backend = ldapsam:ldaps://192.168.128.2
>>> ldap admin dn = cn=manager,ou=Internal,dc=home,dc=htt
>>> ldap group suffix = ou=Groups,ou=Accounts
>>> ldap idmap suffix = ou=Idmap
>>> ldap machine suffix = ou=Computers,ou=Accounts
>>> ldap passwd sync = No
>>> ldap suffix = dc=home,dc=htt
>>> ldap user suffix = ou=Users,ou=Accounts
>>> ldap connection timeout = 8
>>> ldap ssl = Off
>>>
>>> I ran:
>>>
>>> # samba-tool domain classicupgrade --dbdir=/root/samba.PDC/dbdir/ 
>>> --use-xattrs=yes --realm=HOME.HTT --dns-backend=BIND9_DLZ 
>>> /root/samba.PDC/etc/smb.conf
>>>
>>> And it failed as follows:
>>>
>>> Reading smb.conf
>>> NOTE: Service printers is flagged unavailable.
>>> NOTE: Service print$ is flagged unavailable.
>>> Unknown parameter encountered: "force directory security mode"
>>> Ignoring unknown parameter "force directory security mode"
>>> Provisioning
>>> failed to bind to server ldaps://192.168.128.2 with 
>>> dn="cn=manager,ou=Internal,dc=home,dc=htt" Error: Can't contact LDAP 
>>> server
>>>     TLS error -8172:Peer's certificate issuer has been marked as not 
>>> trusted by the user.
>>> Connection to LDAP server failed for the 1 try!
>>> Connection to LDAP server failed for the 2 try!
>>> Connection to LDAP server failed for the 3 try!
>>> Connection to LDAP server failed for the 4 try!
>>> Connection to LDAP server failed for the 5 try!
>>> Connection to LDAP server failed for the 6 try!
>>> Connection to LDAP server failed for the 7 try!
>>> Connection to LDAP server failed for the 8 try!
>>> Connection to LDAP server failed for the 9 try!
>>> Connection to LDAP server failed for the 10 try!
>>> Connection to LDAP server failed for the 11 try!
>>> Connection to LDAP server failed for the 12 try!
>>> Connection to LDAP server failed for the 13 try!
>>> Connection to LDAP server failed for the 14 try!
>>> Connection to LDAP server failed for the 15 try!
>>> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to 
>>> the domain. We cannot work reliably without it.
>>> pdb backend ldapsam:ldaps://192.168.128.2 did not correctly init 
>>> (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
>>> ERROR(<class 'passdb.error'>): uncaught exception - Cannot load 
>>> backend methods for 'ldapsam:ldaps://192.168.128.2' backend 
>>> (-1073741606,Configuration information could not be read from the 
>>> domain controller, either because the machine is unavailable or 
>>> access has been denied.)
>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>> line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/domain.py", 
>>> line 1452, in run
>>>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>>   File "/usr/lib/python2.7/site-packages/samba/upgrade.py", line 
>>> 483, in upgrade_from_samba3
>>>     s3db = samba3.get_sam_db()
>>>   File "/usr/lib/python2.7/site-packages/samba/samba3/__init__.py", 
>>> line 394, in get_sam_db
>>>     return passdb.PDB(self.lp.get('passdb backend'))
>>>
>>>
>>
>> I wonder if you can turn off SSL on the old server, what do you have 
>> in /etc/ldap.conf (or /etc/ldap/ldap.conf or /etc/openldap/ldap.conf ) ?
>
> On the server (but would it not be slapd.conf for the server?):

No, slapd.conf is for the configuration of the ldap server (it may in 
fact be slapd.conf.d)

> more /etc/openldap/ldap.conf
> BASE         dc=home,dc=htt
> HOST         127.0.0.1
> TIMELIMIT    30
> SIZELIMIT    0
> TLS_REQCERT  allow
>

Try commenting out 'TLS_REQCERT', change 'ldaps' to 'ldap' in your old 
server smb.conf (I would also remove the shares and the lines that the 
classicupgrade objects to) and try the classicupgrade again.

Rowland

> And on the AD (but I don't know what classicupgrade is using):
>
> more /etc/openldap/ldap.conf
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> #BASE    dc=example,dc=com
> #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
>
> #SIZELIMIT    12
> #TIMELIMIT    15
> #DEREF        never
>
> TLS_CACERTDIR    /etc/openldap/certs
>
> # Turning this off breaks GSSAPI used with krb5 when rdns = false
> SASL_NOCANON    on
>
>

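An added example, not part of the thread or of Samba: a small POSIX shell check that flags the client-side ldap.conf settings behind the "TLS error -8172" trust failure above (a weak TLS_REQCERT value or no trust anchor at all) and a verification command to confirm the old server's certificate chain against a CA file, so the trust problem can be fixed rather than bypassed. The sample config is constructed from the thread; the host name and CA file path are assumptions.

```shell
#!/bin/sh
# Constructed sample mirroring the old server's /etc/openldap/ldap.conf
# from the thread (TLS_REQCERT allow tolerates a failed certificate check).
SAMPLE_CONF='BASE         dc=home,dc=htt
HOST         127.0.0.1
TIMELIMIT    30
SIZELIMIT    0
TLS_REQCERT  allow'

# audit_ldap_conf FILE: prints one finding per line; returns 0 when server
# certificate verification is enforced and a trust anchor is configured,
# 1 otherwise. Commented-out directives (#TLS_REQCERT ...) are ignored.
audit_ldap_conf() {
    conf=$1
    status=0
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$conf" | tail -n1)
    anchor=$(awk 'toupper($1)=="TLS_CACERT"||toupper($1)=="TLS_CACERTDIR"{print $2}' "$conf" | tail -n1)
    # ldap.conf(5): never/allow/try weaken verification; demand (the default)
    # and hard require a valid certificate.
    case "${reqcert:-demand}" in
        never|allow|try)
            echo "WEAK: TLS_REQCERT ${reqcert} tolerates an untrusted or missing server certificate"
            status=1 ;;
        demand|hard)
            echo "OK: TLS_REQCERT ${reqcert} requires a valid server certificate" ;;
        *)
            echo "UNKNOWN: TLS_REQCERT value '${reqcert}'"
            status=1 ;;
    esac
    if [ -z "$anchor" ]; then
        echo "MISSING: no TLS_CACERT or TLS_CACERTDIR, so the issuer cannot be verified"
        status=1
    fi
    return $status
}

# verify_ldaps_chain HOST CAFILE: nonzero exit means the server's certificate
# does not chain to CAFILE, the same condition -8172 reports. On NSS-linked
# builds (TLS_CACERTDIR /etc/openldap/certs) the anchor lives in the NSS
# database, but this check still shows whether the chain itself is valid.
verify_ldaps_chain() {
    openssl s_client -connect "$1:636" -CAfile "$2" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Demo on the constructed sample (written to a temp file so the same
# function can be pointed at a real /etc/openldap/ldap.conf).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
audit_ldap_conf "$tmp" || echo "-> add the old server's CA as a trust anchor instead of disabling TLS"
rm -f "$tmp"
```

Run `verify_ldaps_chain 192.168.128.2 /path/to/ca.crt` (assumed CA path) once the anchor is in place to confirm the chain validates before retrying the classicupgrade.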