[Samba] Access remote ldap for classicupgrade

Robert Moskowitz rgm at htt-consult.com
Fri Sep 18 20:54:48 UTC 2015



On 09/18/2015 04:30 PM, Rowland Penny wrote:
> On 18/09/15 21:19, Robert Moskowitz wrote:
>>
>>
>> On 09/18/2015 03:25 PM, Rowland Penny wrote:
>>> On 18/09/15 19:50, Robert Moskowitz wrote:
>>>> OK. So I added to /etc/samba/smb.conf in the [Global] section:
>>>>
>>>> passdb backend = ldapsam:ldaps://192.168.128.2
>>>> ldap admin dn = cn=manager,ou=Internal,dc=home,dc=htt
>>>> ldap group suffix = ou=Groups,ou=Accounts
>>>> ldap idmap suffix = ou=Idmap
>>>> ldap machine suffix = ou=Computers,ou=Accounts
>>>> ldap passwd sync = No
>>>> ldap suffix = dc=home,dc=htt
>>>> ldap user suffix = ou=Users,ou=Accounts
>>>> ldap connection timeout = 8
>>>> ldap ssl = Off
>>>>
>>>> I ran:
>>>>
>>>> # samba-tool domain classicupgrade --dbdir=/root/samba.PDC/dbdir/ 
>>>> --use-xattrs=yes --realm=HOME.HTT --dns-backend=BIND9_DLZ 
>>>> /root/samba.PDC/etc/smb.conf
>>>>
>>>> And it failed as follows:
>>>>
>>>> Reading smb.conf
>>>> NOTE: Service printers is flagged unavailable.
>>>> NOTE: Service print$ is flagged unavailable.
>>>> Unknown parameter encountered: "force directory security mode"
>>>> Ignoring unknown parameter "force directory security mode"
>>>> Provisioning
>>>> failed to bind to server ldaps://192.168.128.2 with 
>>>> dn="cn=manager,ou=Internal,dc=home,dc=htt" Error: Can't contact 
>>>> LDAP server
>>>>     TLS error -8172:Peer's certificate issuer has been marked as 
>>>> not trusted by the user.
>>>> Connection to LDAP server failed for the 1 try!
>>>> Connection to LDAP server failed for the 2 try!
>>>> Connection to LDAP server failed for the 3 try!
>>>> Connection to LDAP server failed for the 4 try!
>>>> Connection to LDAP server failed for the 5 try!
>>>> Connection to LDAP server failed for the 6 try!
>>>> Connection to LDAP server failed for the 7 try!
>>>> Connection to LDAP server failed for the 8 try!
>>>> Connection to LDAP server failed for the 9 try!
>>>> Connection to LDAP server failed for the 10 try!
>>>> Connection to LDAP server failed for the 11 try!
>>>> Connection to LDAP server failed for the 12 try!
>>>> Connection to LDAP server failed for the 13 try!
>>>> Connection to LDAP server failed for the 14 try!
>>>> Connection to LDAP server failed for the 15 try!
>>>> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one 
>>>> to the domain. We cannot work reliably without it.
>>>> pdb backend ldapsam:ldaps://192.168.128.2 did not correctly init 
>>>> (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
>>>> ERROR(<class 'passdb.error'>): uncaught exception - Cannot load 
>>>> backend methods for 'ldapsam:ldaps://192.168.128.2' backend 
>>>> (-1073741606,Configuration information could not be read from the 
>>>> domain controller, either because the machine is unavailable or 
>>>> access has been denied.)
>>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>>> line 175, in _run
>>>>     return self.run(*args, **kwargs)
>>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/domain.py", 
>>>> line 1452, in run
>>>>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>>>   File "/usr/lib/python2.7/site-packages/samba/upgrade.py", line 
>>>> 483, in upgrade_from_samba3
>>>>     s3db = samba3.get_sam_db()
>>>>   File "/usr/lib/python2.7/site-packages/samba/samba3/__init__.py", 
>>>> line 394, in get_sam_db
>>>>     return passdb.PDB(self.lp.get('passdb backend'))
>>>>
>>>>
>>>
>>> I wonder if you can turn off SSL on the old server; what do you have 
>>> in /etc/ldap.conf (or /etc/ldap/ldap.conf or /etc/openldap/ldap.conf)?
>>
>> On the server (but would it not be slapd.conf for the server?):
>
> No, slapd.conf is for the configuration of the ldap server (it may in 
> fact be slapd.conf.d)
>
>> more /etc/openldap/ldap.conf
>> BASE         dc=home,dc=htt
>> HOST         127.0.0.1
>> TIMELIMIT    30
>> SIZELIMIT    0
>> TLS_REQCERT  allow
>>
>
> Try commenting out 'TLS_REQCERT'

I looked again at that error above, and it is the client (classicupgrade) 
that is requesting the cert and failing.  So it is on that system that I 
need to tell it not to request or worry about the server cert.  So I 
think I need:

TLS_REQCERT never|try

In its ldap.conf

> , change 'ldaps' to 'ldap' in your old server smb.conf (I would also 
> remove the shares and the lines that the classicupgrade objects to) 
> and try the classicupgrade again.

I was told this option is buried deep in the ClearOS openldap setup.  It 
is definitely nowhere under /etc/samba.  So the first step is to get 
classicupgrade not to worry about the cert's validity.  Then I think I 
might have access issues on what is shown to an anon client.

>
> Rowland
>
>> And on the AD (but I don't know what classicupgrade is using):
>>
>> more /etc/openldap/ldap.conf
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> #BASE    dc=example,dc=com
>> #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
>>
>> #SIZELIMIT    12
>> #TIMELIMIT    15
>> #DEREF        never
>>
>> TLS_CACERTDIR    /etc/openldap/certs
>>
>> # Turning this off breaks GSSAPI used with krb5 when rdns = false
>> SASL_NOCANON    on
>>
>>
>
>
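Added example for this thread (not code from the posters, Samba or ClearOS): what the -8172 in the failing bind means, and a check to run on the client's ldap.conf before trying classicupgrade again. -8172 is SEC_ERROR_UNTRUSTED_ISSUER from Mozilla NSS, the TLS library the RHEL/CentOS OpenLDAP client is built against (that is why the AD box carries TLS_CACERTDIR /etc/openldap/certs, an NSS certificate database). libldap, which samba-tool's ldapsam backend uses, did verify the chain and found no trust anchor for whoever issued the ClearOS server certificate. Setting ldap ssl = Off in smb.conf does not change that: it only governs STARTTLS on ldap:// URIs, and an ldaps:// URI is TLS regardless. TLS_REQCERT never (or allow) in the client's ldap.conf will make the bind go through, but it also means any host answering on 192.168.128.2:636 can collect the ldap admin dn password that classicupgrade sends during the migration. The script below classifies an ldap.conf the way libldap applies it, includes the two ldap.conf files quoted above as constructed samples, and emits a fragment that keeps verification on; the CA file path in it is an assumption.

```shell
#!/bin/sh
# Added example for this thread, not code from Samba, ClearOS or the posters.
# libldap (which samba-tool's ldapsam backend links against) takes its
# client-side TLS policy from ldap.conf: TLS_REQCERT decides whether the
# server certificate is verified, TLS_CACERT / TLS_CACERTDIR supply the
# trust anchor. A bind failing with NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
# means the chain was checked and no anchor matched the issuer.

# Classify the effective server-certificate policy of an ldap.conf passed as text.
# Usage: ldap_tls_policy "$(cat /etc/openldap/ldap.conf)"
ldap_tls_policy() {
    conf=$1
    # TLS_REQCERT defaults to "demand" when the directive is absent (ldap.conf(5)).
    reqcert=$(printf '%s\n' "$conf" | awk '
        /^[ \t]*#/ { next }
        toupper($1) == "TLS_REQCERT" { v = tolower($2) }
        END { print (v == "" ? "demand" : v) }')
    # Trust anchor: a PEM bundle (TLS_CACERT) or a hashed dir / NSS db (TLS_CACERTDIR).
    anchor=$(printf '%s\n' "$conf" | awk '
        /^[ \t]*#/ { next }
        toupper($1) == "TLS_CACERT" || toupper($1) == "TLS_CACERTDIR" { print $2; exit }')
    case "$reqcert" in
        never|allow) echo "unverified" ;;   # "allow" ignores a bad cert, so it equals "never"
        try)         echo "weak" ;;          # bad cert rejected, but a missing cert is tolerated
        demand|hard) if [ -n "$anchor" ]; then echo "verified"; else echo "verified-no-anchor"; fi ;;
        *)           echo "unknown:$reqcert" ;;
    esac
}

# Emit a client ldap.conf fragment that keeps verification on and trusts the
# old server's issuer. $1 is a PEM file holding that CA (the path is an assumption).
hardened_client_conf() {
    printf 'TLS_CACERT  %s\nTLS_REQCERT demand\n' "$1"
}

# Print subject and issuer of the certificate the old server presents, so you
# know which CA to export. Network call; not exercised by the test below.
ldaps_issuer() {
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer
}

# Constructed samples, reduced from the two ldap.conf files quoted in the thread.
CLEAROS_CLIENT_CONF='BASE         dc=home,dc=htt
HOST         127.0.0.1
TLS_REQCERT  allow'

AD_CLIENT_CONF='#URI    ldap://ldap.example.com
TLS_CACERTDIR    /etc/openldap/certs
SASL_NOCANON    on'
```

Usage: run ldaps_issuer 192.168.128.2 on the AD box to see which CA signed the ClearOS certificate, copy that CA's PEM over, and then either append the fragment from hardened_client_conf to /etc/openldap/ldap.conf or, for the NSS-linked build, import it into the existing TLS_CACERTDIR database with certutil -d /etc/openldap/certs -A -n clearos-ca -t 'CT,,' -i ca.pem. After that, ldapsearch -H ldaps://192.168.128.2 -x -b dc=home,dc=htt -s base should bind cleanly with TLS_REQCERT left at its default, and classicupgrade will use the same library path.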