[Samba] Access remote ldap for classicupgrade

Rowland Penny rowlandpenny241155 at gmail.com
Fri Sep 18 21:12:49 UTC 2015


On 18/09/15 21:54, Robert Moskowitz wrote:
>
>
> On 09/18/2015 04:30 PM, Rowland Penny wrote:
>> On 18/09/15 21:19, Robert Moskowitz wrote:
>>>
>>>
>>> On 09/18/2015 03:25 PM, Rowland Penny wrote:
>>>> On 18/09/15 19:50, Robert Moskowitz wrote:
>>>>> OK. So I added to /etc/samba/smb.conf in the [Global] section:
>>>>>
>>>>> passdb backend = ldapsam:ldaps://192.168.128.2
>>>>> ldap admin dn = cn=manager,ou=Internal,dc=home,dc=htt
>>>>> ldap group suffix = ou=Groups,ou=Accounts
>>>>> ldap idmap suffix = ou=Idmap
>>>>> ldap machine suffix = ou=Computers,ou=Accounts
>>>>> ldap passwd sync = No
>>>>> ldap suffix = dc=home,dc=htt
>>>>> ldap user suffix = ou=Users,ou=Accounts
>>>>> ldap connection timeout = 8
>>>>> ldap ssl = Off
>>>>>
>>>>> I ran:
>>>>>
>>>>> # samba-tool domain classicupgrade --dbdir=/root/samba.PDC/dbdir/ 
>>>>> --use-xattrs=yes --realm=HOME.HTT --dns-backend=BIND9_DLZ 
>>>>> /root/samba.PDC/etc/smb.conf
>>>>>
>>>>> And it failed as follows:
>>>>>
>>>>> Reading smb.conf
>>>>> NOTE: Service printers is flagged unavailable.
>>>>> NOTE: Service print$ is flagged unavailable.
>>>>> Unknown parameter encountered: "force directory security mode"
>>>>> Ignoring unknown parameter "force directory security mode"
>>>>> Provisioning
>>>>> failed to bind to server ldaps://192.168.128.2 with 
>>>>> dn="cn=manager,ou=Internal,dc=home,dc=htt" Error: Can't contact 
>>>>> LDAP server
>>>>>     TLS error -8172:Peer's certificate issuer has been marked as 
>>>>> not trusted by the user.
>>>>> Connection to LDAP server failed for the 1 try!
>>>>> Connection to LDAP server failed for the 2 try!
>>>>> Connection to LDAP server failed for the 3 try!
>>>>> Connection to LDAP server failed for the 4 try!
>>>>> Connection to LDAP server failed for the 5 try!
>>>>> Connection to LDAP server failed for the 6 try!
>>>>> Connection to LDAP server failed for the 7 try!
>>>>> Connection to LDAP server failed for the 8 try!
>>>>> Connection to LDAP server failed for the 9 try!
>>>>> Connection to LDAP server failed for the 10 try!
>>>>> Connection to LDAP server failed for the 11 try!
>>>>> Connection to LDAP server failed for the 12 try!
>>>>> Connection to LDAP server failed for the 13 try!
>>>>> Connection to LDAP server failed for the 14 try!
>>>>> Connection to LDAP server failed for the 15 try!
>>>>> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one 
>>>>> to the domain. We cannot work reliably without it.
>>>>> pdb backend ldapsam:ldaps://192.168.128.2 did not correctly init 
>>>>> (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
>>>>> ERROR(<class 'passdb.error'>): uncaught exception - Cannot load 
>>>>> backend methods for 'ldapsam:ldaps://192.168.128.2' backend 
>>>>> (-1073741606,Configuration information could not be read from the 
>>>>> domain controller, either because the machine is unavailable or 
>>>>> access has been denied.)
>>>>>   File 
>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 
>>>>> 175, in _run
>>>>>     return self.run(*args, **kwargs)
>>>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/domain.py", 
>>>>> line 1452, in run
>>>>>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>>>>   File "/usr/lib/python2.7/site-packages/samba/upgrade.py", line 
>>>>> 483, in upgrade_from_samba3
>>>>>     s3db = samba3.get_sam_db()
>>>>>   File 
>>>>> "/usr/lib/python2.7/site-packages/samba/samba3/__init__.py", line 
>>>>> 394, in get_sam_db
>>>>>     return passdb.PDB(self.lp.get('passdb backend'))
>>>>>
>>>>>
>>>>
>>>> I wonder if you can turn off SSL on the old server, what do you 
>>>> have in /etc/ldap.conf (or /etc/ldap/ldap.conf or 
>>>> /etc/openldap/ldap.conf ) ?
>>>
>>> On the server (but would it not be slapd.conf for the server?):
>>
>> No, slapd.conf is for the configuration of the ldap server (it may in 
>> fact be slapd.conf.d)
>>
>>> more /etc/openldap/ldap.conf
>>> BASE         dc=home,dc=htt
>>> HOST         127.0.0.1
>>> TIMELIMIT    30
>>> SIZELIMIT    0
>>> TLS_REQCERT  allow
>>>
>>
>> Try commenting out 'TLS_REQCERT'
>
> I looked again at that error above, and it is the client 
> (classicupgrade) that is requesting the cert and failing.  So it is on 
> that system that I need to tell it not to request or worry about the 
> server cert.  So I think I need:
>
> TLS_REQCERT never|try
>
> In its ldap.conf
>
>> , change 'ldaps' to 'ldap' in your old server smb.conf (I would also 
>> remove the shares and the lines that the classicupgrade objects to) 
>> and try the classicupgrade again.
>
> I was told this option is buried deep in the ClearOS openldap setup.  
> It is definitely nowhere under /etc/samba.  So first step is to get 
> classicupgrade not to worry about the certs' validity.  Then I think I 
> might have access issues on what is shown to an anon client.
>

Do you have /etc/openldap/slapd.conf or /etc/openldap/slapd.conf.d ?

If it is the former (by the way I hope you are doing all this in a test 
environment and not on your ClearOS server), then just remove any lines 
that start 'TLSC' (there should be 3). It gets a bit more involved if it 
is the latter, because you will have to find the file in the slapd.conf.d 
directory and remove the lines from there. It has been some time since I 
last used openldap, but I can remember altering the files in the 
slapd.conf.d dir manually and then starting slapd (I should have 
mentioned that you will need to stop slapd before you change anything 
and always backup everything before changing anything).

Rowland

>>
>> Rowland
>>
>>
>
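The failure in this thread is the LDAP client (the machine running samba-tool classicupgrade) refusing the ldaps:// server because it does not trust the certificate's issuer. Weakening TLS_REQCERT or dropping back to plain ldap:// makes the error go away, but the alternative is to leave verification on and give the client the issuing CA via TLS_CACERT. The following shell script is an added example, not code from the thread or from Samba/OpenLDAP: it audits an OpenLDAP client ldap.conf for its TLS posture before an upgrade run, and includes a helper that prints the subject and issuer the ldaps server actually presents, so the right CA can be installed. It assumes the standard ldap.conf(5) "KEY value" syntax and default (TLS_REQCERT defaults to demand); the file paths and the CA filename in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit an OpenLDAP client ldap.conf for TLS settings
# before pointing a passdb backend or classicupgrade at ldaps://.

# Print the value of a ldap.conf key (case-insensitive); last occurrence wins.
# $1 = file, $2 = key
ldap_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # skip comments
        toupper($1) == toupper(key) { val = $2 }        # KEY value
        END { print val }
    ' "$1"
}

# Classify the client's TLS posture.
# exit 0 = certificate verified against an explicit trust anchor
# exit 1 = verification disabled (never/allow): MITM of the LDAP bind goes unnoticed
# exit 2 = verification enforced but no explicit trust anchor: a private-CA
#          issuer (as in the thread) is rejected unless the library's default store has it
# exit 3 = unrecognised TLS_REQCERT value
audit_ldap_conf() {
    file="$1"
    reqcert=$(ldap_conf_get "$file" TLS_REQCERT)
    cacert=$(ldap_conf_get "$file" TLS_CACERT)
    cadir=$(ldap_conf_get "$file" TLS_CACERTDIR)
    [ -z "$reqcert" ] && reqcert=demand      # ldap.conf(5) default
    reqcert=$(printf '%s' "$reqcert" | tr 'A-Z' 'a-z')
    case "$reqcert" in
        never|allow)
            echo "WEAK: TLS_REQCERT $reqcert ignores server certificate validation in $file"
            return 1 ;;
        try|demand|hard)
            if [ -n "$cacert" ] || [ -n "$cadir" ]; then
                echo "OK: TLS_REQCERT $reqcert, trust anchor ${cacert:-$cadir}"
                return 0
            fi
            echo "WARN: TLS_REQCERT $reqcert but no TLS_CACERT/TLS_CACERTDIR in $file"
            return 2 ;;
        *)
            echo "UNKNOWN: TLS_REQCERT value '$reqcert'"
            return 3 ;;
    esac
}

# Show the subject and issuer the ldaps server presents, to identify which
# CA certificate belongs in TLS_CACERT. Needs network access; not run by the demo.
# $1 = host, $2 = port (default 636)
ldaps_issuer() {
    openssl s_client -connect "$1:${2:-636}" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer
}

# Demo on two constructed files: the ldap.conf quoted in the thread and a
# hardened variant that trusts the site CA instead of relaxing the check.
demo_audit() {
    weak=$(mktemp) && hard=$(mktemp) || return 1
    printf 'BASE         dc=home,dc=htt\nHOST         127.0.0.1\nTLS_REQCERT  allow\n' > "$weak"
    printf 'BASE         dc=home,dc=htt\nHOST         127.0.0.1\nTLS_REQCERT  demand\n' > "$hard"
    # placeholder path: copy the issuing CA certificate here on the client
    printf 'TLS_CACERT   /etc/openldap/cacerts/home-htt-ca.pem\n' >> "$hard"
    audit_ldap_conf "$weak" || :
    audit_ldap_conf "$hard" || :
    rm -f "$weak" "$hard"
}

demo_audit
```

Run the script on a client by calling `audit_ldap_conf /etc/openldap/ldap.conf`; a WEAK verdict means the bind credentials in `ldap admin dn` can be captured by anyone who can interpose on the path to the server, which is the trade-off hidden behind `TLS_REQCERT never`.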
