[Samba] Access remote ldap for classicupgrade
Rowland Penny
rowlandpenny241155 at gmail.com
Fri Sep 18 21:26:31 UTC 2015
On 18/09/15 21:54, Robert Moskowitz wrote:
>
>
> On 09/18/2015 04:30 PM, Rowland Penny wrote:
>> On 18/09/15 21:19, Robert Moskowitz wrote:
>>>
>>>
>>> On 09/18/2015 03:25 PM, Rowland Penny wrote:
>>>> On 18/09/15 19:50, Robert Moskowitz wrote:
>>>>> OK. So I added to /etc/samba/smb.conf in the [Global] section:
>>>>>
>>>>> passdb backend = ldapsam:ldaps://192.168.128.2
>>>>> ldap admin dn = cn=manager,ou=Internal,dc=home,dc=htt
>>>>> ldap group suffix = ou=Groups,ou=Accounts
>>>>> ldap idmap suffix = ou=Idmap
>>>>> ldap machine suffix = ou=Computers,ou=Accounts
>>>>> ldap passwd sync = No
>>>>> ldap suffix = dc=home,dc=htt
>>>>> ldap user suffix = ou=Users,ou=Accounts
>>>>> ldap connection timeout = 8
>>>>> ldap ssl = Off
>>>>>
>>>>> I ran:
>>>>>
>>>>> # samba-tool domain classicupgrade --dbdir=/root/samba.PDC/dbdir/
>>>>> --use-xattrs=yes --realm=HOME.HTT --dns-backend=BIND9_DLZ
>>>>> /root/samba.PDC/etc/smb.conf
>>>>>
>>>>> And it failed as follows:
>>>>>
>>>>> Reading smb.conf
>>>>> NOTE: Service printers is flagged unavailable.
>>>>> NOTE: Service print$ is flagged unavailable.
>>>>> Unknown parameter encountered: "force directory security mode"
>>>>> Ignoring unknown parameter "force directory security mode"
>>>>> Provisioning
>>>>> failed to bind to server ldaps://192.168.128.2 with
>>>>> dn="cn=manager,ou=Internal,dc=home,dc=htt" Error: Can't contact
>>>>> LDAP server
>>>>> TLS error -8172:Peer's certificate issuer has been marked as
>>>>> not trusted by the user.
>>>>> Connection to LDAP server failed for the 1 try!
>>>>> Connection to LDAP server failed for the 2 try!
>>>>> Connection to LDAP server failed for the 3 try!
>>>>> Connection to LDAP server failed for the 4 try!
>>>>> Connection to LDAP server failed for the 5 try!
>>>>> Connection to LDAP server failed for the 6 try!
>>>>> Connection to LDAP server failed for the 7 try!
>>>>> Connection to LDAP server failed for the 8 try!
>>>>> Connection to LDAP server failed for the 9 try!
>>>>> Connection to LDAP server failed for the 10 try!
>>>>> Connection to LDAP server failed for the 11 try!
>>>>> Connection to LDAP server failed for the 12 try!
>>>>> Connection to LDAP server failed for the 13 try!
>>>>> Connection to LDAP server failed for the 14 try!
>>>>> Connection to LDAP server failed for the 15 try!
>>>>> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one
>>>>> to the domain. We cannot work reliably without it.
>>>>> pdb backend ldapsam:ldaps://192.168.128.2 did not correctly init
>>>>> (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
>>>>> ERROR(<class 'passdb.error'>): uncaught exception - Cannot load
>>>>> backend methods for 'ldapsam:ldaps://192.168.128.2' backend
>>>>> (-1073741606,Configuration information could not be read from the
>>>>> domain controller, either because the machine is unavailable or
>>>>> access has been denied.)
>>>>> File
>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line
>>>>> 175, in _run
>>>>> return self.run(*args, **kwargs)
>>>>> File "/usr/lib/python2.7/site-packages/samba/netcmd/domain.py",
>>>>> line 1452, in run
>>>>> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>>>> File "/usr/lib/python2.7/site-packages/samba/upgrade.py", line
>>>>> 483, in upgrade_from_samba3
>>>>> s3db = samba3.get_sam_db()
>>>>> File
>>>>> "/usr/lib/python2.7/site-packages/samba/samba3/__init__.py", line
>>>>> 394, in get_sam_db
>>>>> return passdb.PDB(self.lp.get('passdb backend'))
>>>>>
>>>>>
>>>>
>>>> I wonder if you can turn off SSL on the old server, what do you
>>>> have in /etc/ldap.conf (or /etc/ldap/ldap.conf or
>>>> /etc/openldap/ldap.conf ) ?
>>>
>>> On the server (but would it not be slapd.conf for the server?):
>>
>> No, slapd.conf is for the configuration of the ldap server (it may in
>> fact be slapd.conf.d)
>>
>>> more /etc/openldap/ldap.conf
>>> BASE dc=home,dc=htt
>>> HOST 127.0.0.1
>>> TIMELIMIT 30
>>> SIZELIMIT 0
>>> TLS_REQCERT allow
>>>
>>
>> Try commenting out 'TLS_REQCERT'
>
> I looked again at that error above, and it is the client
> (classicupgrade) that is requesting the cert and failing. So it is on
> that system that I need to tell it not to request or worry about the
> server cert. So I think I need:
>
> TLS_REQCERT never|try
>
> In its ldap.conf
>
>> , change 'ldaps' to 'ldap' in your old server smb.conf (I would also
>> remove the shares and the lines that the classicupgrade objects to)
>> and try the classicupgrade again.
>
> I was told this option is buried deep in the ClearOS openldap setup.
> It is definitely nowhere under /etc/samba. So the first step is to get
> classicupgrade not to worry about the cert's validity. Then I think I
> might have access issues on what is shown to an anon client.
>
>
OK, a quick google turned this up:
http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=3
Which tells you how to get ssl working with openldap on centos 6
(clearos is based on centos), so by reversing it should remove ssl from
slapd:
nano mod_ssl.ldif
dn: cn=config
changetype: modify
delete: olcTLSCACertificateFile
-
delete: olcTLSCertificateFile
-
delete: olcTLSCertificateKeyFile
ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
nano /etc/sysconfig/ldap
Comment out or remove:
SLAPD_LDAPS=yes
/etc/rc.d/init.d/slapd restart
HTH rowland
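Added example, not code from the thread: a small audit of the two client-side files discussed above (the OpenLDAP ldap.conf and the smb.conf passdb line) that reports whether the ldaps:// bind will verify the server certificate and whether the -8172 "issuer not trusted" failure is expected. The config fragments are constructed for the example; TLS_CACERT is the ldap.conf(5) option for trusting the issuing CA instead of lowering TLS_REQCERT.

```python
import re

# TLS_REQCERT semantics per ldap.conf(5): 'demand'/'hard' (the default) drop the
# session on a missing or bad server cert, 'try' only on a bad one, while
# 'allow' and 'never' accept anything, i.e. no peer verification at all.
REQCERT_VERIFIES = {"never": False, "allow": False, "try": True,
                    "demand": True, "hard": True}

def parse_ldap_conf(text):
    """Return {KEY: value} for ldap.conf lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def parse_smb_conf(text):
    """Return {key: value} for 'key = value' lines; section headers ignored."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^#;=\[][^=]*?)\s*=\s*(.*?)\s*$", line)
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf

def tls_posture(ldap_conf, smb_conf):
    """Summarise how the ldapsam backend will treat the server certificate."""
    backend = smb_conf.get("passdb backend", "")
    # An ldaps:// URI in 'passdb backend' uses TLS regardless of 'ldap ssl',
    # which only governs StartTLS on plain ldap:// URIs.
    uses_ldaps = backend.startswith("ldapsam:ldaps://")
    reqcert = ldap_conf.get("TLS_REQCERT", "demand").lower()
    has_ca = "TLS_CACERT" in ldap_conf or "TLS_CACERTDIR" in ldap_conf
    verifies = REQCERT_VERIFIES.get(reqcert, True)
    return {
        "uses_ldaps": uses_ldaps,
        "reqcert": reqcert,
        "verifies_peer": uses_ldaps and verifies,
        # Verifying client with no trusted CA configured: the thread's
        # failure mode (issuer unknown, bind refused with TLS error -8172).
        "will_fail_unknown_issuer": uses_ldaps and verifies and not has_ca,
    }

# Constructed samples mirroring the thread's settings.
SMB_CONF = "[Global]\npassdb backend = ldapsam:ldaps://192.168.128.2\nldap ssl = Off\n"
LDAP_CONF_DEFAULT = "BASE dc=home,dc=htt\nHOST 127.0.0.1\n"
LDAP_CONF_TRUST_CA = LDAP_CONF_DEFAULT + "TLS_CACERT /etc/openldap/cacerts/ca.crt\n"

if __name__ == "__main__":
    for name, text in (("default", LDAP_CONF_DEFAULT), ("trust-ca", LDAP_CONF_TRUST_CA)):
        print(name, tls_posture(parse_ldap_conf(text), parse_smb_conf(SMB_CONF)))
```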