[Samba] Access remote ldap for classicupgrade

Robert Moskowitz rgm at htt-consult.com
Fri Sep 18 21:49:31 UTC 2015



On 09/18/2015 05:26 PM, Rowland Penny wrote:
> On 18/09/15 21:54, Robert Moskowitz wrote:
>>
>>
>> On 09/18/2015 04:30 PM, Rowland Penny wrote:
>>> On 18/09/15 21:19, Robert Moskowitz wrote:
>>>>
>>>>
>>>> On 09/18/2015 03:25 PM, Rowland Penny wrote:
>>>>> On 18/09/15 19:50, Robert Moskowitz wrote:
>>>>>> OK. So I added to /etc/samba/smb.conf in the [Global] section:
>>>>>>
>>>>>> passdb backend = ldapsam:ldaps://192.168.128.2
>>>>>> ldap admin dn = cn=manager,ou=Internal,dc=home,dc=htt
>>>>>> ldap group suffix = ou=Groups,ou=Accounts
>>>>>> ldap idmap suffix = ou=Idmap
>>>>>> ldap machine suffix = ou=Computers,ou=Accounts
>>>>>> ldap passwd sync = No
>>>>>> ldap suffix = dc=home,dc=htt
>>>>>> ldap user suffix = ou=Users,ou=Accounts
>>>>>> ldap connection timeout = 8
>>>>>> ldap ssl = Off
>>>>>>
>>>>>> I ran:
>>>>>>
>>>>>> # samba-tool domain classicupgrade --dbdir=/root/samba.PDC/dbdir/ 
>>>>>> --use-xattrs=yes --realm=HOME.HTT --dns-backend=BIND9_DLZ 
>>>>>> /root/samba.PDC/etc/smb.conf
>>>>>>
>>>>>> And it failed as follows:
>>>>>>
>>>>>> Reading smb.conf
>>>>>> NOTE: Service printers is flagged unavailable.
>>>>>> NOTE: Service print$ is flagged unavailable.
>>>>>> Unknown parameter encountered: "force directory security mode"
>>>>>> Ignoring unknown parameter "force directory security mode"
>>>>>> Provisioning
>>>>>> failed to bind to server ldaps://192.168.128.2 with 
>>>>>> dn="cn=manager,ou=Internal,dc=home,dc=htt" Error: Can't contact 
>>>>>> LDAP server
>>>>>>     TLS error -8172:Peer's certificate issuer has been marked as 
>>>>>> not trusted by the user.
>>>>>> Connection to LDAP server failed for the 1 try!
>>>>>> Connection to LDAP server failed for the 2 try!
>>>>>> Connection to LDAP server failed for the 3 try!
>>>>>> Connection to LDAP server failed for the 4 try!
>>>>>> Connection to LDAP server failed for the 5 try!
>>>>>> Connection to LDAP server failed for the 6 try!
>>>>>> Connection to LDAP server failed for the 7 try!
>>>>>> Connection to LDAP server failed for the 8 try!
>>>>>> Connection to LDAP server failed for the 9 try!
>>>>>> Connection to LDAP server failed for the 10 try!
>>>>>> Connection to LDAP server failed for the 11 try!
>>>>>> Connection to LDAP server failed for the 12 try!
>>>>>> Connection to LDAP server failed for the 13 try!
>>>>>> Connection to LDAP server failed for the 14 try!
>>>>>> Connection to LDAP server failed for the 15 try!
>>>>>> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one 
>>>>>> to the domain. We cannot work reliably without it.
>>>>>> pdb backend ldapsam:ldaps://192.168.128.2 did not correctly init 
>>>>>> (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
>>>>>> ERROR(<class 'passdb.error'>): uncaught exception - Cannot load 
>>>>>> backend methods for 'ldapsam:ldaps://192.168.128.2' backend 
>>>>>> (-1073741606,Configuration information could not be read from the 
>>>>>> domain controller, either because the machine is unavailable or 
>>>>>> access has been denied.)
>>>>>>   File 
>>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 
>>>>>> 175, in _run
>>>>>>     return self.run(*args, **kwargs)
>>>>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/domain.py", 
>>>>>> line 1452, in run
>>>>>>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>>>>>   File "/usr/lib/python2.7/site-packages/samba/upgrade.py", line 
>>>>>> 483, in upgrade_from_samba3
>>>>>>     s3db = samba3.get_sam_db()
>>>>>>   File 
>>>>>> "/usr/lib/python2.7/site-packages/samba/samba3/__init__.py", line 
>>>>>> 394, in get_sam_db
>>>>>>     return passdb.PDB(self.lp.get('passdb backend'))
>>>>>>
>>>>>>
>>>>>
>>>>> I wonder if you can turn off SSL on the old server, what do you 
>>>>> have in /etc/ldap.conf (or /etc/ldap/ldap.conf or 
>>>>> /etc/openldap/ldap.conf ) ?
>>>>
>>>> On the server (but would it not be slapd.conf for the server?):
>>>
>>> No, slapd.conf is for the configuration of the ldap server (it may 
>>> in fact be slapd.conf.d)
>>>
>>>> more /etc/openldap/ldap.conf
>>>> BASE         dc=home,dc=htt
>>>> HOST         127.0.0.1
>>>> TIMELIMIT    30
>>>> SIZELIMIT    0
>>>> TLS_REQCERT  allow
>>>>
>>>
>>> Try commenting out 'TLS_REQCERT'
>>
>> I looked again at that error above, and it is the client 
>> (classicupgrade) that is requesting the cert and failing.  So it is on 
>> that system that I need to tell it not to request or worry about the 
>> server cert.  So I think I need:
>>
>> TLS_REQCERT never|try
>>
>> In its ldap.conf
>>
>>> , change 'ldaps' to 'ldap' in your old server smb.conf (I would also 
>>> remove the shares and the lines that the classicupgrade objects to) 
>>> and try the classicupgrade again.
>>
>> I was told this option is buried deep in the ClearOS openldap setup.  
>> It is definitely nowhere under /etc/samba.  So the first step is to get 
>> classicupgrade not to worry about the cert's validity.  Then I think I 
>> might have access issues on what is shown to an anon client.
>>
>>
> OK, a quick google turned this up:
>
> http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=3
>
> Which tells you how to get ssl working with openldap on centos 6 
> (clearos is based on centos), so by reversing it should remove ssl 
> from slapd:
>
> nano mod_ssl.ldif
>
> dn: cn=config
> changetype: modify
> delete: olcTLSCACertificateFile
> -
> delete: olcTLSCertificateFile
> -
> delete: olcTLSCertificateKeyFile
>
> ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
>
> nano /etc/sysconfig/ldap
>
> Comment out or remove:
>
> SLAPD_LDAPS=yes
>
> /etc/rc.d/init.d/slapd restart
>
> HTH rowland
>
Will look at this Sunday.  Time to shut down.

thanks.
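Added example for this thread (not Samba, ClearOS or either poster's code): a small Python audit of the client-side ldap.conf settings discussed above, plus a check that verifies the LDAPS endpoint against a CA bundle instead of relaxing TLS_REQCERT. The host, CA path and sample config are constructed assumptions.

```python
"""Audit an OpenLDAP client ldap.conf for how it validates the LDAPS server
certificate, and verify a server chain against a CA bundle. Added example
for this thread, not Samba/ClearOS code; host, CA path and the sample
config are constructed."""
import socket
import ssl

# Constructed sample based on the client-side ldap.conf quoted in the thread.
SAMPLE_LDAP_CONF = """
BASE         dc=home,dc=htt
HOST         127.0.0.1
TIMELIMIT    30
SIZELIMIT    0
TLS_REQCERT  allow
"""


def parse_ldap_conf(text):
    """Return {OPTION: value} for every uncommented 'OPTION value' line."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def assess_tls(opts):
    """Classify certificate checking. Only 'demand' (the libldap default)
    together with a CA file rejects an untrusted issuer; 'never', 'allow'
    and 'try' accept it silently, which defeats the point of ldaps://."""
    reqcert = opts.get("TLS_REQCERT", "demand").lower()
    ca = opts.get("TLS_CACERT") or opts.get("TLS_CACERTDIR")
    if reqcert in ("never", "allow", "try"):
        return "weak", "TLS_REQCERT %s accepts an untrusted issuer" % reqcert
    if not ca:
        return "incomplete", "TLS_REQCERT demand but no TLS_CACERT(DIR) set"
    return "ok", "server certificate is verified against %s" % ca


def verify_ldaps(host, cafile, port=636, timeout=8):
    """Open ldaps://host:port and verify the chain against cafile. Returns
    the peer subject on success; raises ssl.SSLCertVerificationError when
    the issuer is untrusted (the condition behind the NSS -8172 error)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]
```

Running `assess_tls(parse_ldap_conf(SAMPLE_LDAP_CONF))` on the quoted config reports "weak"; the durable fix is to install the issuing CA on the client, point TLS_CACERT at it and leave TLS_REQCERT at demand, then confirm with `verify_ldaps("192.168.128.2", "/path/to/ca.pem")`.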