Steve Langasek wrote:
On Mon, Feb 19, 2007 at 07:31:25AM +0100, Mgr. Peter Tuharsky wrote:
Steve Langasek wrote:
On Thu, Feb 15, 2007 at 01:36:51PM +0100, Mgr. Peter Tuharsky wrote:
We've had a working Samba/LDAP domain based on Sarge. Now we're trying to move to Etch. We recycled old configs, or modified the new ones to be equal.

Now, when I start Samba, it seems it cannot connect to the LDAP server. I've got these errors in the log:

lib/smbldap.c:smb_ldap_start_tls(612)
 Failed to issue the StartTLS instruction: Connect error
lib/smbldap.c:another_ldap_try(1150)
 Connection to LDAP server failed for the 1 try!

Soon, the smbd exits.

Could you please post your smb.conf?

Of course. Here you are.

Ok, nothing seems out of the ordinary here, that's too bad -- no easy answer
here.


The odd thing ("no easy answers TM") is that, despite the errors in the log, the Samba domain WORKS for a little while. Machines and users log on as if nothing happened. Users get authenticated, network shares are connected. After several tens of seconds (a minute or so) smbd dies and the domain dies with it.

The second odd thing is that LDAP itself works well too. We can authenticate against the LDAP server from SMTP, IMAP and eGroupWare, and local machine users can log on using PAM-LDAP. Only when we run Samba on the server to allow Windows domain logons does Samba act as described above.



    passdb backend = ldapsam:"ldap://vedko6.misbb.sk:389";

Are the quotes necessary here?  I'm not sure that removing them would make
any difference.



We'll try to remove the quotes; however, it works well with them in Sarge.

# 070215: Originally this was:
#    ldap ssl = start_tls
# But reportedly Samba 3.x does not support LDAP over SSL, only ldap_start_tls,
# so it is reportedly supposed to be written without the underscore, start tls:
# and some even give ldap ssl = off

    ldap ssl = start tls

Well, that seems it really ought to be sufficient, yes.

How do you have libldap configured to verify the SSL certificates?  If you
try to connect to the server with ldapsearch, do you get the same error?



Please specify what kind of info you need here. I don't understand that.


Tomorrow, we will try to remove the TLS, since the LDAP and Samba domain are running on the same machine. As TLS encrypts just the communication between them (hopefully, AFAIK???), it seems it is not needed there (???). This is just a workaround, however, and not everybody can afford it.


Sincerely
Peter
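
The two questions quoted above (how libldap is configured to verify certificates, and whether ldapsearch hits the same error) can be answered with a short script. This is an added example, not part of the thread: the function names, the constructed sample file, the `LDAP_PROBE_URI` variable and the assumption that a later ldap.conf line overrides an earlier one are all assumptions of the example. On Debian the file to inspect is /etc/ldap/ldap.conf.

```shell
#!/bin/sh
# Added example: how will libldap verify the server certificate, and does
# StartTLS work from the command line?

# Print the value of an ldap.conf option, or nothing if unset. Option names
# are case-insensitive; assumed here: a later line overrides an earlier one.
ldap_conf_get() {  # usage: ldap_conf_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        toupper($1) == toupper(key) { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { if (val != "") print val }' "$1"
}

# One-line summary of the certificate checking that FILE asks for.
tls_verify_summary() {  # usage: tls_verify_summary FILE
    ca=$(ldap_conf_get "$1" TLS_CACERT)
    cadir=$(ldap_conf_get "$1" TLS_CACERTDIR)
    req=$(ldap_conf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    [ -n "$req" ] || req=demand   # libldap's default when the option is absent
    case "$req" in
        never|allow) echo "unverified: TLS_REQCERT=$req" ;;
        *)  if [ -z "$ca$cadir" ]; then
                echo "no-ca-configured: TLS_REQCERT=$req"
            elif [ -n "$ca" ] && [ ! -r "$ca" ]; then
                echo "ca-unreadable: $ca"
            else
                echo "verified: TLS_REQCERT=$req CA=${ca:-$cadir}"
            fi ;;
    esac
}

# Live probe of the root DSE. -ZZ aborts unless StartTLS succeeds; -d 1 prints
# libldap's connection trace, including TLS errors.
starttls_probe() {  # usage: starttls_probe URI
    ldapsearch -x -ZZ -d 1 -H "$1" -s base -b "" -LLL namingContexts
}

# Demo on a constructed sample file (not the poster's configuration).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'BASE dc=example,dc=org' \
    'tls_reqcert never' > "$sample"
tls_verify_summary "$sample"
rm -f "$sample"

# Set the hypothetical LDAP_PROBE_URI variable to also test a real server.
[ -z "${LDAP_PROBE_URI:-}" ] || starttls_probe "$LDAP_PROBE_URI"
```

Use the same host name in the probe URI as in the `passdb backend` line, because libldap compares that name with the one in the server certificate.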
