Robert Harrison
2003-Aug-22 12:07 UTC
[Samba] 3.0 with LDAP backend using SSL/TLS and OpenLDAP 2.1.22-1
Preamble: I was reading in the OpenLDAP faq-o-matic that as of 2.1, LDAP clients (or specifically the LDAP client libraries) need to know how to find the certificate when connecting via SSL or TLS. As of 3.0, I've been getting a Samba internal error when setting ldap ssl = start tls in the smb.conf file. testparm checks out ok (my Samba server is configured as a Role_Domain_PDC server). This error occurs when using smbclient to connect to Samba on the same machine or when attempting to browse the server using a WinXP Pro SP1 client. Setting ldap ssl = no eliminates the error and the LDAP backend operates correctly. The error occurs on samba 3.0beta2 and samba 3.0rc1. I do recall that I used to have a secure connection to the LDAP backend working with Samba v2.9999... and OpenLDAP 2.0.x; however, I don't want to downgrade as I like the new features of 3.0. I was basically wondering whether there is a configuration option that I am missing (possibly to do with pointing Samba at the client SSL certificate to use when connecting via TLS). Interestingly, I do have both libgnutls5 (0.8.8-2) and libgnutls7 (0.8.9-2) installed, as various software I have depends on one or the other of these libraries. Samba appears to be linked to libgnutls5.
Other pertinent version info: OS: Debian testing/unstable, kernel 2.4.20-9, libldap2 2.1.22-1

Snippet of the log.smbd file follows:

[2003/08/22 12:37:33, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 3241 (3.0.0rc1-0 for Debian)
  Please read the appendix Bugs of the Samba HOWTO collection
[2003/08/22 12:37:33, 0] lib/fault.c:fault_report(39)
  ==============================================================
[2003/08/22 12:37:33, 0] lib/util.c:smb_panic(1452)
  smb_panic(): calling panic action [/usr/share/samba/panic-action 3241]
/usr/share/samba/panic-action: line 48: mail: command not found
[2003/08/22 12:37:33, 0] lib/util.c:smb_panic(1460)
  smb_panic(): action returned status 127
[2003/08/22 12:37:33, 0] lib/util.c:smb_panic(1462)
  PANIC: internal error
[2003/08/22 12:37:33, 0] lib/util.c:smb_panic(1469)
  BACKTRACE: 21 stack frames:
   #0 /usr/sbin/smbd(smb_panic+0xc9) [0x81816b5]
   #1 /usr/sbin/smbd [0x8172de2]
   #2 /lib/libc.so.6 [0x401d0c38]
   #3 /usr/lib/libldap.so.2(gnutls_SSL_get_certificate+0x39) [0x400f9c4e]
   #4 /usr/lib/libldap.so.2(ldap_pvt_tls_get_my_dn+0x1e) [0x400f7daf]
   #5 /usr/lib/libldap.so.2(ldap_int_tls_start+0x116) [0x400f8bce]
   #6 /usr/lib/libldap.so.2(ldap_start_tls_s+0xb2) [0x400f8f20]
   #7 /usr/sbin/smbd [0x81d30f1]
   #8 /usr/sbin/smbd [0x81d34c5]
   #9 /usr/sbin/smbd(smbldap_retry_open+0x31) [0x81d3715]
   #10 /usr/sbin/smbd(smbldap_search+0x4e) [0x81d387a]
   #11 /usr/sbin/smbd(smbldap_search_suffix+0x57) [0x81d3ed7]
   #12 /usr/sbin/smbd(smbldap_search_domain_info+0x8c) [0x81d4784]
   #13 /usr/sbin/smbd [0x816726f]
   #14 /usr/sbin/smbd [0x815fa4e]
   #15 /usr/sbin/smbd(make_pdb_context_list+0xc8) [0x815ff2c]
   #16 /usr/sbin/smbd [0x81601f3]
   #17 /usr/sbin/smbd(initialize_password_db+0xe) [0x816057a]
   #18 /usr/sbin/smbd(main+0x32f) [0x81d5c8b]
   #19 /lib/libc.so.6(__libc_start_main+0xac) [0x401bed04]
   #20 /usr/sbin/smbd(chroot+0x31) [0x80768e1]

Any help or suggestions greatly appreciated,
Rob.
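An added pre-flight check, not from the post or from the Samba project: the backtrace shows the crash inside libldap's own StartTLS path (ldap_start_tls_s, ldap_int_tls_start, ldap_pvt_tls_get_my_dn, gnutls_SSL_get_certificate), so inspecting the client-side TLS directives in ldap.conf and exercising StartTLS with ldapsearch -ZZ outside smbd separates a libldap/GnuTLS configuration problem from a Samba one. The Debian path /etc/ldap/ldap.conf and the LDAP URI argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): check the OpenLDAP client TLS directives that
# libldap reads for StartTLS, then exercise StartTLS with ldapsearch outside smbd.
# Assumed paths: /etc/ldap/ldap.conf (Debian default) and the LDAP URI argument.
# Value of a directive from an ldap.conf-style file; comment lines are skipped,
# the directive name is matched case-insensitively and the last occurrence wins.
ldap_conf_get() {
    awk -v k="$2" '$1 !~ /^#/ && toupper($1) == k { v = $2 } END { if (v != "") print v }' "$1"
}

# 0 if the client can verify the server (readable TLS_CACERT or TLS_CACERTDIR), else 1.
ldap_tls_conf_check() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cadir=$(ldap_conf_get "$conf" TLS_CACERTDIR)
    if [ -n "$cacert" ] && [ -r "$cacert" ]; then echo "TLS_CACERT $cacert: ok"; return 0; fi
    if [ -n "$cadir" ] && [ -d "$cadir" ]; then echo "TLS_CACERTDIR $cadir: ok"; return 0; fi
    echo "no readable TLS_CACERT/TLS_CACERTDIR in $conf"; return 1
}

# 0 if a client certificate pair (TLS_CERT + TLS_KEY) is configured and readable,
# 1 if none is configured, 2 if the pair is incomplete or unreadable.
ldap_client_cert_check() {
    cert=$(ldap_conf_get "$1" TLS_CERT)
    key=$(ldap_conf_get "$1" TLS_KEY)
    if [ -z "$cert" ] && [ -z "$key" ]; then
        echo "no client certificate configured (TLS_CERT/TLS_KEY unset)"; return 1
    elif [ -r "$cert" ] && [ -r "$key" ]; then
        echo "client certificate configured: $cert"; return 0
    fi
    echo "TLS_CERT/TLS_KEY incomplete or unreadable"; return 2
}

# Same libldap StartTLS path smbd takes, without smbd: -ZZ makes ldapsearch fail
# instead of silently continuing in cleartext when StartTLS does not succeed.
ldap_starttls_probe() {
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed"; return 2; }
    if ldapsearch -x -H "$1" -ZZ -b "" -s base >/dev/null 2>&1; then
        echo "StartTLS to $1: ok"; return 0
    fi
    echo "StartTLS to $1 failed; fix the libldap/GnuTLS setup before testing Samba"; return 1
}

# Usage: sh ldap_tls_check.sh ldap://ldap.example.com [/etc/ldap/ldap.conf]
if [ $# -gt 0 ]; then
    conf="${2:-/etc/ldap/ldap.conf}"
    ldap_tls_conf_check "$conf"
    ldap_client_cert_check "$conf"
    ldap_starttls_probe "$1"
fi
```

If the probe fails with the same library that smbd links against, the problem lies in the client TLS configuration (CA or client certificate lookup) rather than in smb.conf.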