samba - Jan 2002 - HEAD: smb.conf 'ldap ssl' defaults to on?

Hi all,

It appears this is, indeed, the right place to ask 'stuff'

So here I go again.

After successfully compiling HEAD --with-ldapsam, (thanks Gerry) I 
found that I could log in to a samba domain from a W2K box. 
Except I got a message saying I didn't have permission to access 
my profile, and in fact neither could I access any of my shares. 
Whoops. And it all works fine under 2.2.2.

I've spent all day debugging, and finally an strace showed me the 
way. There's an iddy-biddy if() block in passdb/pdb_ldap.c which 
checks whether to connect to the LDAP server on the ldaps port 
(685?) or the normal ldap port (389). And this wasn't giving the right 
answer. So I set 'ldap ssl = no' in smb.conf and now all is well 
again. AND I get spiffy SIDs rather than dowdy 
unix_group\loadofnumbers when I look at process security stuff in 
W2K.

Now, the man page says that 'ldap ssl' defaults to off.

Is the man page wrong, or have I done another of my astounding 
feats of misconfiguration?

 Maybe I've done something wrong when configuring openssl.
 It's happened before.

Problems aside, this stuff is deeply cool. I'm betting it's gonna get 
even cooler when I get me head round the group mapping stuff.

Thanks

Mart

** Sometime soon I'm gonna get me a sig. And it's gonna be 
WAAY cool. I've just got these hundred and thirty urgent tasks to 
do first. **

On Thu, 3 Jan 2002 martin@sbirmc.ac.uk wrote:
> I've spent all day debugging, and finally an strace showed me the
> way. There's an iddy-biddy if() block in passdb/pdb_ldap.c which
> checks whether to connect to the LDAP server on the ldaps port
> (685?) or the normal ldap port (389). And this wasn't giving the right
> answer. So I set 'ldap ssl = no' in smb.conf and now all is well
> again. AND I get spiffy SIDs rather than dowdy
> unix_group\loadofnumbers when I look at process security stuff in
> W2K.
>
> Now, the man page says that 'ldap ssl' defaults to off.
welcome to the bleeding edge.  I'm updated the docs in 2.2
but not in HEAD.  Yes "ldap ssl" will default to "on" and
"ldap port" will default to 636.

This was a recent change as the clear text transmission of
password hashes was deemed to evil to live.

Sory you got bit by this.  I'l update the docs in HEAD tonight
and try look at syncing the code some more.







chau.  jerry
 ---------------------------------------------------------------------
 Hewlett-Packard                                     http://www.hp.com
 SAMBA Team                                       http://www.samba.org
 --                                            http://www.plainjoe.org
 "Sam's Teach Yourself Samba in 24 Hours" 2ed.      ISBN
0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--