samba - May 2005 - Is this a new tls problem?

Please CC to me since I?m not in the list anymore!

I have red miles of text about tls problems in the samba list. This time I can?t
find any helpful hint.
I had a fully functional test environment with samba-3.0.10 (tls enabled)
openldap-2.1.x
After upgrading to newer version suddenly samba stopped authenticate against
openldap with tls enabled.
My configuration is just like the one on idealx.org
I can make users
I can connect to with self made account.
My smb.conf have the ?ldap ssl = start tls? setting but it seams like samba at
some point suddenly stopped having support for the tls option.
I can successfully do a:
ldapsearch ?x ?ZZ
My ldap account for samba is cn=samba,ou=DSA,dc=dbb,dc=su,dc=se
I?ve added the password to secret.tdb
I can successfully do a:
ldapsearch ?x ?ZZ ?h localhost ?D cn=samba,ou=DSA,dc=dbb,dc=su,dc=se ?W

As soon as I start use samba I get the tls problem. When I start samba I get the
following error in my syslog:

May 30 14:21:21 frodo slapd[6242]: connection_read(12): unable to get TLS client
DN, error=49 id=234
May 30 14:21:21 frodo smbd[11539]: [2005/05/30 14:21:21, 0]
lib/smbldap.c:smbldap_open_connection(677)
May 30 14:21:21 frodo smbd[11539]:   Failed to issue the StartTLS instruction:
Connect error
May 30 14:21:21 frodo smbd[11539]: [2005/05/30 14:21:21, 1]
lib/smbldap.c:another_ldap_try(1011)
May 30 14:21:21 frodo smbd[11539]:   Connection to LDAP server failed for the 1
try!

Testparm doesn?t show any errors.

I don?t know how samba connect to the ldap server but I assume it uses ldap.conf
and here it is:
HOST frodo.dbb.su.se
##host= 127.0.0.1
BASE dc=dbb,dc=su,dc=se

rootbinddn cn=nssldap,ou=DSA,dc=dbb,dc=su,dc=se

nss_base_passwd         ou=Users,dc=dbb,dc=su,dc=se?one
nss_base_passwd         ou=Computers,dc=dbb,dc=su,dc=se?one
nss_base_shadow         ou=Users,dc=dbb,dc=su,dc=se?one
nss_base_group          ou=Groups,dc=dbb,dc=su,dc=se?one

##ssl no
pam_password md5

tls_checkpeer yes
TLS_CACERT /etc/ldap/ca.pem
##tls_cacertfile /etc/ldap/ca.pem ####have never worked for some reoson
TLS_REQCERT demand
ssl start_tls
tls_cert /etc/nssldapcets/nssldap.pem
tls_key /etc/nssldapcets/nssldap.key

This also works:
ldapsearch ?x ?ZZ ?h localhost ?D cn=nssldap,ou=DSA,dc=dbb,dc=su,dc=se ?W

I have nssldap password in ldap.secret

# - The End

I?m totally lost. Any id?e is appreciated.


Thanks

Peter




Peter Nyberg
Institutionen f?r Biokemi och Biofysik (DBB)
Sv.Arrhenius v?gen 12
106 91 Stockholm
Tel: 08-16 24 69

!!! You solved my problem. Thanks a lot!!!
I had to remove samba completely and reinstall the new version.

I run a test environment and will do so until fall, but what happens if 
similar
problems appear in the real environment?

Shall I wait until testing become stable? This was not a Debian package error
was it? Did someone else here have the same problem with a tarball?

I will also make a BDC but what if I miss to test something and make the same
mistake on the PDC?

How did you role back to older version of samba?
The only way I know is if you save old source package. Remove new package and
install old version with the dpkg i ?packagename?. Is that how you did it?

Quoting ademar@merkurio.com.ve:
> Hi peter, i had the same problem with 3.0.10 to 3.0.14a-1 (I use debian)
> so I went back to 3.0.10.   When they released 3.0.14a-2 I installed it
> and worked perfectly
>
> smb.conf have the ?ldap ssl = start tls? setting but it seams like
>> samba at
>> some point suddenly stopped having support for the tls option.
>> I can successfully do a:
>> ldapsearch ?x ?ZZ
>> My ldap account for samba is cn=samba,ou=DSA,dc=dbb,dc=su,dc=se
>> I?ve added the password to secret.tdb
>> I can successfully do a:
>> ldapsearch ?x ?ZZ ?h localhost ?D cn=samba,ou=DSA,dc=dbb,dc=su,dc=se ?W
>>
>> As soon as I start use samba I get the tls problem. When I start samba
I
>> get the
>> following error in my syslog:
>>
>> May 30 14:21:21 frodo slapd[6242]: connection_read(12): unable to get
TLS
>> client
>> DN, error=49 id=234
>> May 30 14:21:21 frodo smbd[11539]: [2005/05/30 14:21:21, 0]
>> lib/smbldap.c:smbldap_open_connection(677)
>> May 30 14:21:21 frodo smbd[11539]:   Failed to issue the StartTLS
>> instruction:
>> Connect error
>> May 30 14:21:21 frodo smbd[11539]: [2005/05/30 14:21:21, 1]
>> lib/smbldap.c:another_ldap_try(1011)
>> May 30 14:21:21 frodo smbd[11539]:   Connection to LDAP server failed
for
>> the 1
>> try!
>>
>> Testparm doesn?t show any errors.
>>
>> I don?t know how samba connect to the ldap server but I assume it uses
>> ldap.conf
>> and here it is:
>> HOST frodo.dbb.su.se
>> ##host= 127.0.0.1
>> BASE dc=dbb,dc=su,dc=se
>>
>> rootbinddn cn=nssldap,ou=DSA,dc=dbb,dc=su,dc=se
>>
>> nss_base_passwd         ou=Users,dc=dbb,dc=su,dc=se?one
>> nss_base_passwd         ou=Computers,dc=dbb,dc=su,dc=se?one
>> nss_base_shadow         ou=Users,dc=dbb,dc=su,dc=se?one
>> nss_base_group          ou=Groups,dc=dbb,dc=su,dc=se?one
>>
>> ##ssl no
>> pam_password md5
>>
>> tls_checkpeer yes
>> TLS_CACERT /etc/ldap/ca.pem
>> ##tls_cacertfile /etc/ldap/ca.pem ####have never worked for some reoson
>> TLS_REQCERT demand
>> ssl start_tls
>> tls_cert /etc/nssldapcets/nssldap.pem
>> tls_key /etc/nssldapcets/nssldap.key
>>
>> This also works:
>> ldapsearch ?x ?ZZ ?h localhost ?D cn=nssldap,ou=DSA,dc=dbb,dc=su,dc=se
?W
>>
>> I have nssldap password in ldap.secret
>>
>> # - The End
>>
>> I?m totally lost. Any id?e is appreciated.
>>
>>
>> Thanks
>>
>> Peter
>>
>>
>>
>>
>> Peter Nyberg
>> Institutionen f?r Biokemi och Biofysik (DBB)
>> Sv.Arrhenius v?gen 12
>> 106 91 Stockholm
>> Tel: 08-16 24 69--
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>




Peter Nyberg
Institutionen f?r Biokemi och Biofysik (DBB)
Sv.Arrhenius v?gen 12
106 91 Stockholm
Tel: 08-16 24 69