Hi Paul,

On Wed, Mar 23, 2005 at 11:30:35AM +0100, Paul Coray wrote:
> Three days ago I switched our domain from an NT 4 domain controller to
> Samba-OpenLDAP, controlled by a Debian Sarge system. I installed the
> following unofficial Debian OpenLDAP 2.2 packages (I know these are not
> supported, but TLS with OpenSSL is essential to us...):
>
> Package: slapd
> Version: 2.2.20-1.hrz.1
>
> Package: libldap2.2
> Version: 2.2.20-1.hrz.1
>
> Package: ldap-utils
> Version: 2.2.20-1.hrz.1

Where are those available? I did not know about that fork and perhaps I
can share some work with the maintainer.

> As soon as the LDAP-replication is active, my Windows users are
> experiencing problems logging on to the domain, often they only manage
> to log in with locally cached credentials/profiles. I suspect there are
> problems with TLS, as I see a lot of messages like this in the Samba
> machine logs:
>
> [2005/03/23 08:18:44, 0] lib/fault.c:fault_report(36)
>   ===============================================================
> [2005/03/23 08:18:44, 0] lib/fault.c:fault_report(37)
>   INTERNAL ERROR: Signal 6 in pid 15289 (3.0.10-Debian)
>   Please read the appendix Bugs of the Samba HOWTO collection
> [2005/03/23 08:18:44, 0] lib/fault.c:fault_report(39)
>   ===============================================================
> [2005/03/23 08:18:44, 0] lib/util.c:smb_panic2(1482)
>   PANIC: internal error
> [2005/03/23 08:18:44, 0] lib/util.c:smb_panic2(1490)
>   BACKTRACE: 34 stack frames:
>    #0 /usr/sbin/smbd(smb_panic2+0x111) [0x81e05e1]
>    #1 /usr/sbin/smbd(smb_panic+0x1a) [0x81e04ca]
>    #2 /usr/sbin/smbd [0x81cc8e8]
>    #3 [0xffffe420]
>    #4 /lib/tls/libc.so.6(abort+0x1d2) [0x401b5f12]
>    #5 /lib/tls/libc.so.6(__assert_fail+0x10f) [0x401ae26f]
>    #6 /usr/lib/libldap.so.2 [0x4002b12d]
>    #7 /usr/lib/libldap.so.2(ldap_int_open_connection+0x11e) [0x400257ee]
>    #8 /usr/lib/libldap.so.2(ldap_new_connection+0x89) [0x400374c9]
>    #9 /usr/lib/libldap.so.2(ldap_open_defconn+0x41) [0x400252a1]
>    #10 /usr/lib/libldap.so.2(ldap_send_initial_request+0x8f) [0x4003703f]
>    #11 /usr/lib/libldap.so.2(ldap_sasl_bind+0x177) [0x4002d387]
>    #12 /usr/lib/libldap.so.2(ldap_simple_bind+0x80) [0x4002dd80]
>    #13 /lib/libnss_ldap.so.2 [0x409ad423]
>    #14 /lib/libnss_ldap.so.2 [0x409acefc]
>    #15 /lib/libnss_ldap.so.2 [0x409ae24a]
>    #16 /lib/libnss_ldap.so.2 [0x409ae81b]
>    #17 /lib/libnss_ldap.so.2(_nss_ldap_getpwnam_r+0x69) [0x409af9e9]
>    #18 /lib/tls/libc.so.6(getpwnam_r+0xfc) [0x4023475c]
>    #19 /lib/tls/libc.so.6(getpwnam+0x91) [0x40234081]
>    #20 /usr/sbin/smbd(getpwnam_alloc+0x11) [0x81d3d21]
>    #21 /usr/sbin/smbd(make_server_info_sam+0x59) [0x821e779]
>    #22 /usr/sbin/smbd(make_server_info_guest+0xbb) [0x821eaab]
>    #23 /usr/sbin/smbd [0x821c882]
>    #24 /usr/sbin/smbd [0x821705f]
>    #25 /usr/sbin/smbd [0x80ad98e]
>    #26 /usr/sbin/smbd(reply_sesssetup_and_X+0x788) [0x80af5b8]
>    #27 /usr/sbin/smbd [0x80d3306]
>    #28 /usr/sbin/smbd [0x80d3590]
>    #29 /usr/sbin/smbd(process_smb+0x8c) [0x80d379c]
>    #30 /usr/sbin/smbd(smbd_process+0x168) [0x80d44d8]
>    #31 /usr/sbin/smbd(main+0x4ea) [0x82579ba]
>    #32 /lib/tls/libc.so.6(__libc_start_main+0xf4) [0x401a1904]
>    #33 /usr/sbin/smbd [0x8078b41]
> smbd:
> /home/roland/debian/openldap/build/2.1.30/openldap2-2.1.30/libraries/libldap/cyrus.c:468:
> ldap_int_sasl_open: Assertion `lc->lconn_sasl_ctx == ((void *)0)' failed.

This is a known bug in the Debian packages. Have a look at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273620
If you can reproduce it we might be able to track it down finally.

> Is samba using the 'original' OpenLDAP 2.1.30 TLS libraries, even if I
> have the ldap libraries linked to 2.2?

Yes. It will use the 2.1.30 libraries as they are incompatible with 2.2.x.

> And, why does this go away as soon as I stop slurpd on the master and
> slapd on the slave?

No idea.

> This is critical to us, as this is the first major step migrating ~200
> users away from NT-desktops to Linux thin clients, and I don't want to
> give them something to argue against OSS...

My guess at how to fix this: Get the openldap2 sources from the Debian
package and build it against OpenSSL. I can make packages available if
you can't build them.

You should change debian/changelog so that apt can differentiate between
the official and your packages and debian/configure.options so it uses
OpenSSL. Ah, and remove gnutls from Build-Depends in debian/control and
add libssl-dev. Make sure no gnutls dev package is installed as the
configure script had a bug to use it even if you'd rather use OpenSSL.

Thanks

Torsten
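
A way to confirm which libldap and which TLS backend a rebuilt package actually links, as an added example that is not part of the original message. The function name, the verdict strings and the sample ldd lines are hypothetical and constructed; because the backtrace shows libldap entering smbd through the NSS module, which is loaded at run time, the module itself has to be inspected as well as smbd.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.
# Real use: ldd /lib/libnss_ldap.so.2 | ldap_tls_summary openssl

# Read `ldd` output on stdin, report libldap soname(s) and TLS backend(s).
# $1 = TLS backend the rebuilt package is expected to use (default: openssl).
ldap_tls_summary() {
    want=${1:-openssl}
    input=$(cat)
    # First field of each ldd line is the soname, e.g. "libldap.so.2".
    ldap=$(printf '%s\n' "$input" |
        awk '$1 ~ /^libldap(_r)?[-.]/ { print $1 }' |
        LC_ALL=C sort -u | paste -sd, -)
    tls=$(printf '%s\n' "$input" |
        awk '$1 ~ /^libgnutls\./ { print "gnutls" }
             $1 ~ /^libssl\./    { print "openssl" }' |
        LC_ALL=C sort -u | paste -sd, -)
    ldap=${ldap:-none}
    tls=${tls:-none}
    verdict=ok
    [ "$tls" = "$want" ] || verdict=wrong-tls
    # More than one libldap soname means two library generations together.
    case "$ldap" in *,*) verdict=mixed-libldap ;; esac
    printf 'ldap=%s tls=%s verdict=%s\n' "$ldap" "$tls" "$verdict"
}

# Constructed sample: a libldap.so.2 that configure linked against GnuTLS.
sample_gnutls_ldd() {
cat <<'EOF'
    libldap.so.2 => /usr/lib/libldap.so.2 (0x40022000)
    liblber.so.2 => /usr/lib/liblber.so.2 (0x40056000)
    libgnutls.so.11 => /usr/lib/libgnutls.so.11 (0x40062000)
    libc.so.6 => /lib/tls/libc.so.6 (0x4018d000)
EOF
}

# Constructed sample: both libldap generations and both TLS libraries.
sample_mixed_ldd() {
cat <<'EOF'
    libldap.so.2 => /usr/lib/libldap.so.2 (0x40022000)
    libldap-2.2.so.7 => /usr/lib/libldap-2.2.so.7 (0x40090000)
    libgnutls.so.11 => /usr/lib/libgnutls.so.11 (0x40062000)
    libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x400c0000)
EOF
}

sample_gnutls_ldd | ldap_tls_summary openssl
sample_mixed_ldd | ldap_tls_summary openssl
```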