Message-Id: <201402090626.s196Qrdu039893@cgiserv.freebsd.org>
Date: Sun, 9 Feb 2014 06:26:53 GMT
From: Dan Burkland
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/186575: Start of Samba results in "nss_ldap: could not search LDAP server" errors

>Number: 186575
>Category: ports
>Synopsis: Start of Samba results in "nss_ldap: could not search LDAP server" errors
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Feb 09 06:30:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Dan Burkland
>Release: 10.0 P0 RELEASE
>Organization:
>Environment:
FreeBSD srv06 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014 root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
I have recently upgraded my FreeBSD file server from 9.1 to 10.0 and have run into an interesting issue. I have configured this system via "/etc/nsswitch" to utilize my OpenLDAP server for "passwdb" & "group" NSS lookups. The system is configured to talk to the OpenLDAP over TLS and basic things like "getent passwd" & "getent group" work fine and do not result in any errors on the LDAP or FreeBSD servers.

When I start Samba however (regardless if it is 3.6, 4.0, or 4.1) I notice the following error messages appear in my OpenLDAP server's logs:

Feb 9 00:10:09 srv01 slapd[51720]: conn=2054 fd=43 ACCEPT from IP=10.0.0.15:30785 (IP=0.0.0.0:389)
Feb 9 00:10:09 srv01 slapd[51720]: conn=2054 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb 9 00:10:09 srv01 slapd[51720]: conn=2054 op=0 STARTTLS
Feb 9 00:10:09 srv01 slapd[51720]: conn=2054 op=0 RESULT oid= err=0 text=
Feb 9 00:10:09 srv01 slapd[51720]: conn=2054 fd=43 closed (TLS negotiation failure)

If I try to connect to the Samba server from a client or run a samba-related command such as "smbpasswd -a " they hang until I kill them. At that point I notice the following error message appear in "/var/log/messages" on the FreeBSD file server:

Feb 9 00:11:56 srv06 smbd[97896]: nss_ldap: could not search LDAP server - Server is unavailable

This configuration worked just fine in FreeBSD 9.1 so I'm not sure what changed in 10 to prevent this from working properly. As demonstrated previously TLS + LDAP is working properly as confirmed by the "getent passwd" command and OpenLDAP server logs (which indicate a clean TLS connection).

Please see the following tar file which should contain all of the necessary files:

https://www.dropbox.com/s/2eclhl1k5l2jaxr/FreeBSD_Samba_Problem_Report_Files_20140209.tar.gz

If you need any further information from me please shoot me an email.

Thanks!

Dan
>How-To-Repeat:
* Start/stop the "samba_server" service
Or
* Try to connect to the Samba fileshare from a client server
>Fix:
If I replace the following lines:

group: files ldap
passwd: files ldap

With

group: files
passwd: files

Samba then operates correctly and related commands such as "pdbedit -L -u " work just fine.
>Release-Note:
>Audit-Trail:
>Unformatted:
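
The following triage script is an added example, not part of the original report: it groups slapd log lines by connection id and lists the sessions where STARTTLS was accepted but the handshake then failed, as in the conn=2054 excerpt above. The conn=2055 lines and all function names are constructed for illustration.

```python
import re

# conn=2054 lines are the slapd entries quoted in the report; conn=2055 is
# constructed here to show a session whose TLS handshake completes.
SAMPLE_LOG = """\
Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 fd=43 ACCEPT from IP=10.0.0.15:30785 (IP=0.0.0.0:389)
Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 op=0 STARTTLS
Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 op=0 RESULT oid= err=0 text=
Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 fd=43 closed (TLS negotiation failure)
Feb  9 00:10:12 srv01 slapd[51720]: conn=2055 fd=44 ACCEPT from IP=10.0.0.15:30790 (IP=0.0.0.0:389)
Feb  9 00:10:12 srv01 slapd[51720]: conn=2055 op=0 STARTTLS
Feb  9 00:10:12 srv01 slapd[51720]: conn=2055 op=0 RESULT oid= err=0 text=
Feb  9 00:10:12 srv01 slapd[51720]: conn=2055 fd=44 TLS established tls_ssf=256 ssf=256
Feb  9 00:10:13 srv01 slapd[51720]: conn=2055 fd=44 closed
"""

# Captures the connection id and the event text that follows fd=N / op=N.
CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (?:fd|op)=\d+ (.*)$")


def classify_connections(log_text):
    """Return {conn_id: state} built from every slapd line in log_text."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # not a per-connection slapd line
        conn_id, event = int(m.group(1)), m.group(2)
        state = conns.setdefault(conn_id, {
            "client": None, "starttls": False,
            "tls_established": False, "outcome": "open"})
        if event.startswith("ACCEPT from IP="):
            # "ACCEPT from IP=10.0.0.15:30785 (IP=...)" -> "10.0.0.15:30785"
            state["client"] = event.split("IP=")[1].split()[0]
        elif event == "STARTTLS":
            state["starttls"] = True
        elif event.startswith("TLS established"):
            state["tls_established"] = True
        elif event.startswith("closed"):
            failed = "TLS negotiation failure" in event
            state["outcome"] = "tls_failure" if failed else "closed"
    return conns


def failed_handshakes(log_text):
    """List (conn_id, client) for sessions that died during the handshake."""
    return [(cid, s["client"])
            for cid, s in sorted(classify_connections(log_text).items())
            if s["starttls"] and s["outcome"] == "tls_failure"]
```

Matching the client source ports it reports against the processes on the file server shows which program opened the failing session.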