[Date Prev][Date Next] [Chronological] [Thread] [Top]

ldap PDC -- Failed to issue the StartTLS instruction


We've been using an ldap based PDC from quite a while.  Now we're
suddenly having trouble getting our main fileserver to talk with the

samba-3.2.13 on solaris 10.

Here is our smb.conf global defs:

       workgroup = CNRDOM
       server string = nature (Samba %v)
       security = DOMAIN
       passdb backend = ldapsam:ldaps://169.229.xxx.yyy
       log level = 5
       log file = /var/log/samba/log.%m
       name resolve order = wins host lmhosts
       os level = 65
       local master = No
       domain master = No
       dns proxy = No
       wins support = Yes
       ldap ssl = start tls

When we start up samba, we see many lines like these in log.smbd:

[2009/08/03 15:40:40,  1] lib/smbldap.c:another_ldap_try(1170)
 Connection to LDAP server failed for the 4 try!

and these:

[2009/08/03 15:51:56,  0] lib/smbldap.c:smb_ldap_start_tls(595)
 Failed to issue the StartTLS instruction: Can't contact LDAP server
[2009/08/03 15:51:56,  5] lib/smbldap.c:smbldap_search_ext(1199)
 smbldap_search_ext: base => [], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-22-1-97)(sambaSIDList=S-1-22-2-97)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-32-546)))], scope => [2]
[2009/08/03 15:51:56,  5] lib/smbldap.c:smbldap_close(1103)
 The connection to the LDAP server was closed

But over on the PDC (gentoo linux 2.6.29, samba-3.2.13 , openldap-2.4.27)
we see this in tcpdump:
$ tcpdump  -vv -c 4  port ldaps

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:51:29.736629 IP (tos 0x0, ttl 61, id 60609, offset 0, flags [DF], proto TCP (6), length 52) nature.Berkeley.EDU.56299 > xxxyyy.CNR.Berkeley.EDU.ldaps: S, cksum 0x6a18 (correct), 1637042825:1637042825(0) win 49640 <mss 1380,nop,wscale 0,nop,nop,sackOK>
15:51:29.736651 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) xxxyyy.CNR.Berkeley.EDU.ldaps > nature.Berkeley.EDU.56299: R, cksum 0x6c68 (correct), 0:0(0) ack 1637042826 win 0
15:51:30.746803 IP (tos 0x0, ttl 61, id 60610, offset 0, flags [DF], proto TCP (6), length 52) nature.Berkeley.EDU.56302 > xxxyyy.CNR.Berkeley.EDU.ldaps: S, cksum 0xa6d9 (correct), 2235230749:2235230749(0) win 49640 <mss 1380,nop,wscale 0,nop,nop,sackOK>
15:51:30.746827 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) xxxyyy.CNR.Berkeley.EDU.ldaps > nature.Berkeley.EDU.56302: R, cksum 0xa929 (correct), 0:0(0) ack 2235230750 win 0

It appears that there is indeed an ldaps conversation going on. We created new certificate on the PDC to see if certificate is the problem to no avail. Same message, and same problem. We disable firewall on the PDC as well and make sure that LDAP ports are all open. The Solaris 10 machine (ROLE_DOMAIN_MEMBER) and the PDC are on two different subnets.
We're hoping someone will recognize this behavior and reveal our mistake to us.
Or perhaps point out where we should check/debug/RTFM next.