ClearFoundation Tracker - ClearOS
View Issue Details
0001719 | ClearOS | app-openldap - OpenLDAP Driver | public | 2014-05-27 05:11 | 2014-07-10 13:20
NickH
user2
normal | major | have not tried
closed | fixed
6.5.0
6.6.0 Beta 2 | 6.6.0 Beta 2
0001719: Changing directory server base domain causes authentication issues
I changed my Base Domain in the Directory Server part of the webconfig and since then it appears that Samba is no longer able to authenticate with LDAP. Initially in /var/log/samba/log.winbindd-idmp I got:

[2014/05/26 17:12:29.450009, 1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config HOME
[2014/05/26 17:12:29.450879, 0] lib/smbldap.c:1225(smbldap_connect_system)
  failed to bind to server ldap://127.0.0.1 with dn="cn=manager,ou=Internal,dc=howitts,dc=lan" Error: Invalid credentials
      (unknown)

then a repeating:

[2014/05/26 17:12:29.451119, 1] lib/smbldap.c:1409(another_ldap_try)
  Connection to LDAP server failed for the 1 try!

I then rebooted and now the following message repeats in /var/log/samba/log.winbindd-idmp:

[2014/05/27 11:26:24.844569, 0] winbindd/idmap_ldap.c:113(get_credentials)
  get_credentials: Unable to fetch auth credentials for cn=manager,ou=Internal,dc=howitts,dc=co,dc=uk in *
[2014/05/27 11:26:24.844620, 1] winbindd/idmap_ldap.c:501(idmap_ldap_db_init)
  idmap_ldap_db_init: Failed to get connection credentials (NT_STATUS_ACCESS_DENIED)
[2014/05/27 11:26:24.844666, 1] winbindd/idmap.c:249(idmap_init_domain)
  idmap initialization returned NT_STATUS_ACCESS_DENIED

/etc/samba/smb.winbind.conf appears to be set correctly (i.e. it is like the old one but dc=lan now reads dc=co,dc=uk which is as I'd expect)
'ldapsearch -D "cn=manager,ou=Internal,dc=howitts,dc=co,dc=uk" -b "" objectclass=* -w PASSWORD' successfully runs.
Sorry but I daren't break my system any further!
No tags attached.
related to 0001727 | closed | user2 | Changing directory server base domain breaks relationship between Samba and LDAP
Issue History
2014-05-27 05:11 | NickH | New Issue
2014-05-27 05:20 | NickH | Note Added: 0001183
2014-05-27 07:41 | user2 | Status | new => acknowledged
2014-05-27 08:12 | NickH | Note Added: 0001184
2014-05-29 15:28 | user2 | Note Added: 0001190
2014-05-29 16:11 | user2 | Issue cloned: 0001727
2014-05-29 16:11 | user2 | Relationship added | related to 0001727
2014-05-29 16:11 | user2 | Category | app-openldap-directory - Directory Server => app-openldap - OpenLDAP Driver
2014-05-29 16:14 | user2 | Note Added: 0001191
2014-05-29 16:14 | user2 | Status | acknowledged => resolved
2014-05-29 16:14 | user2 | Fixed in Version | => 6.6.0 Beta 2
2014-05-29 16:14 | user2 | Resolution | open => fixed
2014-05-29 16:14 | user2 | Assigned To | => user2
2014-05-29 16:15 | user2 | Summary | Changing Directory Server Base Domain => Changing directory server base domain causes authentication issues
2014-05-29 16:16 | user2 | Target Version | => 6.6.0 Beta 2
2014-07-10 13:20 | user2 | Status | resolved => closed

Notes
(0001183)
NickH   
2014-05-27 05:20   
Please append to the title "breaks relationship between Samba and LDAP"
(0001184)
NickH   
2014-05-27 08:12   
I appear to have fixed this by running either /usr/clearos/apps/samba/deploy/cleanup-ldap or /usr/clearos/apps/samba/deploy/cleanup-sids. I think this should be part of one of the clearsync events for the Directory Server Base Domain change.
(0001190)
user2   
2014-05-29 15:28   
It looks like a timing issue. I caught the same problem in a test environment. The first section of the log below shows the LDAP system being re-initialized with the new domain. All good so far.

The second section of the log shows the "nslcd" package being restarted after the LDAP changes (nslcd is responsible for hooking Linux users/groups into LDAP). That's exactly what is supposed to happen, but the old domain is used and the connection fails with "invalid credentials". An nslcd restart (or reboot) clears up the issue.

Will fix.

==> /var/log/system <==
May 29 17:22:24 clear6 openldap: preparing system...
May 29 17:22:25 clear6 openldap: generating configuration...
May 29 17:22:25 clear6 openldap: importing data...
May 29 17:22:29 clear6 openldap: finished initialization

==> /var/log/messages <==
May 29 17:22:30 clear6 nslcd[28728]: caught signal SIGTERM (15), shutting down
May 29 17:22:30 clear6 nslcd[28728]: version 0.7.5 bailing out
May 29 17:22:30 clear6 nslcd[29492]: version 0.7.5 starting
May 29 17:22:30 clear6 nslcd[29492]: accepting connections
May 29 17:22:30 clear6 nslcd[29492]: [7b23c6] failed to bind to LDAP server ldap://127.0.0.1/: Invalid credentials
(0001191)
user2   
2014-05-29 16:14   
The 0001727 bug report (cloned) will deal with Samba-specific issues with a domain change. This report is intended for tracking the app-openldap changes.
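
The timing failure described in note 0001190 can be spotted from the logs. The following is an added example, not part of the tracker notes or ClearOS code: it flags "Invalid credentials" bind failures logged shortly after an openldap re-initialization, and failed bind DNs that are not under the new base domain. The function names, the 60-second window, the year default and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log excerpts quoted in this report.
SAMPLE = """\
May 29 17:22:29 clear6 openldap: finished initialization
May 29 17:22:30 clear6 nslcd[28728]: caught signal SIGTERM (15), shutting down
May 29 17:22:30 clear6 nslcd[29492]: version 0.7.5 starting
May 29 17:22:30 clear6 nslcd[29492]: [7b23c6] failed to bind to LDAP server ldap://127.0.0.1/: Invalid credentials
May 29 19:40:02 clear6 nslcd[29492]: [8b4567] failed to bind to LDAP server ldap://127.0.0.1/: Invalid credentials
  failed to bind to server ldap://127.0.0.1 with dn="cn=manager,ou=Internal,dc=howitts,dc=lan" Error: Invalid credentials
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w.-]+)(?:\[(\d+)\])?: (.*)$")
BIND_DN = re.compile(r'failed to bind .* dn="([^"]+)".*Invalid credentials')


def binds_after_reinit(text, window=timedelta(seconds=60), year=2014):
    """Return (time, daemon, pid) for 'Invalid credentials' bind failures logged
    within `window` after an openldap re-initialization (year is an assumption,
    since syslog timestamps omit it)."""
    hits, last_init = [], None
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # e.g. Samba's indented message lines
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        daemon, pid, msg = m.group(2), m.group(3), m.group(4)
        if daemon == "openldap" and "finished initialization" in msg:
            last_init = when
        elif "failed to bind" in msg and "Invalid credentials" in msg:
            if last_init and timedelta(0) <= when - last_init <= window:
                hits.append((when.strftime("%H:%M:%S"), daemon, pid))
    return hits


def stale_bind_dns(text, base_dn):
    """Return bind DNs from failed binds that do not sit under `base_dn`."""
    def norm(dn):
        return ",".join(p.strip().lower() for p in dn.split(","))
    suffix = "," + norm(base_dn)
    return [dn for dn in BIND_DN.findall(text) if not norm(dn).endswith(suffix)]
```

A hit from `binds_after_reinit` points to a daemon restarted with the old configuration; a DN returned by `stale_bind_dns` shows a client still binding under the previous base domain.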