ClearOS Bug Tracker

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0001719ClearOSapp-openldap - OpenLDAP Driverpublic2014-05-27 05:112014-07-10 13:20
Assigned Touser2 
PrioritynormalSeveritymajorReproducibilityhave not tried
PlatformOSOS Version
Product Version6.5.0 
Target Version6.6.0 Beta 2Fixed in Version6.6.0 Beta 2 
Summary0001719: Changing directory server base domain causes authentication issues
DescriptionI changed my Base Domain in the Directory Server part of the webconfig and since then it appears that Samba is no longer able to authenticate with LDAP. Initially in /var/log/samba/log.winbindd-idmp I got:

[2014/05/26 17:12:29.450009, 1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config HOME
[2014/05/26 17:12:29.450879, 0] lib/smbldap.c:1225(smbldap_connect_system)
  failed to bind to server ldap:// [^] with dn="cn=manager,ou=Internal,dc=howitts,dc=lan" Error: Invalid credentials

then a repeating:

[2014/05/26 17:12:29.451119, 1] lib/smbldap.c:1409(another_ldap_try)
  Connection to LDAP server failed for the 1 try!

I then rebooted and now the following message repeats in /var/log/samba/log.winbindd-idmp:

[2014/05/27 11:26:24.844569, 0] winbindd/idmap_ldap.c:113(get_credentials)
  get_credentials: Unable to fetch auth credentials for cn=manager,ou=Internal,dc=howitts,dc=co,dc=uk in *
[2014/05/27 11:26:24.844620, 1] winbindd/idmap_ldap.c:501(idmap_ldap_db_init)
  idmap_ldap_db_init: Failed to get connection credentials (NT_STATUS_ACCESS_DENIED)
[2014/05/27 11:26:24.844666, 1] winbindd/idmap.c:249(idmap_init_domain)
  idmap initialization returned NT_STATUS_ACCESS_DENIED

/etc/samba/smb.winbind.conf appears to be set correctly (i.e it is like the old one but dc=lan now reads dc=co,dc=uk which is as I'd expect)
'ldapsearch -D "cn=manager,ou=Internal,dc=howitts,dc=co,dc=uk" -b "" objectclass=* -w PASSWORD' successfully runs.
Steps To ReproduceSorry but I daren't break my system any further!
TagsNo tags attached.
Attached Files

- Relationships
related to 0001727closeduser2 Changing directory server base domain breaks relationship between Samba and LDAP 

-  Notes
NickH (developer)
2014-05-27 05:20

Please append to the title "breaks relationship between Samba and LDAP"
NickH (developer)
2014-05-27 08:12

I appear to have fixed this by running either /usr/clearos/apps/samba/deploy/cleanup-ldap or /usr/clearos/apps/samba/deploy/cleanup-sids. I think this should be part of one of the clearsync events for the Directory Server Base Domain change.
2014-05-29 15:28

It looks like a timing issue. I caught the same problem in a test environment. The first section of the log below shows the LDAP system being re-initialized with the new domain. All good so far.

The second section of the log shows the "nslcd" package being restarted after the LDAP changes (nslcd is responsible for hooking Linux users/groups into LDAP). That's exactly what is supposed to happen, but the old domain is used and the connection fails with "invalid credentials". An nslcd restart (or reboot) clears up the issue.

Will fix.

==> /var/log/system <==
May 29 17:22:24 clear6 openldap: preparing system...
May 29 17:22:25 clear6 openldap: generating configuration...
May 29 17:22:25 clear6 openldap: importing data...
May 29 17:22:29 clear6 openldap: finished initialization

==> /var/log/messages <==
May 29 17:22:30 clear6 nslcd[28728]: caught signal SIGTERM (15), shutting down
May 29 17:22:30 clear6 nslcd[28728]: version 0.7.5 bailing out
May 29 17:22:30 clear6 nslcd[29492]: version 0.7.5 starting
May 29 17:22:30 clear6 nslcd[29492]: accepting connections
May 29 17:22:30 clear6 nslcd[29492]: [7b23c6] failed to bind to LDAP server ldap:// [^] Invalid credentials
2014-05-29 16:14

The 0001727 bug report (cloned) will deal with Samba-specific issues with a domain change. This report is intended for tracking the app-openldap changes.

- Issue History
Date Modified Username Field Change
2014-05-27 05:11 NickH New Issue
2014-05-27 05:20 NickH Note Added: 0001183
2014-05-27 07:41 user2 Status new => acknowledged
2014-05-27 08:12 NickH Note Added: 0001184
2014-05-29 15:28 user2 Note Added: 0001190
2014-05-29 16:11 user2 Issue cloned: 0001727
2014-05-29 16:11 user2 Relationship added related to 0001727
2014-05-29 16:11 user2 Category app-openldap-directory - Directory Server => app-openldap - OpenLDAP Driver
2014-05-29 16:14 user2 Note Added: 0001191
2014-05-29 16:14 user2 Status acknowledged => resolved
2014-05-29 16:14 user2 Fixed in Version => 6.6.0 Beta 2
2014-05-29 16:14 user2 Resolution open => fixed
2014-05-29 16:14 user2 Assigned To => user2
2014-05-29 16:15 user2 Summary Changing Directory Server Base Domain => Changing directory server base domain causes authentication issues
2014-05-29 16:16 user2 Target Version => 6.6.0 Beta 2
2014-07-10 13:20 user2 Status resolved => closed