View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
0001719 | ClearOS | app-openldap - OpenLDAP Driver | public | 2014-05-27 05:11 | 2014-07-10 13:20
Reporter | NickH
Assigned To | user2
Priority | normal | Severity | major | Reproducibility | have not tried
Status | closed | Resolution | fixed
Platform | OS | OS Version
Product Version | 6.5.0
Target Version | 6.6.0 Beta 2 | Fixed in Version | 6.6.0 Beta 2
Summary | 0001719: Changing directory server base domain causes authentication issues
Description | I changed my Base Domain in the Directory Server part of the webconfig and since then it appears that Samba is no longer able to authenticate with LDAP. Initially in /var/log/samba/log.winbindd-idmp I got:

[2014/05/26 17:12:29.450009, 1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config HOME
[2014/05/26 17:12:29.450879, 0] lib/smbldap.c:1225(smbldap_connect_system)
  failed to bind to server ldap://127.0.0.1 with dn="cn=manager,ou=Internal,dc=howitts,dc=lan" Error: Invalid credentials (unknown)

then a repeating:

[2014/05/26 17:12:29.451119, 1] lib/smbldap.c:1409(another_ldap_try)
  Connection to LDAP server failed for the 1 try!

I then rebooted and now the following message repeats in /var/log/samba/log.winbindd-idmp:

[2014/05/27 11:26:24.844569, 0] winbindd/idmap_ldap.c:113(get_credentials)
  get_credentials: Unable to fetch auth credentials for cn=manager,ou=Internal,dc=howitts,dc=co,dc=uk in *
[2014/05/27 11:26:24.844620, 1] winbindd/idmap_ldap.c:501(idmap_ldap_db_init)
  idmap_ldap_db_init: Failed to get connection credentials (NT_STATUS_ACCESS_DENIED)
[2014/05/27 11:26:24.844666, 1] winbindd/idmap.c:249(idmap_init_domain)
  idmap initialization returned NT_STATUS_ACCESS_DENIED

/etc/samba/smb.winbind.conf appears to be set correctly (i.e. it is like the old one but dc=lan now reads dc=co,dc=uk, which is as I'd expect).

'ldapsearch -D "cn=manager,ou=Internal,dc=howitts,dc=co,dc=uk" -b "" objectclass=* -w PASSWORD' successfully runs.
Steps To Reproduce | Sorry but I daren't break my system any further!
Tags | No tags attached.
Attached Files |
Relationships |

Notes
(0001183) NickH (developer) 2014-05-27 05:20
Please append to the title "breaks relationship between Samba and LDAP"

(0001184) NickH (developer) 2014-05-27 08:12
I appear to have fixed this by running either /usr/clearos/apps/samba/deploy/cleanup-ldap or /usr/clearos/apps/samba/deploy/cleanup-sids. I think this should be part of one of the clearsync events for the Directory Server Base Domain change.

(0001190) user2 2014-05-29 15:28
It looks like a timing issue. I caught the same problem in a test environment. The first section of the log below shows the LDAP system being re-initialized with the new domain. All good so far. The second section of the log shows the "nslcd" package being restarted after the LDAP changes (nslcd is responsible for hooking Linux users/groups into LDAP). That's exactly what is supposed to happen, but the old domain is used and the connection fails with "invalid credentials". An nslcd restart (or reboot) clears up the issue. Will fix.

==> /var/log/system <==
May 29 17:22:24 clear6 openldap: preparing system...
May 29 17:22:25 clear6 openldap: generating configuration...
May 29 17:22:25 clear6 openldap: importing data...
May 29 17:22:29 clear6 openldap: finished initialization

==> /var/log/messages <==
May 29 17:22:30 clear6 nslcd[28728]: caught signal SIGTERM (15), shutting down
May 29 17:22:30 clear6 nslcd[28728]: version 0.7.5 bailing out
May 29 17:22:30 clear6 nslcd[29492]: version 0.7.5 starting
May 29 17:22:30 clear6 nslcd[29492]: accepting connections
May 29 17:22:30 clear6 nslcd[29492]: [7b23c6] failed to bind to LDAP server ldap://127.0.0.1/: Invalid credentials

(0001191) user2 2014-05-29 16:14
The 0001727 bug report (cloned) will deal with Samba-specific issues with a domain change. This report is intended for tracking the app-openldap changes.
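
The three failure signatures quoted in this issue (a Samba bind with a DN under the old base, winbind finding no credentials for the new DN, and nslcd's rejected bind) can be told apart by comparing each logged bind DN with the currently configured base DN. The script below is an added example, not code from ClearOS or from the participants in this report; its function names, finding labels and the sample log (constructed from the lines quoted above) are assumptions.

```python
import re

# Constructed sample, modelled on the log lines quoted in this issue.
SAMPLE_LOG = """\
[2014/05/26 17:12:29.450879, 0] lib/smbldap.c:1225(smbldap_connect_system)
  failed to bind to server ldap://127.0.0.1 with dn="cn=manager,ou=Internal,dc=howitts,dc=lan" Error: Invalid credentials
[2014/05/27 11:26:24.844569, 0] winbindd/idmap_ldap.c:113(get_credentials)
  get_credentials: Unable to fetch auth credentials for cn=manager,ou=Internal,dc=howitts,dc=co,dc=uk in *
May 29 17:22:30 clear6 nslcd[29492]: [7b23c6] failed to bind to LDAP server ldap://127.0.0.1/: Invalid credentials
"""

BIND_FAIL = re.compile(r'failed to bind to server \S+ with dn="([^"]+)"')
NO_CREDS = re.compile(r'Unable to fetch auth credentials for (\S+) in')
NSLCD_FAIL = re.compile(r'nslcd\[\d+\]:.*failed to bind to LDAP server')

def normalize_dn(dn):
    # Simplification: lower-case and trim each RDN; escaped commas are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))

def under_base(dn, base):
    return dn == base or dn.endswith("," + base)

def classify(log_text, base_dn):
    """Return (label, dn) findings for LDAP bind problems, in log order."""
    base = normalize_dn(base_dn)
    findings = []
    for line in log_text.splitlines():
        m = BIND_FAIL.search(line)
        if m:
            dn = normalize_dn(m.group(1))
            # A DN outside the current base means the client kept the old suffix.
            label = "bind-rejected" if under_base(dn, base) else "stale-base-dn"
            findings.append((label, dn))
            continue
        m = NO_CREDS.search(line)
        if m:
            dn = normalize_dn(m.group(1))
            label = "no-stored-credentials" if under_base(dn, base) else "stale-base-dn"
            findings.append((label, dn))
            continue
        if NSLCD_FAIL.search(line):
            # nslcd does not log the bind DN, so only the rejection is recorded.
            findings.append(("nslcd-bind-rejected", None))
    return findings

if __name__ == "__main__":
    for label, dn in classify(SAMPLE_LOG, "dc=howitts,dc=co,dc=uk"):
        print(label, dn)
```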

Issue History
Date Modified | Username | Field | Change
2014-05-27 05:11 | NickH | New Issue | |
2014-05-27 05:20 | NickH | Note Added: 0001183 | |
2014-05-27 07:41 | user2 | Status | new => acknowledged |
2014-05-27 08:12 | NickH | Note Added: 0001184 | |
2014-05-29 15:28 | user2 | Note Added: 0001190 | |
2014-05-29 16:11 | user2 | Issue cloned: 0001727 | |
2014-05-29 16:11 | user2 | Relationship added | related to 0001727 |
2014-05-29 16:11 | user2 | Category | app-openldap-directory - Directory Server => app-openldap - OpenLDAP Driver |
2014-05-29 16:14 | user2 | Note Added: 0001191 | |
2014-05-29 16:14 | user2 | Status | acknowledged => resolved |
2014-05-29 16:14 | user2 | Fixed in Version | => 6.6.0 Beta 2 |
2014-05-29 16:14 | user2 | Resolution | open => fixed |
2014-05-29 16:14 | user2 | Assigned To | => user2 |
2014-05-29 16:15 | user2 | Summary | Changing Directory Server Base Domain => Changing directory server base domain causes authentication issues |
2014-05-29 16:16 | user2 | Target Version | => 6.6.0 Beta 2 |
2014-07-10 13:20 | user2 | Status | resolved => closed |