The Samba-Bugzilla – Bug 6885
ldapsam doesn't honor port number
Last modified: 2009-11-18 10:17:41 UTC
We run our ldap master instance on an alternate port number. Thus, we have our samba PDC reference the master instance, so it can perform writes. Unfortunately, I can't seem to get samba to recognize the alternate port number. According to the documentation, I should be able to use something of the form:
passdb backend = ldapsam:uri[:port]
so something of the form:
passdb backend = ldapsam:ldap://master:9999
should work. When I try this, I see entries similar to:
[2009/11/10 15:39:32, 0] lib/smbldap.c:656(smb_ldap_start_tls)
Failed to issue the StartTLS instruction: Can't contact LDAP server
[2009/11/10 15:39:32, 1] lib/smbldap.c:1231(another_ldap_try)
Connection to LDAP server failed for the 1 try!
in the log. Furthermore, it doesn't actually generate any network traffic as though it were even attempting a bind. If I remove the port number, the server can bind just fine, but we can't make updates. I've tried pointing our PDC to the slave servers and adding a referral to the master server, but samba doesn't seem to be accepting the referral or is again running into port number problems.
I've tested this back to the 3.2 series of samba and the problem appears to be present there as well.
Please let me know if I'm missing something here or if there is anything I can do to help you debug the problem further.
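To make the documented "ldapsam:uri[:port]" form concrete, here is a small parser written for this page (it is not Samba code) that resolves which host and port each configured LDAP URI actually names, using the standard default ports 389 for ldap:// and 636 for ldaps:// as an assumption. Checking the configured value this way tells you what port the backend should be contacting before you compare against the smbd log or a packet capture.

```python
"""Resolve host/port targets from a Samba ``passdb backend = ldapsam:...`` value.

Added example, not Samba code. It follows the form documented in the
report above (``ldapsam:uri[:port]``) and the smb.conf convention that a
quoted argument may hold several space-separated LDAP URIs.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumption: standard IANA defaults when the URI carries no explicit port.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def split_backend(value: str):
    """Return (backend_name, argument) for a passdb backend value.

    The option has the form ``<name>[:<arg>]``.  For ldapsam the argument
    is one or more LDAP URIs; a list of URIs is wrapped in quotes.
    """
    value = value.strip()
    name, sep, arg = value.partition(":")
    if not sep:
        return name, None
    arg = arg.strip()
    # Strip one layer of surrounding quotes: ldapsam:"ldap://a ldap://b"
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "\"'":
        arg = arg[1:-1]
    return name, arg or None


def parse_ldap_uri(uri: str) -> Dict[str, Optional[object]]:
    """Describe one LDAP URI: scheme, host, effective port, and whether
    the port was written explicitly (the case the report is about)."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError(f"unsupported LDAP scheme in {uri!r}")
    if scheme == "ldapi":
        # Unix-domain socket transport: no TCP host or port involved.
        return {"scheme": scheme, "host": None, "port": None,
                "explicit_port": False}
    try:
        port = parts.port  # None when the URI has no port component
    except ValueError as exc:  # e.g. ldap://host:notanumber
        raise ValueError(f"bad port in {uri!r}") from exc
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": port if port is not None else DEFAULT_PORTS[scheme],
        "explicit_port": port is not None,
    }


def ldapsam_targets(value: str) -> List[Dict[str, Optional[object]]]:
    """Parse a full ``passdb backend`` value and return one dict per URI."""
    name, arg = split_backend(value)
    if name != "ldapsam":
        raise ValueError(f"not an ldapsam backend: {name!r}")
    # No URI given: nothing to resolve here (Samba applies its own default).
    uris = arg.split() if arg else []
    return [parse_ldap_uri(u) for u in uris]


def describe(value: str) -> List[str]:
    """Human-readable lines, one per target, for a quick config review."""
    lines = []
    for t in ldapsam_targets(value):
        if t["scheme"] == "ldapi":
            lines.append("ldapi (unix socket)")
            continue
        how = "explicit port" if t["explicit_port"] else "default port"
        lines.append(f"{t['scheme']}://{t['host']}:{t['port']} ({how})")
    return lines


if __name__ == "__main__":
    # Constructed sample values matching the forms used in the report.
    for sample in ("ldapsam:ldap://master:9999",
                   "ldapsam:ldap://ldapmaster.cs.brown.edu",
                   'ldapsam:"ldap://master:9999 ldaps://slave1"'):
        print(sample, "->", describe(sample))
```

Running the script prints the resolved target for each sample value; the first sample resolves to master on port 9999 with an explicit port, which is exactly what the reporter expects smbd to contact.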
can you please add a tcpdump sniff of that?
I could attach a tcpdump during the failure case, but it would just be an empty file. If I have
passdb backend = ldapsam:ldap://ldapmaster.cs.brown.edu:3890
defined in my smb.conf file, I see zero network traffic generated. However, if I change this to just
passdb backend = ldapsam:ldap://ldapmaster.cs.brown.edu
then I see network traffic. The latter actually fails, because it attempts a tls connection and the certificate is wrong. Our setup is a little funky, in that we run our master instance as a virtual service on top of one of our N slaves. This is the reason we need to bind to an alternate port.
I find it hard to believe that nobody else has experienced this, although I have no clue how many people would actually use an ldap server on an alternate port. Either this option is just plain broken or I'm doing something seriously dumb (not out of the question), although I'll be darned if I know what that is.
this used to work in 3.0.x, I just checked that this works, also in 3.4.3. You should look for other problems, samba itself is probably not the fault.
I should have mentioned this fact earlier, but I just remembered it. When I include an alternate port number in the configuration and samba reports being unable to bind to the LDAP server, I can successfully run "pdbedit -L" to view the results in the LDAP database. This struck me as particularly odd, as I would expect both portions of the samba tool chain to fail in a similar manner.
Does this provide any clue as to what might be happening?