Bug 6885 - ldapsam doesn't honor port number
Summary: ldapsam doesn't honor port number
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.4.3
Hardware: x64 Linux
: P3 major
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Depends on:
Reported: 2009-11-10 14:43 UTC by Mark Dieterich
Modified: 2009-11-18 10:17 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Mark Dieterich 2009-11-10 14:43:17 UTC
We run our ldap master instance on an alternate port number.  Thus, we have our samba PDC reference the master instance, so it can perform writes.  Unfortunately, I can't seem to get samba to recognize the alternate port number.  According to the documentation, I should be able to use something of the form:

passdb backend = ldapsam:uri[:port]

so something of the form:

passdb backend = ldapsam:ldap://master:9999

should work.  When I try this, I see entries similar to:

[2009/11/10 15:39:32,  0] lib/smbldap.c:656(smb_ldap_start_tls)
  Failed to issue the StartTLS instruction: Can't contact LDAP server
[2009/11/10 15:39:32,  1] lib/smbldap.c:1231(another_ldap_try)
  Connection to LDAP server failed for the 1 try!

in the log.  Furthermore, doesn't actually generate any network traffic as though it were even attempting a bind.  If I remove the port number, the server can bind just fine, but we can't make updates.  I've tried pointing our PDC to the slave servers and adding a referral to the master server, but samba doesn't seem to be accepting the referral or is again running into port number problems.

I've tested this back to the 3.2 series of samba and the problem appears to be present there as well.

Please let me know if I'm missing something here or if there is anything I can do to help you debug the problem further.


Comment 1 Björn Jacke 2009-11-11 03:28:57 UTC
can you please add a tcpdump sniff of that?
Comment 2 Mark Dieterich 2009-11-12 14:15:35 UTC
I could attach a tcpdump during the failure case, but it would just be an empty file.  If I have

  passdb backend = ldapsam:ldap://ldapmaster.cs.brown.edu:3890

defined in my smb.conf file, I see zero network traffic generated.  However, if I change this to just

  passdb backend = ldapsam:ldap://ldapmaster.cs.brown.edu

then I see network traffic.  The latter actually fails, because it attempts a tls connection and the certificate is wrong.  Our setup is a little funky, in that we run our master instance as a virtual service on top of one of our N slaves.  This is the reason we need to bind to an alternate port.

I find it hard to believe that nobody else has experienced this, although I have no clue how many people would actually use an ldap server on an alternate port.  Either this option is just plain broken or I'm doing something seriously dumb (not out of the question), although I'll be darned if I know what that is.



Comment 3 Björn Jacke 2009-11-18 07:06:45 UTC
this used to work in 3.0.x, I just ckecked that this works, also in 3.4.3. You should look for other problems, samba itself is probably not the fault.
Comment 4 Mark Dieterich 2009-11-18 10:17:41 UTC
I should have mentioned this fact earlier, but I just remembered it.  When I include an alternate port number in the configuration and samba reports being unable to bind to the LDAP server, I can successfully run "pdbedit -L" to view the results in the LDAP database.  This stuck me as particular odd, as I would expect both portions of the samba tool chain to fail in a similar manner.

Does this provide any clue as to what might be happening?