Bug 663485

Summary: Failed to issue the StartTLS instruction: Connect error
Product: Fedora
Reporter: Zoran Pericic <zpericic>
Component: openldap
Assignee: Guenther Deschner <gdeschner>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 14
CC: bbuesker, gdeschner, jvcelak, mike, rmeggins, ssorce
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-01-19 01:51:33 UTC
Attachments:
  Samba log with ldap debug level = -1 and some debug patches.
  Temporary patch to enhance tls_m.c debugging.
  Temporary patch to enhance samba-ldap debugging.

Description Zoran Pericic 2010-12-15 22:36:53 UTC
Description of problem:
Samba BDC can't connect to an existing OpenLDAP server with TLS when clients try to connect to samba. In the main log (/var/log/samba/log.smb) I could see that samba could connect to the server and retrieve info. The pdbedit tool also works correctly. But when a client tries to connect I get: "Failed to issue the StartTLS instruction: Connect error"

On pre-FC14 samba can connect correctly, but with FC14 it always fails.

I'm using an existing self-signed CA generated with OpenSSL, and the server certificate is signed with that CA. OpenLDAP is configured with these certificates and it's working. nss_ldap and pam_ldap are working on all systems. All certificates are valid and have not expired. ldapsearch and other ldap clients work OK.


Version-Release number of selected component (if applicable):
samba-3.5.6-71.fc14.i686
nss-3.12.8-2.fc14.i686
openldap-2.4.23-4.fc14.i686
nspr-4.8.6-1.fc14.i686

How reproducible:
Configure samba as a BDC to connect to an OpenLDAP server using Start TLS/SSL.


Steps to Reproduce:
1. Configure Samba to use OpenLDAP (smb.conf):
    passdb backend = ldapsam:ldap://server
    ldap admin dn = cn=Manager,dc=st
    ldap suffix = dc=st
    ldap ssl = start tls
    log level = 10
    ldap debug level = -1
    ...
2. Start the nmb and smb services.
3. smbclient -L server

Actual results:

/var/log/samba/log.__ffff_192.168.122.1
[2010/12/15 22:42:44.538754,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)
  [LDAP] TLS: error: connect - force handshake failure: errno 0 - moznss error -8023
[2010/12/15 22:42:44.538780,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)
  [LDAP] TLS: can't connect: .
[2010/12/15 22:42:44.538815,  0] lib/smbldap.c:731(smb_ldap_start_tls)
[2010/12/15 22:42:44.538832,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)
  [LDAP] ldap_err2string
  Failed to issue the StartTLS instruction: Connect error
[2010/12/15 22:42:44.538856,  1] lib/smbldap.c:1330(another_ldap_try)
  Connection to LDAP server failed for the 1 try!

/var/log/samba/log.smb
[2010/12/15 22:42:21.422002,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)
  [LDAP] TLS: loaded CA certificate file /etc/pki/tls/certs/adf86755.0 from CA certificate directory /etc/pki/tls/certs.
[2010/12/15 22:42:21.424472,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)
  [LDAP] TLS certificate verification: defer
[2010/12/15 22:42:21.436402,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)
  [LDAP] TLS certificate verification: subject: E=....... cipher: AES-256, [LDAP] security level: high, secret key bits: 256, total key bits: 256, [LDAP] cache hits: 0, cache misses: 0, cache not reusable: 0
[2010/12/15 22:42:21.436441,  3] lib/smbldap.c:735(smb_ldap_start_tls)
  StartTLS issued: using a TLS connection
[2010/12/15 22:42:21.436456,  2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened


Expected results:
Samba should connect to server and retrieve accounts.


Additional info:
/etc/openldap/ldap.conf
URI ldap://quad.znjan.st ldap://znjan.st
BASE dc=mydomain
TLS_CACERTDIR /etc/pki/tls/certs
TLS_REQCERT never

ls -l /etc/pki/tls/certs
total 1228
lrwxrwxrwx 1 root root     10 2010-12-15 23:20 adf86755.0 -> cacert.pem
-rw-r--r-- 1 root root 578465 2010-04-07 11:40 ca-bundle.crt
-rw-r--r-- 1 root root 658225 2010-04-07 11:40 ca-bundle.trust.crt
-rw-r--r-- 1 root root   4379 2009-12-19 04:34 cacert.pem
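
To make the two logs above easier to compare, here is an added Python example (not part of the bug report or of Samba) that parses Samba's two-line log records and reports whether StartTLS succeeded and which NSS error code, if any, was logged. The sample lines are copied from the report; the record format is inferred from those lines.

```python
import re
# A Samba log record is a header "[YYYY/MM/DD HH:MM:SS.usec, level] file.c:line(func)"
# followed by zero or more message lines indented by two spaces.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<src>[^\s(]+)\((?P<func>[^)]*)\)\s*$"
)
# libldap built against Mozilla NSS (moznss) reports NSS error codes like this.
NSS_ERR_RE = re.compile(r"moznss error (?P<code>-?\d+)")

def parse_samba_log(text):
    """Group each header line with its indented message lines into one record."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["msg"] = ""
            records.append(rec)
        elif records and line.startswith("  "):
            # Continuation of the previous record (a record may also have no message).
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def starttls_status(text):
    """Return {'status': 'ok'|'failed'|'unknown', 'nss_error': code or None}."""
    result = {"status": "unknown", "nss_error": None}
    for rec in parse_samba_log(text):
        if "StartTLS issued: using a TLS connection" in rec["msg"]:
            result["status"] = "ok"
        elif "Failed to issue the StartTLS instruction" in rec["msg"]:
            result["status"] = "failed"
        m = NSS_ERR_RE.search(rec["msg"])
        if m:
            result["nss_error"] = m.group("code")
    return result

# Sample input: lines taken from the per-client and main logs in the report above.
CLIENT_LOG = """\
[2010/12/15 22:42:44.538754,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)
  [LDAP] TLS: error: connect - force handshake failure: errno 0 - moznss error -8023
[2010/12/15 22:42:44.538815,  0] lib/smbldap.c:731(smb_ldap_start_tls)
[2010/12/15 22:42:44.538832,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)
  [LDAP] ldap_err2string
  Failed to issue the StartTLS instruction: Connect error
"""
MAIN_LOG = """\
[2010/12/15 22:42:21.436441,  3] lib/smbldap.c:735(smb_ldap_start_tls)
  StartTLS issued: using a TLS connection
"""
```

Running starttls_status over the parent's log.smb and a per-client log.__ffff_* file side by side shows the pattern from this report: the parent process negotiates TLS fine while the forked child fails with the NSS error.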

Comment 1 Zoran Pericic 2010-12-26 19:28:22 UTC
This seems to be a libldap-moznss problem.

When a client connects, samba creates a new process, and then libldap cannot find any CA cert in the TLS context.

Comment 2 Zoran Pericic 2010-12-26 19:35:01 UTC
Created attachment 470749
Samba log with ldap debug level = -1 and some debug patches.

Comment 3 Zoran Pericic 2010-12-26 19:36:49 UTC
Created attachment 470750
Temporary patch to enhance tls_m.c debugging.

Temporary patch to enhance tls_m.c debugging, used to create the log.

Comment 4 Zoran Pericic 2010-12-26 19:37:31 UTC
Created attachment 470751
Temporary patch to enhance samba-ldap debugging.

Comment 5 Rich Megginson 2011-01-04 16:28:53 UTC
I believe this is the same problem as https://bugzilla.redhat.com/show_bug.cgi?id=636956 - does samba call fork()?

There is a workaround - https://bugzilla.redhat.com/show_bug.cgi?id=636956#c36

Comment 6 Zoran Pericic 2011-01-05 16:06:59 UTC
Yes it is. Thanks.

Adding "export NSS_STRICT_NOFORK=DISABLED" to init scripts solve it.

Comment 7 Michael Cronenworth 2011-01-19 01:51:33 UTC
(In reply to comment #5)
> There is a workaround - https://bugzilla.redhat.com/show_bug.cgi?id=636956#c36

WOoooooooo thank you. I was about to tear my hair out after an hour of not knowing what the problem was. (Fedora 13->14 server upgrade)

Closing a few dupes.

*** This bug has been marked as a duplicate of bug 636956 ***