Bug 669900

Summary: smbd (child) can't connect to ldap using tls (but smbd parent can)
Product: [Fedora] Fedora
Reporter: Ed van Gasteren <ed>
Component: samba
Assignee: Guenther Deschner <gdeschner>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 14
CC: gdeschner, jlayton, mike, ssorce
Hardware: i686   
OS: Linux   
Last Closed: 2011-01-19 01:50:48 UTC

Description Ed van Gasteren 2011-01-15 16:41:20 UTC
Description of problem:

I try to list the shares on a samba server. Instead of a list of the shares I get a timeout.

Version-Release number of selected component (if applicable):
samba-*3.5.6-71.fc14.i686

How reproducible:
Every time. Tried from the server and a different Linux client. From a Windows, iMac or Android phone client the results are the same.

Steps to Reproduce:
$ smbclient  -L lt2
Enter ********'s password: 
  
Actual results:
Receiving SMB: Server stopped responding
session setup failed: Call timed out: server did not respond after 20000 milliseconds

Expected results:
A list of the shares on the server.

Additional info:
I recently upgraded (fresh install) the server from Fedora 11 --> 14. On Fedora 11 it worked fine. On Fedora 14 it fails.

This server is both a samba and an (open)ldap server. The two talk to each other over ssl (at least they did in the Fedora 11 days, but no longer now with Fedora 14). All the other ldap and ssl stuff between my clients and server seems to work.

After some debugging of samba and ldap it appeared that on the server smbd has difficulty connecting to the ldap server. That appears to be the case for the child smbd that runs for the client. The parent smbd doesn't have the problem.

# grep LDAP log.smbd
---
  [LDAP] ldap_create
  [LDAP] ldap_url_parse_ext(ldaps://ldap-p.vangasteren.nl)
  [LDAP] ldap_simple_bind_s
  [LDAP] ldap_sasl_bind_s
  [LDAP] ldap_sasl_bind
  [LDAP] ldap_send_initial_request
  [LDAP] ldap_new_connection 1 1 0
  [LDAP] ldap_int_open_connection
  [LDAP] ldap_connect_to_host: TCP ldap-p.vangasteren.nl:636
  [LDAP] ldap_new_socket: 10
  [LDAP] ldap_prepare_socket: 10
  [LDAP] ldap_connect_to_host: Trying 192.168.0.200:636
  [LDAP] ldap_pvt_connect: fd: 10 tm: -1 async: 0
  [LDAP] TLS: loaded CA certificate file ...
  [LDAP] TLS: loaded CA certificate file ...
...
  [LDAP] TLS certificate verification: defer
  [LDAP] TLS certificate verification: subject: ...
...
  [LDAP] ldap_open_defconn: successful
  [LDAP] ldap_send_server_request
---

# grep LDAP log.lt2
---
  [LDAP] ldap_unbind
  [LDAP] ldap_free_connection 1 1
  [LDAP] ldap_send_unbind
  [LDAP] ldap_free_connection: actually freed
  [LDAP] ldap_create
  [LDAP] ldap_url_parse_ext(ldaps://ldap-p.vangasteren.nl)
  [LDAP] ldap_simple_bind_s
  [LDAP] ldap_sasl_bind_s
  [LDAP] ldap_sasl_bind
  [LDAP] ldap_send_initial_request
  [LDAP] ldap_new_connection 1 1 0
  [LDAP] ldap_int_open_connection
  [LDAP] ldap_connect_to_host: TCP ldap-p.vangasteren.nl:636
  [LDAP] ldap_new_socket: 10
  [LDAP] ldap_prepare_socket: 10
  [LDAP] ldap_connect_to_host: Trying 192.168.0.200:636
  [LDAP] ldap_pvt_connect: fd: 10 tm: -1 async: 0
  [LDAP] TLS: error: connect - force handshake failure: errno 0 - moznss error -8023
  [LDAP] TLS: can't connect: .
---
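
A triage helper for the parent/child comparison in the description above, added here as an example and not part of the original report or of the Samba or OpenLDAP code: it groups `[LDAP]` trace lines into connection attempts at each `ldap_create` and reports whether an attempt reached `ldap_open_defconn: successful` or stopped at a `TLS: error` line. The sample traces and the hostname `ldap.example.test` are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample traces in the format quoted in the report (hostname is a placeholder).
PARENT_LOG = """\
  [LDAP] ldap_create
  [LDAP] ldap_url_parse_ext(ldaps://ldap.example.test)
  [LDAP] ldap_open_defconn: successful
"""
CHILD_LOG = """\
  [LDAP] ldap_unbind
  [LDAP] ldap_create
  [LDAP] ldap_url_parse_ext(ldaps://ldap.example.test)
  [LDAP] TLS: error: connect - force handshake failure: errno 0 - moznss error -8023
  [LDAP] TLS: can't connect: .
"""

LDAP_LINE = re.compile(r"^\s*\[LDAP\]\s+(.*)$")
TLS_ERROR = re.compile(r"^TLS: error: .*?(?: - moznss error (-?\d+))?$")

def ldap_attempts(text):
    """Group [LDAP] trace lines into connection attempts, one per ldap_create."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LDAP_LINE.match(raw)
        if not m:
            continue  # not an LDAP library trace line
        msg = m.group(1).strip()
        if msg == "ldap_create":
            cur = {"url": None, "status": "incomplete", "nss_error": None}
            attempts.append(cur)
        elif cur is None:
            continue  # teardown of a connection opened before this excerpt
        elif msg.startswith("ldap_url_parse_ext(") and msg.endswith(")"):
            cur["url"] = msg[len("ldap_url_parse_ext("):-1]
        elif msg == "ldap_open_defconn: successful":
            cur["status"] = "connected"
        elif (err := TLS_ERROR.match(msg)):
            cur["status"] = "tls_failed"
            cur["nss_error"] = int(err.group(1)) if err.group(1) else None
    return attempts

def compare(logs):
    """Return {log name: [(url, status, nss_error), ...]} for side-by-side triage."""
    return {name: [(a["url"], a["status"], a["nss_error"]) for a in ldap_attempts(text)]
            for name, text in logs.items()}

if __name__ == "__main__":
    for name, rows in compare({"log.smbd": PARENT_LOG, "log.lt2": CHILD_LOG}).items():
        print(name, rows)
```

Attempts that never reach either marker are reported as `incomplete`, which separates a truncated log from an actual TLS failure.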

Comment 1 Michael Cronenworth 2011-01-19 01:50:48 UTC
There is a workaround - https://bugzilla.redhat.com/show_bug.cgi?id=636956#c36

*** This bug has been marked as a duplicate of bug 636956 ***