Bug 663485 - Failed to issue the StartTLS instruction: Connect error
Summary: Failed to issue the StartTLS instruction: Connect error
Keywords:
Status: CLOSED DUPLICATE of bug 636956
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: 14
Hardware: i686
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-12-15 22:36 UTC by Zoran Pericic
Modified: 2011-01-19 01:51 UTC
CC: 6 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-01-19 01:51:33 UTC
Type: ---
Embargoed:


Attachments
Samba log with ldap debug level = -1 and some debug patches. (8.16 KB, text/x-log)
2010-12-26 19:35 UTC, Zoran Pericic
Temporary patch to enhance tls_m.c debugging. (5.69 KB, patch)
2010-12-26 19:36 UTC, Zoran Pericic
Temporary patch to enhance samba-ldap debugging (1.14 KB, patch)
2010-12-26 19:37 UTC, Zoran Pericic

Description Zoran Pericic 2010-12-15 22:36:53 UTC
Description of problem:
Samba BDC can't connect to the existing OpenLDAP with TLS when clients try to connect to Samba. In the main log (/var/log/samba/log.smb) I could see that Samba could connect to the server and retrieve info. Also the pdbedit tool works correctly. But when a client tries to connect I get: "Failed to issue the StartTLS instruction: Connect error"

On pre-FC14 Samba can connect correctly, but with FC14 it always fails.

I am using an existing self-signed CA generated with OpenSSL and a server certificate signed with that CA. OpenLDAP is configured with these certificates and it's working. nss_ldap and pam_ldap are working on all systems. All certificates are valid and have not expired. ldapsearch and other LDAP clients work OK.


Version-Release number of selected component (if applicable):
samba-3.5.6-71.fc14.i686
nss-3.12.8-2.fc14.i686
openldap-2.4.23-4.fc14.i686
nspr-4.8.6-1.fc14.i686

How reproducible:
Configure samba as BDC to connect to OpenLDAP server using Start TLS/SSL.


Steps to Reproduce:
1. Configure Samba to use OpenLDAP
    passdb backend = ldapsam:ldap://server
    ldap admin dn = cn=Manager,dc=st
    ldap suffix = dc=st
    ldap ssl = start tls
    log level = 10
    ldap debug level = -1
    ...
2. Start nmb and smb services.
3. smbclient -L server

Actual results:

/var/log/samba/log.__ffff_192.168.122.1
[2010/12/15 22:42:44.538754,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)
  [LDAP] TLS: error: connect - force handshake failure: errno 0 - moznss error -8023
[2010/12/15 22:42:44.538780,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)
  [LDAP] TLS: can't connect: .
[2010/12/15 22:42:44.538815,  0] lib/smbldap.c:731(smb_ldap_start_tls)
[2010/12/15 22:42:44.538832,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)
  [LDAP] ldap_err2string
  Failed to issue the StartTLS instruction: Connect error
[2010/12/15 22:42:44.538856,  1] lib/smbldap.c:1330(another_ldap_try)
  Connection to LDAP server failed for the 1 try!

/var/log/samba/log.smb
[2010/12/15 22:42:21.422002,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)
  [LDAP] TLS: loaded CA certificate file /etc/pki/tls/certs/adf86755.0 from CA certificate directory /etc/pki/tls/certs.
[2010/12/15 22:42:21.424472,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)
  [LDAP] TLS certificate verification: defer
[2010/12/15 22:42:21.436402,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)
  [LDAP] TLS certificate verification: subject: E=....... cipher: AES-256, [LDAP] security level: high, secret key bits: 256, total key bits: 256, [LDAP] cache hits: 0, cache misses: 0, cache not reusable: 0
[2010/12/15 22:42:21.436441,  3] lib/smbldap.c:735(smb_ldap_start_tls)
  StartTLS issued: using a TLS connection
[2010/12/15 22:42:21.436456,  2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened


Expected results:
Samba should connect to server and retrieve accounts.


Additional info:
/etc/openldap/ldap.conf
URI ldap://quad.znjan.st ldap://znjan.st
BASE dc=mydomain
TLS_CACERTDIR /etc/pki/tls/certs
TLS_REQCERT never

ls -l /etc/pki/tls/certs
total 1228
lrwxrwxrwx 1 root root     10 2010-12-15 23:20 adf86755.0 -> cacert.pem
-rw-r--r-- 1 root root 578465 2010-04-07 11:40 ca-bundle.crt
-rw-r--r-- 1 root root 658225 2010-04-07 11:40 ca-bundle.trust.crt
-rw-r--r-- 1 root root   4379 2009-12-19 04:34 cacert.pem

Comment 1 Zoran Pericic 2010-12-26 19:28:22 UTC
This seems to be a libldap-moznss problem.

When a client connects, Samba creates a new process, and then libldap cannot find any CA cert in the TLS context.

Comment 2 Zoran Pericic 2010-12-26 19:35:01 UTC
Created attachment 470749 [details]
Samba log with ldap debug level = -1 and some debug patches.

Comment 3 Zoran Pericic 2010-12-26 19:36:49 UTC
Created attachment 470750 [details]
Temporary patch to enhance tls_m.c debugging.

Temporary patch to enhance tls_m.c debugging, used to create the log

Comment 4 Zoran Pericic 2010-12-26 19:37:31 UTC
Created attachment 470751 [details]
Temporary patch to enhance samba-ldap debugging

Comment 5 Rich Megginson 2011-01-04 16:28:53 UTC
I believe this is the same problem as https://bugzilla.redhat.com/show_bug.cgi?id=636956 - does samba call fork()?

There is a workaround - https://bugzilla.redhat.com/show_bug.cgi?id=636956#c36

Comment 6 Zoran Pericic 2011-01-05 16:06:59 UTC
Yes it is. Thanks.

Adding "export NSS_STRICT_NOFORK=DISABLED" to the init scripts solves it.
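To make the diagnosis in this thread checkable on another host, here is an added Python example; it is not part of the bug report and not Samba, OpenLDAP or NSS code. It parses Samba log lines in the format shown under "Actual results", flags the pattern where the main smbd log completes StartTLS while a per-client log fails with a moznss error (the forked per-connection child failing inside NSS, as comments 1 and 5 describe), and checks a process environment blob (the NUL-separated layout of /proc/<pid>/environ) for the NSS_STRICT_NOFORK=DISABLED workaround from comment 6. The sample log lines are taken from the excerpts above; treating every file other than log.smb, log.smbd and log.nmbd as a per-client log is an assumption about the log naming convention.

```python
import re

# Sample lines taken from the log excerpts in this report (trimmed).
SAMPLE_LOGS = {
    "log.smb": [
        "[2010/12/15 22:42:21.422002,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)",
        "  [LDAP] TLS: loaded CA certificate file /etc/pki/tls/certs/adf86755.0 from CA certificate directory /etc/pki/tls/certs.",
        "[2010/12/15 22:42:21.436441,  3] lib/smbldap.c:735(smb_ldap_start_tls)",
        "  StartTLS issued: using a TLS connection",
    ],
    "log.__ffff_192.168.122.1": [
        "[2010/12/15 22:42:44.538754,  1] lib/ldap_debug_handler.c:25(samba_ldap_log_print_fn)",
        "  [LDAP] TLS: error: connect - force handshake failure: errno 0 - moznss error -8023",
        "[2010/12/15 22:42:44.538815,  0] lib/smbldap.c:731(smb_ldap_start_tls)",
        "  Failed to issue the StartTLS instruction: Connect error",
        "[2010/12/15 22:42:44.538856,  1] lib/smbldap.c:1330(another_ldap_try)",
        "  Connection to LDAP server failed for the 1 try!",
    ],
}

# Samba log header: "[timestamp, level] file:line(function)"; message lines follow, indented.
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)")
MOZNSS_ERR = re.compile(r"moznss error (-?\d+)")
MAIN_LOGS = {"log.smb", "log.smbd", "log.nmbd"}  # assumption: everything else is per-client


def parse_samba_log(lines):
    """Group header + indented continuation lines into records."""
    records, cur = [], None
    for line in lines:
        m = HEADER.match(line)
        if m:
            cur = {"ts": m.group("ts"), "level": int(m.group("level")),
                   "src": m.group("src"), "msg": []}
            records.append(cur)
        elif cur is not None and line.strip():
            cur["msg"].append(line.strip())
    for r in records:
        r["msg"] = " ".join(r["msg"])  # a header with no message line yields ""
    return records


def starttls_status(records):
    """Return ("ok" | "failed" | "unknown", [moznss error codes]) for one log."""
    status, nss_errors = "unknown", []
    for r in records:
        if "StartTLS issued" in r["msg"]:
            status = "ok"
        elif "Failed to issue the StartTLS instruction" in r["msg"]:
            status = "failed"
        nss_errors.extend(int(code) for code in MOZNSS_ERR.findall(r["msg"]))
    return status, nss_errors


def diagnose(logs):
    """logs: {filename: [lines]}. Flags the parent-ok / child-failed pattern."""
    per_file = {name: starttls_status(parse_samba_log(lines)) for name, lines in logs.items()}
    parent_ok = any(per_file.get(n, ("unknown", []))[0] == "ok" for n in MAIN_LOGS)
    child_failed = any(st == "failed" and errs
                       for fn, (st, errs) in per_file.items() if fn not in MAIN_LOGS)
    return {"per_file": per_file, "fork_suspect": parent_ok and child_failed}


def has_nss_nofork_workaround(environ_blob):
    """environ_blob: bytes in /proc/<pid>/environ layout (NUL-separated KEY=VALUE)."""
    return b"NSS_STRICT_NOFORK=DISABLED" in environ_blob.split(b"\0")


def check_process(pid):
    """Read a live daemon's environment (Linux /proc) and apply the check above."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        return has_nss_nofork_workaround(f.read())


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOGS)
    for fn, (st, errs) in report["per_file"].items():
        print(f"{fn}: StartTLS {st}, moznss errors {errs}")
    print("fork-related NSS failure suspected:", report["fork_suspect"])
```

On a live system, `check_process(pid)` with the pid of the running smbd confirms the workaround actually reached the daemon's environment (an init script edit that is not sourced by the service leaves the variable unset). The variable relaxes NSS's fork-safety check, so keep it in the daemon's own environment rather than exporting it system-wide.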

Comment 7 Michael Cronenworth 2011-01-19 01:51:33 UTC
(In reply to comment #5)
> There is a workaround - https://bugzilla.redhat.com/show_bug.cgi?id=636956#c36

WOoooooooo thank you. I was about to tear my hair out after an hour of not knowing what the problem was. (Fedora 13->14 server upgrade)

Closing a few dupes.

*** This bug has been marked as a duplicate of bug 636956 ***
