From nobody@FreeBSD.org  Sun Feb  9 06:26:54 2014
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 6A92ABA3
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  9 Feb 2014 06:26:54 +0000 (UTC)
Received: from newred.freebsd.org (cgiserv.freebsd.org [IPv6:2001:1900:2254:206a::50:4])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.freebsd.org (Postfix) with ESMTPS id 38C3118B7
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  9 Feb 2014 06:26:54 +0000 (UTC)
Received: from cgiserv.freebsd.org ([127.0.1.6])
	by newred.freebsd.org (8.14.7/8.14.7) with ESMTP id s196Qrwv039916
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 9 Feb 2014 06:26:53 GMT
	(envelope-from nobody@cgiserv.freebsd.org)
Received: (from nobody@localhost)
	by cgiserv.freebsd.org (8.14.7/8.14.7/Submit) id s196Qrdu039893;
	Sun, 9 Feb 2014 06:26:53 GMT
	(envelope-from nobody)
Message-Id: <201402090626.s196Qrdu039893@cgiserv.freebsd.org>
Date: Sun, 9 Feb 2014 06:26:53 GMT
From: Dan Burkland <dburklan@me.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Start of Samba results in "nss_ldap: could not search LDAP server" errors
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         186575
>Category:       ports
>Synopsis:       net/samba41: Start of Samba results in "nss_ldap: could not search LDAP server" errors
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    timur
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 09 06:30:00 UTC 2014
>Closed-Date:    
>Last-Modified:  Tue Mar  4 02:30:00 UTC 2014
>Originator:     Dan Burkland
>Release:        10.0 P0 RELEASE
>Organization:
>Environment:
FreeBSD srv06 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
I have recently upgraded my FreeBSD file server from 9.1 to 10.0 and have run into an interesting issue. I have configured this system via "/etc/nsswitch" to utilize my OpenLDAP server for "passwdb" & "group" NSS lookups. The system is configured to talk to the OpenLDAP server over TLS, and basic things like "getent passwd" & "getent group" work fine and do not result in any errors on the LDAP or FreeBSD servers. When I start Samba, however (regardless of whether it is 3.6, 4.0, or 4.1), I notice the following error messages appear in my OpenLDAP server's logs:

Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 fd=43 ACCEPT from IP=10.0.0.15:30785 (IP=0.0.0.0:389)
Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 op=0 STARTTLS
Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 op=0 RESULT oid= err=0 text=
Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 fd=43 closed (TLS negotiation failure)

If I try to connect to the Samba server from a client or run a Samba-related command such as "smbpasswd -a <username>", they hang until I kill them. At that point I notice the following error message appear in "/var/log/messages" on the FreeBSD file server:

Feb  9 00:11:56 srv06 smbd[97896]: nss_ldap: could not search LDAP server - Server is unavailable

This configuration worked just fine in FreeBSD 9.1, so I'm not sure what changed in 10 to prevent this from working properly. As demonstrated previously, TLS + LDAP is working properly, as confirmed by the "getent passwd" command and OpenLDAP server logs (which indicate a clean TLS connection).

Please see the following tar file which should contain all of the necessary files:

https://www.dropbox.com/s/2eclhl1k5l2jaxr/FreeBSD_Samba_Problem_Report_Files_20140209.tar.gz

If you need any further information from me please shoot me an email.

Thanks!

Dan
>How-To-Repeat:
* Start/stop the "samba_server" service

Or

* Try to connect to the Samba fileshare from a client server


>Fix:
If I replace the following lines:

group: files ldap
passwd: files ldap

With

group: files
passwd: files

Samba then operates correctly and related commands such as "pdbedit -L -u <username>" work just fine. 

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Mon Feb 10 05:01:50 UTC 2014 
State-Changed-Why:  
to which version of the port does this PR apply? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=186575 
State-Changed-From-To: feedback->open 
State-Changed-By: linimon 
State-Changed-When: Sun Feb 16 23:38:03 UTC 2014 
State-Changed-Why:  
feedback received. 


Responsible-Changed-From-To: freebsd-ports-bugs->timur 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Feb 16 23:38:03 UTC 2014 
Responsible-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=186575 

From: Mark Linimon <linimon@lonesome.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/186575: Start of Samba results in "nss_ldap: could not
 search LDAP server" errors
Date: Mon, 3 Mar 2014 20:27:56 -0600

 ----- Forwarded message from Dan Burkland <dburklan@me.com> -----
 
 Date: Sun, 09 Feb 2014 23:13:15 -0600
 From: Dan Burkland <dburklan@me.com>
 To: linimon@FreeBSD.org
 Cc: freebsd-ports-bugs@FreeBSD.org
 Subject: Re: ports/186575: Start of Samba results in "nss_ldap: could not search LDAP server" errors
 X-Mailer: Apple Mail (2.1827)
 
 I receive these errors when I’m using the latest rev of the Samba36, Samba40, and Samba41 ports; however, I currently have the following version of the “Samba41” port installed:
 
 samba41-4.1.4_1
 
 If you have any more questions let me know.
 
 Thanks!
 
 Dan
 
 ----- End forwarded message -----
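
Added example (not part of the original report or its follow-ups): a small Python script that groups slapd log lines by connection id and lists the connections that requested StartTLS but closed without a TLS session, which is the pattern quoted in the Description. The conn=2054 lines are copied from the report; the conn=2055 lines, including the "TLS established" line, are constructed sample input, and the function names are this example's own.

```python
import re

# conn=2054 lines are quoted from the report; conn=2055 lines are constructed
# to show a completed handshake from the same client for comparison.
SAMPLE_LOG = """\
Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 fd=43 ACCEPT from IP=10.0.0.15:30785 (IP=0.0.0.0:389)
Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 op=0 STARTTLS
Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 op=0 RESULT oid= err=0 text=
Feb  9 00:10:09 srv01 slapd[51720]: conn=2054 fd=43 closed (TLS negotiation failure)
Feb  9 00:10:11 srv01 slapd[51720]: conn=2055 fd=44 ACCEPT from IP=10.0.0.15:30790 (IP=0.0.0.0:389)
Feb  9 00:10:11 srv01 slapd[51720]: conn=2055 op=0 STARTTLS
Feb  9 00:10:11 srv01 slapd[51720]: conn=2055 fd=44 TLS established tls_ssf=256 ssf=256
Feb  9 00:10:11 srv01 slapd[51720]: conn=2055 fd=44 closed
"""

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(\S+):\d+\s")
CLOSED_RE = re.compile(r"\bclosed(?: \((.*)\))?$")

def summarize(log_text):
    """Group slapd log lines by connection id and record the TLS outcome."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # not a per-connection slapd line
        conn_id, event = int(m.group(1)), m.group(2)
        c = conns.setdefault(conn_id, {"client": None, "starttls": False,
                                       "tls_ok": False, "closed": False,
                                       "reason": None})
        accept = ACCEPT_RE.search(event)
        closed = CLOSED_RE.search(event)
        if accept:
            c["client"] = accept.group(1)
        elif event.endswith("STARTTLS"):
            c["starttls"] = True
        elif "TLS established" in event:
            c["tls_ok"] = True
        elif closed:
            c["closed"], c["reason"] = True, closed.group(1)
    return conns

def failed_starttls(log_text):
    """Connections that requested StartTLS but closed without a TLS session."""
    return [(cid, c["client"], c["reason"])
            for cid, c in sorted(summarize(log_text).items())
            if c["starttls"] and c["closed"] and not c["tls_ok"]]

if __name__ == "__main__":
    for cid, client, reason in failed_starttls(SAMPLE_LOG):
        print(f"conn={cid} client={client} StartTLS failed: {reason}")
```

Grouping by conn= rather than by client IP matters here because the same host (10.0.0.15) produces both working and failing connections, depending on which process opened them.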
>Unformatted:
