I know, I can rename the Base Domain under "Server->Directory->Directory Server". The name is changed.
No Errors there. But afterwards samba won't start any more:
[2020/12/15 20:46:05.701288,  0] ../../source3/passdb/secrets.c:364(fetch_ldap_pw)
fetch_ldap_pw: neither ldap secret retrieved!
[2020/12/15 20:46:05.701333, 0] ../../source3/passdb/pdb_ldap.c:6579(pdb_init_ldapsam_common)
pdb_init_ldapsam_common: Failed to retrieve LDAP password from secrets.tdb
[2020/12/15 20:46:05.701348, 0] ../../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
pdb backend ldapsam:ldap://127.0.0.1 did not correctly init (error was NT_STATUS_NO_MEMORY)


I think the certificates are broken. I can rename it back and everything is alright again.
Is there a way to re-create the certificates?
Wednesday, December 16 2020, 09:27 AM
Responses (5)
  • Accepted Answer

    Friday, December 18 2020, 11:57 AM
    Renaming my home system did also work. But! after every reboot I had to restart slapd and smb.
    So: don't rename the LDAP Base Domain ;)
  • Accepted Answer

    Thursday, December 17 2020, 12:24 PM
    I finished the test.
    Installed a ClearOS Server with samba, openvpn, ssh, webserver.
    Rename the Server+Domain, rename LDAP Base Domain, recreate the certificates.
    Samba stopped working
    I copied the new certificates from /etc/pki/CA to /etc/openldap/certs with the result, that slapd wouldn't
    start anymore. So I restored the original certs and renamed the Base Domain back. Samba starts again.
    (ssh, openvpn (after resetting the user certificate) and webserver still fully functional)

    Then I remembered that I did rename the Base Domain first and afterward recreated the certs.
    So I thought, give it a try, and did change the Base Domain again....now everything works!
    Maybe I just got lucky. Or maybe resetting the user certificate did something...I don't know.
    I will give my home server another try and see what happens.

    On the bottom line: It seems it is doable. But I think that webconfig should either make the Base Domain
    read only or give me a warning or should rename the Base Domain correctly....
  • Accepted Answer

    Wednesday, December 16 2020, 01:45 PM
    I could not agree more, especially as I bumped into the issue with 6.x. From memory I lost Samba, cyrus-imap and, perhaps, openvpn. The bugs are all linked on the old tracker but I am not sure where they are on the new tracker. A few weeks ago a customer had the same problem and Kopano wouldn't work. I couldn't figure it out in the time available and did a configuration restore to fix it.

    I have a feeling it is not a certificate issue but an LDAP credentials issue as the dn probably changes. As an example, look in /etc/samba/smb.ldap.conf. I suspect the "ldap admin dn", "ldap suffix" and "ldap user suffix" need updating. The same would go for any app which has these fields or something similar. If that is the case, try a "grep dc=your_base_name /etc/* -r" and substitute your_base_name for part of your LDAP DN.

    For the certificate deletion, view your CA and hit regenerate. Unfortunately there is no way of regenerating the system certificate on its own (and we need to for other reasons .......)
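The config check suggested in the reply above, sketched as a script (an added example, not part of the original thread and not ClearOS code). It generalizes the grep to a recursive, case-insensitive search and adds a check of the three smb.ldap.conf keys named in the reply; the function names and any base DNs you pass in are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find config that still uses the old
# LDAP base DN after a rename. Function names are hypothetical.

# List files under directory $2 that still mention base DN $1.
# DNs are case-insensitive, so match a fixed string ignoring case.
stale_dn_files() {
    grep -rIil -F -- "$1" "$2" 2>/dev/null | sort
}

# For Samba-style file $2, print each "ldap admin dn", "ldap suffix" or
# "ldap user suffix" setting whose DN does not end in the new base DN $1.
# Values without a dc= component (relative suffixes) are skipped.
mismatched_ldap_keys() {
    awk -F'=' -v base="$1" '
        /^[ \t]*ldap (admin dn|suffix|user suffix)[ \t]*=/ {
            key = $1
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)
            v = tolower(val); b = tolower(base)
            if (v !~ /dc=/) next
            if (length(v) < length(b) ||
                substr(v, length(v) - length(b) + 1) != b)
                print key " = " val
        }' "$2"
}

# Usage: audit.sh OLD_BASE NEW_BASE DIR
if [ $# -eq 3 ]; then
    echo "Files still referencing $1:"
    stale_dn_files "$1" "$3"
    if [ -f "$3/samba/smb.ldap.conf" ]; then
        echo "Samba LDAP settings not under $2:"
        mismatched_ldap_keys "$2" "$3/samba/smb.ldap.conf"
    fi
fi
```

The script only reads files; run it against /etc with the old and new base DN as the first two arguments and review each hit before editing anything.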
  • Accepted Answer

    Wednesday, December 16 2020, 12:39 PM
    Ok. Thanks for the warning. I will install a fresh test system to try things out.
    If the tests will give me any trouble I will leave my Base Domains as they are ;)
    (It is a cosmetic change anyway)
    Would be nice though, if webconfig would warn me when I try something terribly stupid ;)

    And how do I regenerate the certificates in the Certificate Manager? I only see "View" and "Add"!
  • Accepted Answer

    Wednesday, December 16 2020, 12:06 PM
    Changing the directory base name fills me with fear. I did it years ago with 6.x and thought I'd lost the system. I managed to get it back. Some of it is in the old issue tracker but that is down at the moment and I have no hours to try to get it sorted.

    You can regenerate your CA certificate from the Certificate Manager. This will also force the regeneration of your system certificate. What it will not do, I think, is then deploy it. For LDAP, I believe they go in /etc/openldap/certs, but the certs are used in all sorts of different places.

    You would also then need to regenerate all user OpenVPN certificates, if you use them.

    I seem to remember that I fixed some things by running the deploy/update or deploy/install of a couple of apps (eg /usr/clearos/apps/samba/deploy) but I can't remember which apps I did that for. Also a reboot fixed some things but not all. I'd need to get to the issue tracker.