
[Samba] can't connect ldapsearch with samba 4


Trenta sis
Jun 17, 2016, 10:30:04 AM

Hi,

I'm trying to migrate a Samba 3 NT domain to Samba 4 AD. We have migrated
the data and it seems correct, but now we need to connect with ldapsearch
and always receive errors like:
ldap_bind: Strong(er) authentication required (8)
additional info: BindSimple: Transport encryption required.

The command used is:
/usr/bin/ldapsearch -H ldap://server -x -LLL -z 0 -D "uid=user,ou=Users,dc=domain,dc=com" -w "pwd" -b "ou=Users,dc=domain,dc=com"

I have tested authentication with SSL from an external application and it
works OK and seems correctly configured.

I have tried to run ldapsearch with SSL and without, but always receive
errors. Using the ldapadmin client I can connect with GSSAPI on port 389, but
with ldapsearch I can't make it work...

How can I query the Samba 4 AD LDAP with ldapsearch?


Thanks
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

mj
Jun 18, 2016, 6:20:03 AM

Hi

> How can I query the Samba 4 AD LDAP with ldapsearch?

Just don't use ldaps://, instead use Kerberos (-k yes):

kinit administrator
ldbsearch -H ldap://addc.example.net "cb=administrator" -k yes

I know it seems strange, but direct encryption with Kerberos is more
secure than LDAP over SSL/TLS. Therefore, we only accept simple binds
over ldaps:// by default, or:

ldap server require strong auth = no

Hope that helps,
MJ

Trenta sis
Jun 19, 2016, 1:10:03 PM

Hi,

First of all, thanks for your answer.

I have tried it but it is not working; we receive:

# kinit administrator
Password for admini...@DOM.COM:
Warning: Your password will expire in 33 days on Fri 22 Jul 2016 07:52:12
PM CEST

# ldbsearch -H ldap://debian8DC1 "cb=administrator" -k yes
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://debian8DC1' with backend 'ldap': (null)
Failed to connect to ldap://debian8DC1 - (null)

Is it possible to keep the same or a similar configuration to the one used
with Samba 3 + OpenLDAP to make queries to LDAP? We have many scripts using
ldapsearch... Is it possible to keep the scripts using ldapsearch?

Thanks

Achim Gottinger
Jun 19, 2016, 1:50:03 PM

On my side I needed

TLS_REQCERT allow

in /etc/ldap.conf to get ldaps working.

To use unencrypted connections add

ldap server require strong auth = no

to the global section of smb.conf.

achim~

Rowland penny
Jun 19, 2016, 2:20:03 PM

OK, I think your search isn't quite right. When I kinit as
Administrator, then run this:

rowland@devstation:~$ ldbsearch -H ldap://dc1 -b "dc=samdom,dc=example,dc=com" -s sub '(samaccountname=Administrator)' -k yes

I get this:

# record 1
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20151106115615.0Z
uSNCreated: 3545
name: Administrator
objectGUID: fc9d301b-d893-4cc7-8167-8d977c531afb
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
pwdLastSet: 130912845750000000
primaryGroupID: 513
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
adminCount: 1
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
userAccountControl: 66048
accountExpires: 0
lastLogonTimestamp: 131107485215380620
whenChanged: 20160618183521.0Z
uSNChanged: 228749
lastLogon: 131108323871862570
distinguishedName: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# returned 4 records
# 1 entries
# 3 referrals

So you see it does work.

The only other thing I can think of: do you have libpam-krb5 installed on the
DC & Unix clients?

Rowland

Trenta sis
Jun 20, 2016, 12:20:03 PM

Hi,

Solved by only making these changes: in /etc/ldap/ldap.conf add

TLS_CACERT /etc/ldap/ca.pem.crt

Sample query with ldaps:
# ldapsearch -H ldaps://server -x -LLL -z 0 -D "CN=user,CN=Users,DC=domain,DC=com" -w "p" -b "CN=Users,DC=domain,DC=com"


Solved!

Thanks
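The replies above offer three different knobs: TLS_CACERT (the fix that worked, which lets the client verify the DC certificate), TLS_REQCERT allow (which makes ldaps work by skipping that verification), and "ldap server require strong auth = no" (which makes the DC accept simple binds over plain ldap://). The script below is an added example, not code from the thread or from the Samba project. It audits constructed sample copies of /etc/ldap/ldap.conf and smb.conf for exactly those settings so a migration does not replace the original bind error with an unverified or unencrypted connection. The file names, the placeholder CA file and the functions check_ldap_conf / check_smb_conf are all assumptions of this example.

```shell
#!/bin/sh
# Added example: audit client-side TLS verification (ldap.conf) and the
# server-side "ldap server require strong auth" setting (smb.conf).
# All config files below are constructed samples written to a temp dir.

# check_ldap_conf FILE
# Returns 0 when the client will verify the DC certificate, 1 otherwise.
check_ldap_conf() {
    _f="$1"
    _rc=0
    # Drop comments; ldap.conf directive names are case-insensitive and the
    # last occurrence wins.
    _reqcert=$(sed 's/#.*//' "$_f" | awk 'tolower($1)=="tls_reqcert"{print tolower($2)}' | tail -n 1)
    _cacert=$(sed 's/#.*//' "$_f" | awk 'tolower($1)=="tls_cacert"{print $2}' | tail -n 1)
    case "$_reqcert" in
        never|allow)
            echo "WARN $_f: TLS_REQCERT $_reqcert skips server certificate verification"
            _rc=1 ;;
        try)
            echo "WARN $_f: TLS_REQCERT try tolerates a missing server certificate"
            _rc=1 ;;
    esac
    if [ -z "$_cacert" ]; then
        echo "WARN $_f: no TLS_CACERT, so the DC certificate cannot be validated"
        _rc=1
    elif [ ! -r "$_cacert" ]; then
        echo "WARN $_f: TLS_CACERT $_cacert is not readable"
        _rc=1
    else
        echo "OK   $_f: TLS_CACERT $_cacert"
    fi
    return $_rc
}

# check_smb_conf FILE
# Returns 0 when the DC keeps its default (simple binds only over TLS),
# 1 when "ldap server require strong auth = no" has been set.
check_smb_conf() {
    _f="$1"
    # Drop comment lines, squeeze blanks, lower-case, keep the last occurrence.
    _val=$(sed -e 's/^[[:space:]]*[#;].*//' "$_f" \
        | tr -d '[:blank:]' | tr '[:upper:]' '[:lower:]' \
        | awk -F= '$1=="ldapserverrequirestrongauth"{print $2}' | tail -n 1)
    case "$_val" in
        no|false|0)
            echo "WARN $_f: ldap server require strong auth = $_val allows simple binds over unencrypted ldap://"
            return 1 ;;
        "")
            echo "OK   $_f: ldap server require strong auth not set (default yes)" ;;
        *)
            echo "OK   $_f: ldap server require strong auth = $_val" ;;
    esac
    return 0
}

TMP=$(mktemp -d)
printf 'placeholder CA certificate (constructed)\n' > "$TMP/ca.pem.crt"

# Constructed sample: the client config that resolved the thread.
GOOD_LDAP="$TMP/ldap.conf.good"
cat > "$GOOD_LDAP" <<EOF
# /etc/ldap/ldap.conf (sample)
BASE   dc=domain,dc=com
URI    ldaps://server
TLS_CACERT $TMP/ca.pem.crt
EOF

# Constructed sample: the workaround that disables verification.
WEAK_LDAP="$TMP/ldap.conf.weak"
cat > "$WEAK_LDAP" <<EOF
URI    ldaps://server
TLS_REQCERT allow
EOF

# Constructed smb.conf samples: default, and with strong auth turned off.
GOOD_SMB="$TMP/smb.conf.good"
cat > "$GOOD_SMB" <<EOF
[global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        server role = active directory domain controller
EOF

WEAK_SMB="$TMP/smb.conf.weak"
cat > "$WEAK_SMB" <<EOF
[global]
        workgroup = DOMAIN
        # added to make plain ldap:// simple binds work
        ldap server require strong auth = no
EOF

for f in "$GOOD_LDAP" "$WEAK_LDAP"; do check_ldap_conf "$f" || true; done
for f in "$GOOD_SMB" "$WEAK_SMB"; do check_smb_conf "$f" || true; done
```

Point the two functions at the real /etc/ldap/ldap.conf and /etc/samba/smb.conf to run the same check on a migrated host; a non-zero exit from either one means the migration shortcut is still in place.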

Rowland penny
Jun 20, 2016, 12:50:03 PM

I would use ldbsearch with Kerberos, it is more secure; see here:

https://lists.samba.org/archive/samba/2016-June/200364.html

Rowland