
[Samba] Cannot bind to AD using nslcd


Rob Mason
Nov 19, 2014, 11:00:04 AM
Hi again - following on from my last request for help, I'm now attempting to
set up LDAP auth against my working samba4 AD.

Simplistically, I'm trying initially to SSH into my AD server (working)
using nslcd.
I've tried method #1 from
https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

My simple config is:

uid nslcd
gid nslcd
uri ldap://127.0.0.1:389
base cn=Users,dc=acasta,dc=intra
binddn cn=nslcd-connect,cn=Users, dc=acasta,dc=intra
bindpw xxxxx

filter passwd (objectClass=user)
filter group (objectClass=group)
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
#map group uniqueMember member

Nsswitch.conf has been modified to include ldap.
Pam.conf has the appropriate values.

My syslog says:
Nov 19 14:32:35 kepler nslcd[13159]: [8b4567] <passwd(all)> failed to bind
to LDAP server ldap://kepler.acasta.intra/: Invalid credentials: Simple Bind
Failed: NT_STATUS_LOGON_FAILURE
Nov 19 14:32:35 kepler nslcd[13159]: [8b4567] <passwd(all)> no available
LDAP server found: Invalid credentials

# ldapsearch -x -D 'ACASTA\nslcd-connect' -w 'xxxxx' -E pr=1000/noprompt -b 'cn=Users,dc=acasta,dc=intra' SAMAccountName uid uidNumber

...authenticates and lists all my user objects

I've convinced myself that the problem somehow lies within the 'binddn'
setting. After several hours I'm no further forward.

Can anyone throw any light here???

TIA

Rowland Penny
Nov 19, 2014, 11:20:03 AM
On 19/11/14 15:54, Rob Mason wrote:
> Hi Again - following on from my last request for help, I'm now attempting to
> setup LDAP auth against my working samba4 AD.
>
> Simplistically, I'm trying initially to SSH into my AD server (working)
> using nslcd.
> I've tried method #1 from
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
>
> My simple config is:
>
> uid nslcd
> gid nslcd
> uri ldap://127.0.0.1:389
> base cn=Users,dc=acasta,dc=intra
> binddn cn=nslcd-connect,cn=Users, dc=acasta,dc=intra
^
You have a space here

Rowland

> bindpw xxxxx
>
> filter passwd (objectClass=user)
> filter group (objectClass=group)
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map passwd gecos displayName
> map passwd gidNumber primaryGroupID
> #map group uniqueMember member
>
> Nsswitch.conf has been modified to include ldap.
> Pam.conf has the appropriate values.
>
> My syslog says:
> Nov 19 14:32:35 kepler nslcd[13159]: [8b4567] <passwd(all)> failed to bind
> to LDAP server ldap://kepler.acasta.intra/: Invalid credentials: Simple Bind
> Failed: NT_STATUS_LOGON_FAILURE
> Nov 19 14:32:35 kepler nslcd[13159]: [8b4567] <passwd(all)> no available
> LDAP server found: Invalid credentials
>
> # ldapsearch -x -D 'ACASTA\nslcd-connect' -w 'xxxxx' -E pr=1000/noprompt -b
> 'cn=Users,dc=acasta,dc=intra' SAMAccountName uid uidNumber
>
> .authenticates and lists all my user objects
>
> I've convinced myself that the problem somehow lies within the 'binddn'
> setting. After several hours I'm no further forward.
>
> Can anyone throw any light here???
>
> TIA
>
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rob Mason
Nov 19, 2014, 11:20:04 AM
Thanks Rowland, but that space is pasted into my email by accident - it
isn't in the original nslcd.conf file.

Checked again and re-pasted:

binddn cn=nslcd-connect,cn=Users,dc=acasta,dc=intra

Is this definitely the correct format for 'binddn' - the man page doesn't
specify format???

Rowland Penny
Nov 19, 2014, 11:20:05 AM
Darn email client, I will try again

binddn cn=nslcd-connect,cn=Users, dc=acasta,dc=intra
^
You have a space here

Rowland

Rowland Penny
Nov 19, 2014, 11:30:03 AM
On 19/11/14 16:16, Rob Mason wrote:
> Thanks Rowland, but that space is pasted into my email by accident - it
> isn't in the original nslcd.conf file.
>
> Checked again and re-pasted:
>
> binddn cn=nslcd-connect,cn=Users,dc=acasta,dc=intra
>
> Is this definitely the correct format for 'binddn' - the man page doesn't
> specify format???

It has been some time since I used nslcd, but I believe it is correct.

Have a look here, this may help:
http://wiki.gentoo.org/wiki/Centralized_authentication_with_Samba_AD_/HOWTO

If it does and you get it working, can you post what you changed and if
required, I will update the howto.

Rowland

John Yocum
Nov 19, 2014, 11:30:04 AM
Have you done an ldapsearch to lookup that user's full DN? Though that
would appear to be correct, assuming your AD domain is acasta.intra.

--John
--
John Yocum, Systems Administrator, DEOHS

Rowland Penny
Nov 19, 2014, 11:40:04 AM
On 19/11/14 16:30, Rob Mason wrote:
> Thanks again Rowland - that particular URL is one I've followed earlier
> today.
>
> I've honestly been at this about 5 hours! I've even taken my Wheezy box
> back to install and re-provisioned the AD just to be sure!
>
> My suspicion still remains with the format of 'binddn'.
OK, can you confirm that you are using samba 4.1.11 from backports, you
have created the user 'nslcd-connect' in AD and you are trying to ssh
into the AD DC.

Rowland

Rob Mason
Nov 19, 2014, 11:40:04 AM
Seems OK ->

dn: CN=nslcd-connect,CN=Users,DC=acasta,DC=intra
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: nslcd-connect
givenName: nslcd-connect
instanceType: 4
whenCreated: 20141119142618.0Z
displayName: nslcd-connect
uSNCreated: 3775
name: nslcd-connect
objectGUID:: STbTmoMqyE+lIjhxrk8OHQ==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAg/RAl2y4e0EHLvzkUAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: nslcd-connect
sAMAccountType: 805306368
userPrincipalName: nslcd-...@acasta.intra
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=acasta,DC=intra
pwdLastSet: 130608807790000000
whenChanged: 20141119142620.0Z
userAccountControl: 66048
uSNChanged: 3778
distinguishedName: CN=nslcd-connect,CN=Users,DC=acasta,DC=intra

Rob Mason
Nov 19, 2014, 11:40:04 AM
Thanks again Rowland - that particular URL is one I've followed earlier
today.

I've honestly been at this about 5 hours! I've even taken my Wheezy box
back to install and re-provisioned the AD just to be sure!

My suspicion still remains with the format of 'binddn'.

Rob Mason
Nov 19, 2014, 11:50:04 AM

<--snip-->

> OK, can you confirm that you are using samba 4.1.11 from backports, you have
> created the user 'nslcd-connect' in AD and you are trying to ssh into the AD
> DC.
>
> Rowland

Thanks again!

Yes - in this order:

# apt-get install -t wheezy-backports samba smbclient krb5-config krb5-user
# samba-tool domain provision --use-rfc2307 --interactive
# ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

Tested OK using:

# host -t SRV _ldap._tcp.acasta.intra.
# host -t SRV _kerberos._udp.acasta.intra.
# host -t A kepler.acasta.intra.
# kinit admini...@ACASTA.INTRA
# klist

I am trying to ssh into my AD-DC box using a domain account (as a starter!)


Rowland Penny
Nov 19, 2014, 12:00:03 PM
OK, in which case why don't you just use winbind? It works for me, with
exactly the same configuration as you. Or do you want to do something else,
and if so what?

Rob Mason
Nov 19, 2014, 12:00:03 PM
Hi Rowland - it's probably my misunderstanding, but basically, I'm
aiming to authenticate all network services (smtp, imap, file and print)
to the AD in order to take advantage of a single domain account per
user. I achieved all of this under samba3 using 'unix password sync'.




Rowland Penny
Nov 19, 2014, 12:10:04 PM
I hope that you aren't thinking of using the AD DC to store all these;
if so, then I would suggest that you set up a member server and use this
instead: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Min Wai Chan
Nov 19, 2014, 12:10:05 PM
Hi Rob,

What is not working now?

Once you are using an AD DC you cannot think of unix password sync anymore.

When using unix password sync, there is a local account and password.

But with AD DC + nslcd...

We need the help of PAM or native LDAP/AD.

So the program you use must use PAM authentication or LDAP/AD.

Rob Mason
Nov 19, 2014, 12:10:05 PM
Further info running nslcd debug (anyone know what the 3 stars (***) are
in "ldap_simple_bind_s" below?):

nslcd: [7b23c6] DEBUG: connection from pid=17975 uid=0 gid=0
nslcd: [7b23c6] <passwd(all)> DEBUG:
myldap_search(base="CN=Users,DC=acasta,DC=intra",
filter="(objectClass=posixAccount)")
nslcd: [7b23c6] <passwd(all)> DEBUG:
ldap_initialize(ldap://kepler.acasta.intra/)
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <passwd(all)> DEBUG:
ldap_simple_bind_s("CN=lcd-connect,CN=Users,DC=acasta,DC=intra","***")
(uri="ldap://kepler.acasta.intra/")
nslcd: [7b23c6] <passwd(all)> failed to bind to LDAP server
ldap://kepler.acasta.intra/: Invalid credentials: Simple Bind Failed:
NT_STATUS_LOGON_FAILURE
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_unbind()
nslcd: [7b23c6] <passwd(all)> no available LDAP server found: Invalid
credentials
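The three stars in ldap_simple_bind_s("...","***") are nslcd masking the bind password: in debug mode it prints "***" in place of bindpw rather than the secret itself. The more telling part of that line is the DN it binds with, CN=lcd-connect,..., which is not the CN=nslcd-connect,... object shown in the ldapsearch output earlier in the thread. Whether that is a paste error or what nslcd.conf actually contains, it is the kind of discrepancy worth checking mechanically, and the ldapsearch that succeeded does not exercise it: it bound as ACASTA\nslcd-connect, a DOMAIN\user identity that Samba AD also accepts for simple binds, so it never tested the DN spelling. The Python below is an added example, not code from the thread or from nslcd. It parses an nslcd.conf fragment and an LDIF entry (both constructed here from the values posted above, with a placeholder password), normalises both DNs as RFC 4514 strings (attribute types compared case-insensitively, whitespace around separators ignored, escaped commas preserved) and reports whether the binddn names the returned object. Folding the values to lower case assumes caseIgnore matching for the attributes involved.

```python
"""Check that the binddn in nslcd.conf names the object the directory returned.
Added example: not code from the thread, not nslcd's own implementation."""

# Constructed from the values posted in the thread; the trailing space after
# "cn=Users," is the one discussed there and the password is a placeholder.
NSLCD_CONF = """\
uid nslcd
gid nslcd
uri ldap://kepler.acasta.intra/
base cn=Users,dc=acasta,dc=intra
binddn cn=nslcd-connect,cn=Users, dc=acasta,dc=intra
bindpw xxxxx
filter passwd (objectClass=user)
map passwd uid sAMAccountName
"""

# Constructed LDIF fragment shaped like the ldapsearch output in the thread.
LDIF_ENTRY = """\
dn: CN=nslcd-connect,CN=Users,DC=acasta,DC=intra
objectClass: user
sAMAccountName: nslcd-connect
userAccountControl: 66048
"""


def parse_nslcd_conf(text):
    """Return {option: [values]} for the 'option value' lines of nslcd.conf.
    Options such as 'map' and 'filter' may repeat, hence the lists."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        options.setdefault(key, []).append(value.strip())
    return options


def ldif_dn(text):
    """Return the value of the first 'dn:' line of an LDIF entry."""
    for line in text.splitlines():
        if line.lower().startswith("dn:"):
            return line[3:].strip()
    raise ValueError("no dn: line in LDIF entry")


def split_rdns(dn):
    """Split a DN string on unescaped commas (RFC 4514 escapes ',' as '\\,')."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def normalize_dn(dn):
    """Canonical form for comparison: attribute types lower-cased, whitespace
    around '=' and ',' dropped (RFC 2253 parsers must accept it), values
    lower-cased on the assumption that the attributes use caseIgnore matching.
    Multi-valued RDNs (a+b) are not handled."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        rdns.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return ",".join(rdns)


def check_binddn(conf_text, ldif_text):
    """Compare nslcd.conf's binddn with the DN of the LDIF entry."""
    binddn = parse_nslcd_conf(conf_text).get("binddn", [None])[0]
    if binddn is None:
        return {"ok": False, "reason": "no binddn in nslcd.conf"}
    wanted, found = normalize_dn(binddn), normalize_dn(ldif_dn(ldif_text))
    return {
        "ok": wanted == found,
        "binddn": wanted,
        "directory_dn": found,
        "reason": ("binddn names the directory object" if wanted == found
                   else "binddn does not match the object's DN"),
    }


if __name__ == "__main__":
    print(check_binddn(NSLCD_CONF, LDIF_ENTRY))
    # Same check with the DN that nslcd's debug line showed it binding as.
    print(check_binddn(NSLCD_CONF.replace("cn=nslcd-connect", "cn=lcd-connect"),
                       LDIF_ENTRY))
```

Run against the posted configuration the check passes, stray space included, because the space is not significant once the DN is normalised; run against the CN=lcd-connect DN from the debug output it fails, which is the result a bind with a mistyped DN would also produce at the server (NT_STATUS_LOGON_FAILURE says nothing about which part of the DN was wrong).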



Rob Mason
Nov 19, 2014, 12:20:03 PM
Thanks Min.

I have nsswitch configured with:

passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

I have pam.conf configured with 'pam_ldap.so'


Is this what you mean???

Rob Mason
Nov 19, 2014, 12:20:04 PM
Thanks. I have three servers. The AD-DC then a print/fileserver, and,
finally a smtp/imap server. I have made an assumption that the other
two servers will require 'nslcd' to authenticate against the AD-DC
domain accounts. I have no requirement for SMB service on that third
server.

My objective is for Do...@ACASTA.INTRA to log onto a domain account on a
Win7 workstation and access print, file and email services from the
network using that single domain account. I have little experience with
winbind - is that a better option than attempting ldap integration???



Rowland Penny
Nov 19, 2014, 12:20:04 PM
iRedmail has a page on integrating with AD:
http://www.iredmail.org/docs/active.directory.html

I know that you are probably not using iRedmail, but this should give
you some idea of the direction to go.

Rob Mason
Nov 19, 2014, 12:30:03 PM

Rob Mason
07770 578764
Thanks for your help Rowland. The iredmail isn't really the approach I
would desire. I guess I'm being too ambitious! I thought I would be
able to redirect all authentication requests via nslcd. I'm going to
have to sit down and have a rethink!


Rob Mason
Nov 19, 2014, 12:50:02 PM
A little further forward! I've re-provisioned the domain and re-created
the new 'nslcd-connect' user just to be sure.

'binddn' is now working - but is complaining about 'uidNumber'. I think
this is now just a mapping issue. Anyone??

nslcd: [495cff] <passwd(all)> DEBUG:
myldap_search(base="CN=Users,DC=acasta,DC=intra",
filter="(objectClass=user)")
nslcd: [495cff] <passwd(all)> DEBUG: ldap_result():
CN=Administrator,CN=Users,DC=acasta,DC=intra
nslcd: [495cff] <passwd(all)>
CN=Administrator,CN=Users,DC=acasta,DC=intra: uidNumber: missing
nslcd: [495cff] <passwd(all)> DEBUG: ldap_result():
CN=nslcd-connect,CN=Users,DC=acasta,DC=intra
nslcd: [495cff] <passwd(all)>
CN=nslcd-connect,CN=Users,DC=acasta,DC=intra: uidNumber: missing
nslcd: [495cff] <passwd(all)> DEBUG: ldap_result():
CN=krbtgt,CN=Users,DC=acasta,DC=intra
nslcd: [495cff] <passwd(all)> CN=krbtgt,CN=Users,DC=acasta,DC=intra:
uidNumber: missing
nslcd: [495cff] <passwd(all)> DEBUG: ldap_result():
CN=Guest,CN=Users,DC=acasta,DC=intra
nslcd: [495cff] <passwd(all)> CN=Guest,CN=Users,DC=acasta,DC=intra:
uidNumber: missing
nslcd: [495cff] <passwd(all)> DEBUG: ldap_result(): end of results (4 total)

The full nslcd.conf is here:

uid nslcd
gid nslcd
uri ldap://kepler.acasta.intra/
base CN=Users,DC=acasta,DC=intra
binddn CN=nslcd-connect,CN=Users,DC=acasta,DC=intra
bindpw xxxxxxxx
pagesize 1000
referrals off
filter passwd (objectClass=user)
filter group (objectClass=group)
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
map passwd uidNumber uidNumber
#map group uniqueMember member


Min Wai Chan
Nov 19, 2014, 12:50:03 PM
You should be using this, if you are using LDAP and not Kerberos:

pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)

Rowland Penny
Nov 19, 2014, 1:10:02 PM
Have you given your users the rfc2307 attributes (including uidNumber) ??

Rob Mason
Nov 19, 2014, 1:20:03 PM
I'm not sure I understand the question? My smb.conf has the line:

idmap_ldb:use rfc2307 = yes

When I create a domain account they should just automatically get
those?



John Yocum
Nov 19, 2014, 1:30:02 PM
No, you have to assign the uidNumber, gidNumber, etc. to each account
and group. If you're using RSAT to manage users, you'll need Server for
NIS Tools installed.

--
John Yocum, Systems Administrator, DEOHS

Rob Mason
Nov 19, 2014, 1:30:03 PM
Thanks - my nslcd appears to be _almost_ working!! Debug shows:

nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=18724 uid=0 gid=0
nslcd: [8b4567] <passwd(all)> DEBUG:
myldap_search(base="DC=acasta,DC=intra",
filter="(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))")
nslcd: [8b4567] <passwd(all)> DEBUG:
ldap_initialize(ldap://kepler.acasta.intra/)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd(all)> DEBUG:
ldap_simple_bind_s("CN=nslcd-connect,CN=Users,DC=acasta,DC=intra","***")
(uri="ldap://kepler.acasta.intra/")
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_result(): end of results (0 total)

When I use 'getent passwd', I do not see any domain accounts. I
expected to see the 'Administrator' and 'nslcd-connect' domain accounts
listed. I only get Unix accounts.
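Why the recommended filter returns "end of results (0 total)" until the accounts carry RFC 2307 attributes, and why the earlier (objectClass=user) filter instead logged "uidNumber: missing" for every entry, follows from the two steps nslcd performs: the LDAP search filter decides which entries come back at all, and the "map passwd" lines decide which attribute fills each passwd field. The Python below models both steps and is an added example for this thread, not nslcd's code and not code from any poster. The directory entries are constructed to resemble the accounts in the logs above, plus a computer object and one user that has been given uidNumber and unixHomeDirectory; none of them was exported from a real DC. The filter evaluator covers the RFC 4515 subset the thread uses (and, or, not, equality, presence), and the passwd assembly is a simplified model in which uid, uidNumber and gidNumber are required and the other fields get defaults.

```python
"""Model of nslcd's passwd filter and attribute map over AD entries (added
example for the thread, not nslcd's own code)."""

def _user(cn, **extra):
    entry = {"dn": "CN=%s,CN=Users,DC=acasta,DC=intra" % cn,
             "objectClass": ["top", "person", "organizationalPerson", "user"],
             "sAMAccountName": [cn], "displayName": [cn],
             "primaryGroupID": ["513"]}
    entry.update(extra)
    return entry

# Constructed entries modelled on the thread's logs, plus the DC's computer
# object and one user given RFC 2307 attributes; not exported from a real DC.
ENTRIES = [
    _user("Administrator"), _user("nslcd-connect"), _user("krbtgt"),
    _user("Guest"),
    _user("rob", displayName=["Rob Mason"], uidNumber=["10001"],
          gidNumber=["10000"], unixHomeDirectory=["/home/rob"],
          loginShell=["/bin/bash"]),
    {"dn": "CN=KEPLER,OU=Domain Controllers,DC=acasta,DC=intra",
     "objectClass": ["top", "person", "organizationalPerson", "user",
                     "computer"],  # a computer object is also objectClass user
     "sAMAccountName": ["KEPLER$"], "primaryGroupID": ["516"],
     "uidNumber": ["10100"], "unixHomeDirectory": ["/nonexistent"]},
]

# The two "filter passwd" values and the "map passwd" lines from the thread.
ORIGINAL_FILTER = "(objectClass=user)"
RECOMMENDED_FILTER = ("(&(objectClass=user)(!(objectClass=computer))"
                      "(uidNumber=*)(unixHomeDirectory=*))")
PASSWD_MAP = {"uid": "sAMAccountName", "homeDirectory": "unixHomeDirectory",
              "gecos": "displayName", "gidNumber": "primaryGroupID",
              "uidNumber": "uidNumber"}

def parse_filter(text):
    """Parse an RFC 4515 filter into ("&", [..]), ("|", [..]), ("!", node) or
    ("=", attr, value); value "*" is a presence test (no substring support)."""
    pos = 0
    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            items = []
            while text[pos] == "(":
                items.append(parse())
            node = (op, items)
        elif op == "!":
            pos += 1
            node = ("!", parse())
        else:
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")
            node, pos = ("=", attr, value), end
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return node
    return parse()

def lookup(entry, attr):
    """Values of an attribute; LDAP attribute names are case-insensitive."""
    return next((v for k, v in entry.items()
                 if k != "dn" and k.lower() == attr.lower()), [])

def matches(node, entry):
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = lookup(entry, attr)
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def passwd_entries(entries, filter_text, attr_map=PASSWD_MAP):
    """Return (passwd_lines, rejected); rejected maps DN -> reason. Simplified
    nslcd model: uid, uidNumber and gidNumber are required after filtering."""
    node = parse_filter(filter_text)
    lines, rejected = [], {}
    for entry in entries:
        if not matches(node, entry):
            rejected[entry["dn"]] = "excluded by filter"
            continue
        f = {a: (lookup(entry, attr_map.get(a, a)) or [None])[0]
             for a in ("uid", "uidNumber", "gidNumber", "gecos",
                       "homeDirectory", "loginShell")}
        missing = [k for k in ("uid", "uidNumber", "gidNumber") if f[k] is None]
        if missing:
            rejected[entry["dn"]] = "%s: missing" % ", ".join(missing)
            continue
        lines.append(":".join([f["uid"], "*", f["uidNumber"], f["gidNumber"],
                               f["gecos"] or "", f["homeDirectory"] or "/",
                               f["loginShell"] or "/bin/sh"]))
    return lines, rejected
```

With the original (objectClass=user) filter the four built-in accounts come back from the search and are then rejected with "uidNumber: missing", exactly as in the log earlier in the thread; with the recommended filter they never come back, so the result count is 0 until somebody assigns the attributes. Two details worth noticing: the gidNumber field of the one populated user is 513 (Domain Users), not its gidNumber attribute, because the posted map says "map passwd gidNumber primaryGroupID"; and the domain controller's computer account is excluded by the recommended filter even though it carries a uidNumber, which is what the (!(objectClass=computer)) clause is for.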

Rowland Penny
Nov 19, 2014, 1:40:02 PM
I wish; no, you have to add them yourself, either via a script or with ADUC.

I don't think that you are going to get much further until you add them.

I would suggest that you peruse the Samba wiki and Steve's blog:
http://linuxcostablanca.blogspot.co.uk/p/samba-4.html

Rob Mason
Nov 19, 2014, 1:40:03 PM
Thanks Rowland - the light is starting to glow!



Rob Mason
Nov 19, 2014, 1:40:03 PM
Thanks John - I'll investigate that.
