[jcifs] SMB URL and Active Directory.

Christopher R. Hertel crh at ubiqx.mn.org
Thu Dec 19 04:43:21 EST 2002

On Wed, Dec 18, 2002 at 08:24:50AM +0100, Frode E. Moe wrote:
> On Tue, Dec 17, 2002 at 05:16:26PM -0600, Christopher R. Hertel wrote:
> > 1) The ldapsearch tool returns an error if I aim it at an AD server:
> >    ldap_sasl_interactive_bind_s: Unknown authentication method
> >    The web browsers I've tried (those few that support LDAP) don't seem to 
> >    be able to connect either.
> > 
> If you use the ldapsearch tool from OpenLDAP (for example from the OpenLDAP 
> "ldap-utils" debian package, which is the one I use), you must be sure to 
> specify the '-x' commandline option to enable "simple authentication",
> otherwise you'll get that error. You'll probably also want "-w password" 
> or "-W" (for a password prompt).
> I use something like this:
> (for host "ADserver.fully.qualified")
> ldapsearch -h ADserver -x -D cn=Administrator,cn=Users,dc=ADserver,dc=fully,dc=qualified -W -b dc=ADserver,dc=fully,dc=qualified
> This should prompt you for the administrator password and dump a whole lot of
> AD/LDAP data. If the user name is invalid (for example if you forget the
> "cn=Users" part) you might not get an error message but a very short data
> dump. (as if you'd connect anonymously)
> Hope this helps!

It does.  Thanks!

Is there a way to specify anonymous connections?  What information can I 
get back from an anonymous query?

What I'm trying to figure out (and not being familiar enough with LDAP
doesn't help much) is how much sense it makes to support additional
overloading of the SMB URL.  The URL already supports the SMB Server
Service over two transports (NBT and naked TCP).  It also supports the NBT
Browse Service, and it works with two different kinds of names (NetBIOS
and DNS) plus two different kinds of IP addresses (IPv4 and IPv6).

That's a big bunch already.  There have been folks who have insisted that
the URL should also support the sending of LDAP queries to find the list
of servers in a W2K Domain.  I have not seen anyone implement that yet,

In a browser, I can imagine the browser code converting an SMB URL into an
LDAP URL and passing it directly to the LDAP support subsystem.  That
would make the most sense, I think, since the code is already there.  I
imagine, also, that there could be a meaningful interpretation of the URL 
"smb://" in an Active Directory context.  I just don't know what that 
would be, though.

So I'm looking for clues to all of this to see if it's really worth-while.
I would prefer that the SMB URL not be overloaded again, just to handle a
protocol that has its own URL.  I'm perfectly happy to be convinced
otherwise, however.

Thanks again!

Chris -)-----

Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
