DC demote

Vaclav Klecanda vencax77 at gmail.com
Fri Jan 7 02:48:02 MST 2011


All right,
I have gone further. Now I am able to successfully bind. No more actions had
to be performed.
What has changed is that I moved into a school that I have already set up
samba4 domain even with the network stuff (DNS, ...) setup. I try what I
have tried originally and voila ... successfully bound ...
This makes me think that it is necessary to use DNS names. Maybe this is
obvious but I had not known it.
Thanks to all of you for the help.
vasek

2011/1/5 Michael Wood <esiotrot at gmail.com>

> Sorry, my previous message was meant to go to the list, so I'm sending
> this one there.
>
> On 5 January 2011 20:36, Vaclav Klecanda <vencax77 at gmail.com> wrote:
> > Hi Michael,
>
> > thanks for pointing me to right direction. It was really lack of the
> > libraries installed. Now it gives me invalid credentials error:
>
> > ldapsearch -Y gssapi -h 10.0.1.4 -b CN=Users,DC=kkkk,DC=cz sAMAccountName
> > -vvv
> > ldap_initialize( ldap://10.0.1.4 )
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
> > which is quite strange since I am already authenticated with kinit ... ?
> > (klist -e showed me I have a ticket from kerberos).
>
> Yes, that is strange.  I must admit to not having tried it with a very
> recent version of Samba, but I don't see why it should not work.
>
> > Or is there something else to perform?
>
> No, I don't think anything else should be needed.  As long as the
> Kerberos server you got the ticket from is the same installation of
> Samba 4 as the LDAP server you are talking to (or another DC in the
> same AD/domain/whatever) then it should work.
>
> Does it make a difference if you try kinit Administrator instead of a
> normal user?  (Although it works for me as a normal user too.)
>
> > Sorry for maybe silly bothering.
>
> No problem :)
>
> > 2011/1/5 Michael Wood <esiotrot at gmail.com>
> >>
> >> On 4 January 2011 21:01, Vaclav Klecanda <vencax77 at gmail.com> wrote:
> >> > Sorry I forgot:
> >>
> >> > I use an older version (alpha12) that I was able to list content with
> >> > anonymous bind. Now when I tested with current version this seems to
> be
> >> > impossible. So this is ok now.
> >>
> >> > Concerning the "I use port 389": I meant that I normally start the
> >> > samba4
> >> > binary which also starts the built-in ldap server (on default 389
> >> > server).
> >> > Nothing special except the fact I am not able to bind it. So I still
> >> > search for
> >> > a working solution how to do it.
> >>
> >> I think it would be best to verify that it works with ldapsearch first.
> >>
> >> Try something like this:
> >>
> >> $ kinit vena
> >> $ ldapsearch -Y gssapi -h 10.0.1.4 -b CN=Users,DC=mydomain,DC=cz
> >> sAMAccountName
> >>
> >> If you also get an error about the SASL mechanism not being found,
> >> make sure you have the necessary package.  On Ubuntu/Debian it is
> >> called libsasl2-modules-gssapi-heimdal (or
> >> libsasl2-modules-gssapi-mit).
>
> --
> Michael Wood <esiotrot at gmail.com>
>
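As an added example (not code from this thread or from Samba), a small sh pre-flight wrapper around the kinit/ldapsearch bind shown above: it refuses IP literals, because the KDC only issues tickets for ldap/<fqdn>@REALM service principals, which is the DNS-name requirement Vaclav ran into. The host names and realm in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Kerberos matches the LDAP server by
# its service principal ldap/<fqdn>@REALM, so pointing ldapsearch at an
# IP address yields "Invalid credentials (49)" even with a valid TGT.

# Return 0 if $1 is an IP literal (dotted quad or anything with ':'), 1 otherwise.
is_ip_literal() {
    case "$1" in
        *:*)       return 0 ;;          # IPv6 literal
        *[!0-9.]*) return 1 ;;          # contains something other than digits/dots
        *.*.*.*)   return 0 ;;          # dotted quad
        *)         return 1 ;;
    esac
}

# Print the LDAP URI a GSSAPI bind can work against, or fail with a reason.
gssapi_ldap_uri() {
    host="$1"
    if is_ip_literal "$host"; then
        echo "refusing IP literal $host: the KDC has no ldap/$host principal" >&2
        return 1
    fi
    case "$host" in
        *.*) printf 'ldap://%s\n' "$host" ;;
        *)   echo "use the DC's fully qualified DNS name, not '$host'" >&2; return 1 ;;
    esac
}

# The service principal the KDC must know for the bind to succeed.
expected_spn() {
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# Obtain a TGT for user $2, then bind to DC $1 by name and search base $3.
# e.g.: run_search dc1.example.test vena CN=Users,DC=example,DC=test
run_search() {
    uri=$(gssapi_ldap_uri "$1") || return 1
    kinit "$2" && ldapsearch -Y GSSAPI -H "$uri" -b "$3" sAMAccountName
}
```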


More information about the samba-technical mailing list