samba with openldap provisioning

Andrew Bartlett abartlet at samba.org
Wed Aug 28 00:12:27 MDT 2013


On Sun, 2013-08-25 at 20:59 +0300, Nadezhda Ivanova wrote:
> Hi Andrew,
> I need some more advice - it appears that provisioning fails because we
> cannot do a sasl bind, here is what appears in the log:
> .
> .
> .
> 
> 
> Successfully loaded vfs module [acl_xattr] with the new modules system
> Initialising custom vfs hooks from [dfs_samba4]
> Successfully loaded vfs module [dfs_samba4] with the new modules system
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> 'force unknown acl user = true' for service Unknown Service (snum == -1)
> config file testing succeeded
> lpcfg_servicenumber: couldn't find ldb
> Failed to inquire of target's available sasl mechs in rootdse search:
> NT_STATUS_UNEXPECTED_NETWORK_ERROR
> Failed to bind - LDAP client internal error:
> NT_STATUS_UNEXPECTED_NETWORK_ERROR
> Failed to connect to
> 'ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi' with backend
> 'ldapi': (null)
> lpcfg_servicenumber: couldn't find ldb
> Failed to inquire of target's available sasl mechs in rootdse search:
> NT_STATUS_UNEXPECTED_NETWORK_ERROR
> Failed to bind - LDAP client internal error:
> NT_STATUS_UNEXPECTED_NETWORK_ERROR
> Failed to connect to
> 'ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi' with backend
> 'ldapi': (null)
> lpcfg_servicenumber: couldn't find ldb
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Starting GENSEC mechanism ntlmssp
> Got challenge flags:
> Got NTLMSSP neg_flags=0x00028205
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> 
> Server did not provide 'target information', required for NTLMv2
> 
> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to
> 'ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi' with backend
> 'ldapi': (null)

So, I think we have found the root cause of your issues here.  It seems
at some point (by your later digging, between alpha13 and alpha14) our
NTLMv2 code got much stricter, and so won't talk to the Cyrus SASL NTLM
mech being used by OpenLDAP any more. 

There are other approaches that might work here.  We do build with
cyrus-sasl, so as to have digest-md5 support.  If (and that's a big if)
that was to work, we wouldn't need to use NTLM, which sucks generally...

So, where to go from here:

  You could turn off NTLMv2 - 'client ntlmv2 auth = no' should do it.

This is almost certainly the change that happened between the two
versions that last worked and didn't.  It's also clear that I need to
give you a much more hands-on hand to get started.  Can you prepare a
scratch git branch with whatever changes you have so far, and
instructions so I can reproduce your environment?  Perhaps I can get you
a bit more of a jump-start?

I'm sorry this is so infuriating.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
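To make the challenge flags quoted above easier to read, here is a small decoder added to this archive page; it is not code from the thread, from Samba or from OpenLDAP. It pulls the `neg_flags` value out of log text shaped like the quoted lines, names the bits using the NegotiateFlags table from MS-NLMP (so the names are the specification's, which differ slightly from the subset Samba's debug output prints), and reports whether `NTLMSSP_NEGOTIATE_TARGET_INFO` is set, the bit whose absence the log reports as "Server did not provide 'target information', required for NTLMv2". The sample log is a constructed copy of the quoted lines; the function names are this example's own.

```python
import re

# NTLMSSP NegotiateFlags bit values as published in MS-NLMP section 2.2.2.5.
# Names follow the specification; Samba's debug output prints only a subset
# and uses NTLMSSP_NEGOTIATE_NTLM2 for 0x00080000.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000

# Constructed sample: a copy of the challenge lines quoted in the thread above.
SAMPLE_LOG = """\
Starting GENSEC mechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x00028205
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
Server did not provide 'target information', required for NTLMv2
"""


def parse_neg_flags(log_text):
    """Return the integer value from the first 'neg_flags=0x...' line."""
    match = re.search(r"neg_flags=0x([0-9A-Fa-f]+)", log_text)
    if match is None:
        raise ValueError("no neg_flags line found in log text")
    return int(match.group(1), 16)


def decode_flags(value):
    """Split a NegotiateFlags value into (known flag names, leftover bits).

    Names come out in ascending bit order; leftover bits are reserved or
    unknown bits that the table above does not name.
    """
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    known = sum(bit for bit in NTLMSSP_FLAGS if value & bit)
    return names, value & ~known


def assess_challenge(value):
    """Summarise what a CHALLENGE_MESSAGE's flags mean for an NTLMv2 client.

    NTLMv2 computes its response over the server's TargetInfo (AV_PAIR) block.
    A challenge without NTLMSSP_NEGOTIATE_TARGET_INFO carries no such block,
    which is the condition the quoted Samba log reports before giving up.
    """
    names, unknown = decode_flags(value)
    has_target_info = bool(value & NTLMSSP_NEGOTIATE_TARGET_INFO)
    return {
        "flags": names,
        "unknown_bits": unknown,
        "has_target_info": has_target_info,
        # A client that insists on NTLMv2 (as the stricter Samba code does)
        # cannot proceed without target information.
        "acceptable_to_strict_ntlmv2_client": has_target_info,
    }


def assess_log(log_text):
    """Convenience wrapper: parse the flags out of log text and assess them."""
    return assess_challenge(parse_neg_flags(log_text))


if __name__ == "__main__":
    value = parse_neg_flags(SAMPLE_LOG)
    report = assess_log(SAMPLE_LOG)
    print(f"neg_flags=0x{value:08x}")
    for name in report["flags"]:
        print("  " + name)
    print("target info present:", report["has_target_info"])
```

Decoding the quoted value this way shows that the server set `NTLMSSP_TARGET_TYPE_SERVER` (which Samba's debug printer does not list) but not `NTLMSSP_NEGOTIATE_TARGET_INFO`, so the failure is a property of the challenge the SASL NTLM mech produces rather than of the transport; that is the distinction that makes the client-side NTLMv2 setting mentioned in the reply the relevant knob.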