ldap simple bind problem after upgrade from 4.14 to 4.15
Andrew Bartlett
abartlet at samba.org
Fri May 20 22:38:11 UTC 2022
On Fri, 2022-05-20 at 11:12 +0200, Dr. Hansjörg Maurer via samba-technical wrote:
> Hi
>
> we upgraded a 4.14.12 AD-DC to 4.15.7 and after the upgrade all LDAP
> searches with simple bind failed with
>
> A command-line ldap search (working before, user and domain information
> replaced) shows
> ldapsearch -x -D "CN=user,CN=Users,DC=xxx,DC=yyy,DC=de" -W -H
> ldap://192.168.0.1:389 -b "CN=Users,DC=xxx,DC=yyy,DC=de" -s sub 'uid=ccc'
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> additional info: 80090308: LdapErr: DSID-0C0903A9, comment:
> AcceptSecurityContext error, data 531, v1db1
>
>
>
> During the bind Samba logs (user and domain information replaced as above)
>
>
> {"timestamp": "2022-05-20T08:38:09.967130+0200", "type":
> "Authentication", "Authentication": {"version": {"major": 1, "minor":
> 2}, "eventId": 4625, "logonId": "0", "logonType": 8, "status":
> "NT_STATUS_INVALID_WORKSTATION", "localAddress": "ipv4:192.168.0.1:389",
> "remoteAddress": "ipv4:192.168.0.10:56620", "serviceDescription":
> "LDAP", "authDescription": "simple bind", "clientDomain": "DOM",
> "clientAccount": "CN=user,CN=Users,DC=xxx,DC=yyy,DC=de", "workstation":
> "DC01", "becameAccount": null, "becameDomain": null, "becameSid": null,
> "mappedAccount": "user", "mappedDomain": "DOM", "netlogonComputer":
> null, "netlogonTrustAccount": null, "netlogonNegotiateFlags":
> "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid":
> null, "passwordType": "Plaintext", "duration": 2301}}
> [2022/05/20 08:38:09.969011, 3]
> The domain above is a rather old one, migrated from a Samba NT DC with
> OpenLDAP backend many years ago
>
> I tried to set up a fresh 4.14 AD-DC test system, migrated it to 4.15 and
> the problem does not occur.
>
> What does the
> NT_STATUS_INVALID_WORKSTATION mean and could the problem be DNS related?
Do you have a list of workstations set in userWorkstations on this user?
For this version we fixed a bug with a crash in simple binds going to
winbind (RODC) and filled in a "workstation" for LDAP binds, which may
have meant this policy started to be enforced.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
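As an added example (not part of the thread and not Samba's own code), the following Python script reads Samba JSON "Authentication" audit lines like the one quoted above, picks out simple-bind failures whose status is NT_STATUS_INVALID_WORKSTATION, and checks each rejected account's userWorkstations value against the workstation name the DC recorded in the log, following the hypothesis in the reply that a populated userWorkstations list is now enforced for LDAP binds. The directory data is a constructed dictionary standing in for an ldbsearch or ldapsearch query of the attribute; the comma-separated NetBIOS-name format of userWorkstations and case-insensitive matching are assumptions about the attribute's semantics, and the log lines are constructed in the shape of the quoted record, not copied from the post.

```python
import json

# Constructed sample lines in the shape of Samba's JSON "Authentication" audit
# records (field layout follows the record quoted in the thread; values are made up).
SAMPLE_LOG = """
{"timestamp": "2022-05-20T08:38:09.967130+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 8, "status": "NT_STATUS_INVALID_WORKSTATION", "localAddress": "ipv4:192.168.0.1:389", "remoteAddress": "ipv4:192.168.0.10:56620", "serviceDescription": "LDAP", "authDescription": "simple bind", "clientAccount": "CN=user,CN=Users,DC=xxx,DC=yyy,DC=de", "workstation": "DC01", "mappedAccount": "user", "mappedDomain": "DOM", "passwordType": "Plaintext", "duration": 2301}}
{"timestamp": "2022-05-20T08:39:01.000000+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 8, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.0.1:389", "remoteAddress": "ipv4:192.168.0.11:40000", "serviceDescription": "LDAP", "authDescription": "simple bind", "clientAccount": "CN=other,CN=Users,DC=xxx,DC=yyy,DC=de", "workstation": "DC01", "mappedAccount": "other", "mappedDomain": "DOM", "passwordType": "Plaintext", "duration": 1200}}
[2022/05/20 08:38:09.969011, 3] plain debug line that is not JSON
"""

# Constructed directory data standing in for an ldbsearch/ldapsearch query of
# userWorkstations on each account (None = attribute not set).
SAMPLE_USERWORKSTATIONS = {"user": "PC-USER01,PC-USER02", "other": None}


def parse_auth_records(text):
    """Return the Authentication records in a Samba log, skipping non-JSON lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # ordinary debug lines such as "[2022/05/20 ..., 3]" are not JSON
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("type") == "Authentication":
            records.append(entry["Authentication"])
    return records


def find_workstation_rejections(records):
    """Simple binds the DC refused with NT_STATUS_INVALID_WORKSTATION."""
    return [
        {
            "account": r.get("mappedAccount"),
            "workstation": r.get("workstation"),
            "remote": r.get("remoteAddress"),
        }
        for r in records
        if r.get("status") == "NT_STATUS_INVALID_WORKSTATION"
        and r.get("authDescription") == "simple bind"
    ]


def userworkstations_allows(attr_value, workstation):
    """Model of the AD userWorkstations policy (assumption: a comma-separated
    list of NetBIOS names, matched case-insensitively; empty/unset means the
    account may log on from any workstation)."""
    if not attr_value:
        return True
    allowed = {name.strip().upper() for name in attr_value.split(",") if name.strip()}
    return (workstation or "").upper() in allowed


def explain_rejections(log_text, userworkstations_by_account):
    """For each rejected bind, report whether the workstation the DC recorded
    falls outside the account's userWorkstations list (the suspected cause)."""
    findings = []
    for rej in find_workstation_rejections(parse_auth_records(log_text)):
        attr = userworkstations_by_account.get(rej["account"])
        findings.append({
            **rej,
            "userWorkstations": attr,
            "blocked_by_policy": not userworkstations_allows(attr, rej["workstation"]),
        })
    return findings


if __name__ == "__main__":
    for finding in explain_rejections(SAMPLE_LOG, SAMPLE_USERWORKSTATIONS):
        print(finding)
```

Run against a real log, the script points at exactly the accounts whose userWorkstations list does not contain the name the DC now fills in for LDAP binds (DC01 in the quoted record), which is the first thing to verify before touching the attribute or the DC configuration.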