How to test samba LDAP parameters with openldap tools, eg ldapsearch?
Rowland Penny
rpenny at samba.org
Wed Apr 12 10:08:22 UTC 2023
On 12/04/2023 10:58, Jan Andersen via samba-technical wrote:
> I have an OpenLDAP service running on a Debian 11 system, and Samba 4.13
> on another Debian 11. In smb.conf I have set up the following:
>
> # LDAP Settings
> passdb backend = ldapsam:ldap://vogon.zombie.io
> ldap suffix = dc=zombie,dc=io
> ldap user suffix = ou=people
> ldap group suffix = ou=groups
> ldap machine suffix = ou=computers
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=admin,dc=zombie,dc=io
> ldap ssl = start tls
> ldap passwd sync = yes
>
> I have some trouble understanding why this doesn't appear to work, and I
> would like to try to understand how these parameters map to the
> parameters of, say, ldapsearch, so I can see if the problem lies there.
>
> I have run smbd with max debugging, and as far as I can see, it
> successfully makes contact with the LDAP server, but then doesn't find
> the user I'm trying to log in with. However, when I do a search with
> ldapsearch, like this:
>
> ldapsearch -v -b "dc=zombie,dc=io" -H ldaps://vogon.zombie.io -D "cn=admin,dc=zombie,dc=io" -W
>
> - I find the user in the output. So, my question is, which ldapsearch
> command would be equivalent to what smbd is doing?
>
It will probably help if you can supply logs showing Samba failing.
Also showing us your complete smb.conf will help.
Do you have 'server min protocol = NT1' set in your smb.conf?
Are you also aware that Samba is actively working on removing SMBv1
(which a PDC requires) and that several of the attributes required are
now turned off by default?
See here:
https://wiki.samba.org/index.php/Samba_4.13_Features_added/changed#smb.conf_changes
Rowland
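
The mapping asked about in the quoted question, as an added example that is not part of either message and is not Samba's own code: it reads the ldapsam settings quoted above and prints an ldapsearch command line with the same URI, bind DN, StartTLS behaviour and search base. It assumes ldapsam looks a user up with a subtree search under `ldap suffix` using the filter `(&(uid=USER)(objectclass=sambaSamAccount))`; the user name `someuser` and the helper function names are constructed.

```shell
#!/bin/sh
# Added example: turn the ldapsam settings from smb.conf into an ldapsearch call.
# SAMPLE_CONF holds settings copied from the post; the user name is constructed.
SAMPLE_CONF='
passdb backend = ldapsam:ldap://vogon.zombie.io
ldap suffix = dc=zombie,dc=io
ldap user suffix = ou=people
ldap admin dn = cn=admin,dc=zombie,dc=io
ldap ssl = start tls
'

# Print the value of smb.conf parameter $2 found in the text $1.
conf_get() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" |
        head -n 1
}

# Escape LDAP filter metacharacters (RFC 4515) in a value: \ * ( )
ldap_escape() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Print an ldapsearch command that looks up user $2 using the settings in $1.
ldapsam_to_ldapsearch() {
    backend=$(conf_get "$1" "passdb backend")
    case $backend in
        ldapsam:*) uri=${backend#ldapsam:} ;;
        *) echo "passdb backend is not ldapsam" >&2; return 1 ;;
    esac
    suffix=$(conf_get "$1" "ldap suffix")
    admin=$(conf_get "$1" "ldap admin dn")
    # "start tls" = connect to the ldap:// URI, then upgrade with StartTLS.
    # -ZZ makes ldapsearch abort rather than continue unencrypted.
    tls=""
    if [ "$(conf_get "$1" "ldap ssl")" = "start tls" ]; then tls=" -ZZ"; fi
    # Assumed filter: the Samba account lookup by uid and objectclass.
    filter="(&(uid=$(ldap_escape "$2"))(objectclass=sambaSamAccount))"
    printf "ldapsearch -x%s -H '%s' -D '%s' -W -b '%s' -s sub '%s'\n" \
        "$tls" "$uri" "$admin" "$suffix" "$filter"
}

ldapsam_to_ldapsearch "$SAMPLE_CONF" "someuser"
```

The command in the quoted question connects to `ldaps://`, which is TLS from the first byte on a separate listener, so it does not exercise the StartTLS upgrade on `ldap://` that `ldap ssl = start tls` configures.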