[Samba] ldapsearch with samba4 (now a question about SASL and ldaps

Andrew Dumaresq dumaresq at gmail.com
Sun Apr 24 16:25:00 MDT 2011



On 4/23/2011 2:34 PM, Andrew Dumaresq wrote:
> Hi,
>
> I've got ldapsearch mostly working:
>
> root at morannon:/usr/local/samba/private/tls# ldapsearch 
> '(sAMAccountName=dumaresq)'
> SASL/GSSAPI authentication started
> SASL username: administrator at XXX
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <> (default) with scope subtree
> # filter: (sAMAccountName=dumaresq)
> # requesting: ALL
> #
>
> results in here...
>
>
> # search result
> search: 5
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> I cannot get ldapsearch -Z  or ldaps working:
>
> ldapsearch '(sAMAccountName=dumaresq)' -Z
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
>         additional info: SASL:[GSSAPI]: Sign or Seal are not allowed 
> if TLS is used
>
>
> Here is what I get in samba.log when I do did that command:
>
> [2011/04/23 14:29:56,  3] 
> ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2011/04/23 14:29:56,  3] 
> ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2011/04/23 14:29:56,  3] 
> ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
>   ldb_wrap open of secrets.ldb
> [2011/04/23 14:29:56,  3] 
> ../source4/smbd/service_stream.c:62(stream_terminate_connection)
>   Terminating connection - 'ldapsrv_call_loop: 
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> [2011/04/23 14:29:56,  3] 
> ../source4/smbd/process_single.c:104(single_terminate)
>   single_terminate: reason[ldapsrv_call_loop: 
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>
>
> I'm not sure where to go from here.  I've tried several different 
> options in /etc/ldap/ldap.conf and I always get that error, unless I 
> comment out #TLS_REQCERT allow
> then I get:
>
> ldapsearch '(sAMAccountName=dumaresq)' -Z
> ldap_start_tls: Connect error (-11)
>         additional info: (unknown error code)
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1
>         additional info: (unknown error code)
>
>

Update...

I did get ldaps and -Z working, but I can't do it with SASL. I can't 
find docs that say, but is it possible that SASL (GSSAPI) and ldaps are 
not compatible?


ldapsearch -H ldaps://ldapserver.domain -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
         additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if 
TLS is used

dumaresq at morannon:~$ ldapsearch -H ldaps://ldapserver.domain -D 
'CN=Administrator,CN=Users,DC=dumaresq,DC=local' -w AdminsPassword 
'(sAMAccountName=dumaresq)'
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (sAMAccountName=dumaresq)
# requesting: ALL
#

(response in here)

# numResponses: 2
# numEntries: 1

So the question is: are SASL and ldaps not compatible, and if that is the 
case, which is better?  I like GSSAPI because I don't need to store 
passwords on the system, but I'm not clear on how encrypted the data 
being transmitted is.  I did a packet capture and I do see some data 
that doesn't look like clear text, but that's all I know for sure :)

Comments, suggestions?
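The two invocations above differ in which layer protects the data: the plain ldap:// bind negotiates a GSSAPI sign/seal layer (the "SASL SSF: 56" and "data security layer installed" lines), while the ldaps:// bind leaves that to TLS, and asking for both is what the server refuses with result 53. As an added illustration, not code from the post or from the Samba project, the script below chooses OpenLDAP ldapsearch options (-Y, -O, -x, which are real flags) so that only one layer is requested, and classifies the diagnostic lines ldapsearch prints; the helper names and the minssf value of 56 (taken from the SSF the post reports) are assumptions.

```shell
#!/bin/sh
# Added example: pick ldapsearch options so GSSAPI and TLS do not both try to
# supply the data security layer, and report which layer is in use.
# ldap_sasl_opts and ldap_layer are hypothetical helper names.

# Print extra ldapsearch options for URI ($1), mechanism ($2: GSSAPI or simple)
# and "starttls" or "" ($3, whether -Z will be passed).
ldap_sasl_opts() {
    uri=$1 mech=$2 starttls=$3
    tls=no
    case $uri in ldaps://*) tls=yes ;; esac
    [ "$starttls" = starttls ] && tls=yes
    if [ "$mech" = GSSAPI ]; then
        if [ "$tls" = yes ]; then
            # TLS already encrypts: cap the SASL SSF at 0 so no sign/seal layer
            # is negotiated and the server does not return result 53
            echo '-Y GSSAPI -O maxssf=0'
        else
            # No TLS: require a SASL security layer at least as strong as the
            # SSF observed in the post, so a plaintext session is refused
            echo '-Y GSSAPI -O minssf=56'
        fi
    else
        # Simple bind sends the password itself; allow it only under TLS
        [ "$tls" = yes ] || return 1
        echo '-x'
    fi
}

# Read ldapsearch diagnostics on stdin; $1 is yes/no for TLS in use.
# Prints "sasl <ssf>", "tls" or "none".
ldap_layer() {
    tls=$1 ssf= layer=no
    while IFS= read -r line; do
        case $line in
            "SASL SSF: "*) ssf=${line#SASL SSF: } ;;
            "SASL data security layer installed.") layer=yes ;;
        esac
    done
    if [ "$layer" = yes ] && [ -n "$ssf" ]; then
        echo "sasl $ssf"
    elif [ "$tls" = yes ]; then
        echo tls
    else
        echo none
    fi
}
```

Run the bind with `ldapsearch -H "$uri" $(ldap_sasl_opts "$uri" GSSAPI) ...` and pipe its stderr into `ldap_layer` to confirm that exactly one protection layer was established.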

