[Samba] login via Samba 4 LDAP

Gémes Géza geza at kzsdabas.hu
Wed Dec 28 12:44:08 MST 2011


2011-12-28 20:27 keltezéssel, steve írta:
> Hi
>
> I've rfc2703'd the Samba 4 LDAP for a user e.g. steve4. I can search
> the database and view it with phpldapadmin. I can't log in from a Linux
> console:
>
> ldapsearch -LLL "(cn=steve4)"
>
> SASL/GSSAPI authentication started
> SASL username: steve4 at HH3.SITE
> SASL SSF: 56
> SASL data security layer installed.
> dn: CN=steve4,CN=Users,DC=hh3,DC=site
> cn: steve4
> instanceType: 4
> whenCreated: 20111228090516.0Z
> uSNCreated: 3796
> name: steve4
> objectGUID:: SmOVmHoGLEKtIAG387qdKg==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAb3HIjuGOMdR6frbzWQQAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: steve4
> sAMAccountType: 805306368
> userPrincipalName: steve4 at hh3.site
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
> pwdLastSet: 129695367160000000
> userAccountControl: 512
> gidNumber: 100
> unixHomeDirectory: /home/CACTUS/steve4
> loginShell: /bin/bash
> objectClass: top
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: organizationalPerson
> objectClass: user
> uidNumber: 3000019
> uid: steve4
> whenChanged: 20111228160534.0Z
> uSNChanged: 3815
> distinguishedName: CN=steve4,CN=Users,DC=hh3,DC=site
>
> # refldap://hh3.site/CN=Configuration,DC=hh3,DC=site
>
> # refldap://hh3.site/DC=DomainDnsZones,DC=hh3,DC=site
>
> # refldap://hh3.site/DC=ForestDnsZones,DC=hh3,DC=site
>
>
> But when I try to login from an openSUSE box:
>
>  su steve4
> su: user steve4 does not exist
>
> and the logs give:
> Dec 28 20:20:04 hh3 worker_nscd: nss-ldap: do_open: do_start_tls
> failed:stat=-1
> Dec 28 20:20:04 hh3 worker_nscd: nss-ldap: do_open: do_start_tls
> failed:stat=-1
> Dec 28 20:20:04 hh3 worker_nscd: nss_ldap: could not search LDAP
> server - Server is unavailable
>
> I have tried with and without tls using the ca.pem and cert.pem
> provisioned in /usr/local/samba/private/tls (it seems that the
> certificates CN does not match the FQDN of the server).
>
> Samba gives me:
> ldb_wrap open of secrets.ldb
> Terminating connection - 'ldapsrv_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[ldapsrv_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>
> etc/nsswitch.conf
>
> passwd:    compat
> group:    files ldap
> hosts:    files mdns4_minimal [NOTFOUND=return] dns
> passwd_compat:    ldap
>
> Anyone been this way before?
> Thanks Steve.
You should create a user in AD for nss-ldap and extract a keytab for it
(samba-tool domain exportkeytab --principal=....) and configure nss-ldap
to use that keytab for authenticating. Most probably you aren't allowed
to bind anonymously to your AD server (you can try with ldapsearch -x).

Regards

Geza
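The procedure Geza outlines, written out as an added example (not part of the thread and not Samba's own tooling): a dedicated AD account, a keytab exported with samba-tool, a GSSAPI bind test, and the matching nss-ldap settings. The realm HH3.SITE and base DC=hh3,DC=site come from Steve's output; the account name nss-ldap, the keytab and cache paths, the MIT kinit syntax and the PADL nss_ldap ldap.conf(5) directive names are assumptions.

```shell
# Constructed values for this example (realm and base taken from the thread).
REALM="HH3.SITE"
BASE="DC=hh3,DC=site"
SVC_ACCOUNT="nss-ldap"
KEYTAB="/etc/nss-ldap.keytab"
CCACHE="/var/run/nss_ldap.cc"

# Kerberos principal of a plain AD user account: sAMAccountName@REALM.
principal_for() {   # $1 = account, $2 = realm
    printf '%s@%s\n' "$1" "$2"
}

# Step 0: reproduce the diagnosis. Samba AD refuses anonymous searches below
# the rootDSE, so nss-ldap cannot resolve users without credentials.
check_anonymous_bind() {
    ldapsearch -x -LLL -H "ldap://$REALM" -b "$BASE" -s base '(objectClass=*)' dn >/dev/null 2>&1
}

# Step 1 (on the DC, as root): least-privilege service account plus keytab.
create_service_keytab() {
    samba-tool user create "$SVC_ACCOUNT" --random-password
    samba-tool user setexpiry "$SVC_ACCOUNT" --noexpiry
    samba-tool domain exportkeytab "$KEYTAB" \
        --principal="$(principal_for "$SVC_ACCOUNT" "$REALM")"
    chmod 600 "$KEYTAB"    # long-term secret: readable by root only
}

# Step 2: prove the keytab works before touching nss-ldap (MIT kinit assumed).
verify_keytab() {
    KRB5CCNAME="FILE:$CCACHE" kinit -k -t "$KEYTAB" \
        "$(principal_for "$SVC_ACCOUNT" "$REALM")" &&
    KRB5CCNAME="FILE:$CCACHE" ldapsearch -LLL -Y GSSAPI -H "ldap://$REALM" \
        -b "$BASE" '(uid=steve4)' uidNumber
}

# Step 3: nss-ldap settings. GSSAPI signs and seals the session itself, so
# start_tls is left off; that removes the do_start_tls failure from the logs.
nss_ldap_conf() {
    cat <<EOF
uri ldap://$REALM/
base $BASE
ssl no
use_sasl on
sasl_mech GSSAPI
krb5_ccname FILE:$CCACHE
rootuse_sasl on
nss_base_passwd CN=Users,$BASE?sub
nss_base_group CN=Users,$BASE?sub
EOF
}
```

The ticket in the credential cache expires, so the kinit from verify_keytab has to be repeated from cron (or by a keytab-aware daemon) before the ticket lifetime runs out, otherwise lookups will start failing again after a few hours.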

