[Samba] How to use --simple-bind-dn in samba-tool
abartlet at samba.org
Wed Aug 7 17:44:51 MDT 2013
On Wed, 2013-08-07 at 17:16 +0700, Olivier Nicole wrote:
> I understand that using options -H and --simple-bind-dn one could run
> samba-tool remotely.
> But how should I specify the DN to use for simple bind?
> I tried many syntaxes:
> cn=Administrator at domain
> all with the Administrator password, but it always fails with:
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <Simple Bind Failed: NT_STATUS_LOGON_FAILURE> <>
> Failed to connect to 'ldap://fbsd35.cs.ait.ac.th/' with backend 'ldap': (null)
> Can I use the command ldapsearch (from openLdap distribution) to access
> the LDAP directory maintained by Samba?
> If yes, what is the syntax in terms of binding?

In general, you shouldn't need --simple-bind-dn, because Samba supports
much more secure ways to authenticate, such as NTLM and Kerberos. Just
specify -U administrator.

For the record, for other non-AD servers that don't do SASL and so can't
use -U, --simple-bind-dn takes a DN, so cn=admin,dc=example,dc=com might
be the admin DN on an OpenLDAP server. (This applies more to the ldb*
commands than samba-tool, which probably shouldn't show this option
except it comes from common code.)

I hope this helps,
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
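
Added example, not part of the original message and not Samba code: a pre-flight check that a string is shaped like a full DN of the kind the reply says --simple-bind-dn takes, so a user@domain style name is caught before a bind attempt. The function names, the example.com inputs and the dc= suffix heuristic are assumptions made for illustration.

```python
import re

# Attribute type: short name (cn, dc, ...) or dotted numeric OID.
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")

def split_unescaped(text, sep):
    """Split on sep, skipping any character that follows a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def parse_dn(dn):
    """Return [(attr, value), ...] for a string DN, or raise ValueError."""
    pairs = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN
            attr, eq, value = ava.lstrip().partition("=")
            if not eq or not ATTR_TYPE.match(attr) or not value:
                raise ValueError(f"not an attr=value pair: {ava!r}")
            pairs.append((attr.lower(), value))
    return pairs

def check_simple_bind_dn(name):
    """Return a list of problems; empty means the string is shaped like a full DN."""
    try:
        pairs = parse_dn(name)
    except ValueError as exc:
        hint = " (user@domain form, not a DN)" if "@" in name and "=" not in name else ""
        return [f"not a DN: {exc}{hint}"]
    if not any(attr == "dc" for attr, _ in pairs):
        # Heuristic (assumption): the directory is rooted at dc= components.
        return ["no dc= components, so this is not a full DN under a dc= suffix"]
    return []

if __name__ == "__main__":
    # Constructed sample inputs, modelled on the forms mentioned in the thread.
    for s in ("cn=admin,dc=example,dc=com", "Administrator@example.com",
              "cn=Administrator@example.com"):
        print(f"{s!r}: {check_simple_bind_dn(s) or 'ok'}")
```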