[Samba] Samba 4 with LDAP proxy in DMZ

Andrew Bartlett abartlet at samba.org
Mon Aug 12 00:20:46 MDT 2013

On Thu, 2013-08-08 at 17:14 +0100, Julian Pilfold-Bagwell wrote:
> Hi All,
> I'm setting up a Samba AD domain which works perfectly with the Win 7 
> server tools and so far everything is going fine.  What has me stumped 
> is setting up an LDAP proxy in our DMZ against which I can authenticate 
> our email and web services.
> I've got port 389 open on my main Samba 4 DC and if I use the domain 
> administrator account to bind the proxy, everything works.  In order to 
> give a degree of separation however, I've created a user called 
> ldapbindacc and have used the server remote admin tools to delegate 
> control of the directory server to that user with read only access to 
> user and group details.  When I try to access the directory using this 
> account, I get the following error message (the password is definitely 
> correct):
> # ldapsearch -LLL -H ldap:// -b 
> 'dc=bordengrammar,dc=kent,dc=sch,dc=uk' -D 
> 'cn=ldapbindacc,cn=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk' -W 
> '(sAMAccountName=Test.User)'
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>      additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
> As I'm moving from Samba 3 to 4, my AD knowledge is limited so I've been 
> patching things together from various howtos.  Has anyone succeeded in 
> this who can give me some tips?

Try just setting the DN as ldapbindacc@bordengrammar.kent.sch.uk (AD
allows these kinds of DNs for binds).

Otherwise, just turn up the logging on the Samba side and see what it

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
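The bind forms discussed above, shown on the wire. This is an added example (my own code, written for this page; it is not from the thread, nor Samba's or OpenLDAP's code): a minimal BER encoder/decoder for the LDAPv3 simple BindRequest and BindResponse, so you can see what `ldapsearch -D ... -W` actually sends, whether the name is a full DN or a user@realm UPN, and what result code 49 with the diagnostic `Simple Bind Failed: NT_STATUS_LOGON_FAILURE` looks like coming back. The account name, realm and password are constructed sample values. The practical point for a proxy in a DMZ is visible in the request bytes: the simple-bind password is carried as a plain octet string, so binding to ldap://:389 without StartTLS (`ldapsearch -ZZ`) or ldaps://:636 exposes the service account's password to anyone on the path.

```python
"""Minimal LDAPv3 simple-bind encoder/decoder (BER), standard library only.

Added example for the thread above; not Samba or OpenLDAP code.
Covers just enough of RFC 4511 to build a BindRequest and parse a BindResponse.
"""

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] / [APPLICATION 1], constructed
SIMPLE_AUTH = 0x80                          # AuthenticationChoice simple [0] OCTET STRING
INVALID_CREDENTIALS = 49                    # the resultCode ldapsearch printed in the post


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int, tag: int = INTEGER) -> bytes:
    """Minimal two's-complement INTEGER/ENUMERATED (enough for IDs and result codes)."""
    size = 1
    while n >= (1 << (8 * size - 1)) or n < -(1 << (8 * size - 1)):
        size += 1
    return tlv(tag, n.to_bytes(size, "big", signed=True))


def bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    `name` may be a DN such as cn=ldapbindacc,cn=Users,dc=... or, against AD/Samba,
    a UPN such as ldapbindacc@realm. Note the password goes in unencrypted.
    """
    body = ber_int(3) + tlv(OCTET_STRING, name.encode()) + tlv(SIMPLE_AUTH, password.encode())
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_REQUEST, body))


def bind_response(message_id: int, result_code: int, diagnostic: str = "", matched_dn: str = "") -> bytes:
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    body = (ber_int(result_code, ENUMERATED)
            + tlv(OCTET_STRING, matched_dn.encode())
            + tlv(OCTET_STRING, diagnostic.encode()))
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_RESPONSE, body))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> dict:
    """Decode a BindResponse; raises ValueError on anything else."""
    tag, seq, _ = read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(seq, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, body, _ = read_tlv(seq, pos)
    if tag != BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    tag, rc, pos = read_tlv(body, 0)
    if tag != ENUMERATED:
        raise ValueError("missing resultCode")
    _, matched, pos = read_tlv(body, pos)
    _, diag, _ = read_tlv(body, pos)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": int.from_bytes(rc, "big", signed=True),
        "matched_dn": matched.decode(),
        "diagnostic": diag.decode(),
    }


def demo() -> dict:
    """Constructed exchange mirroring the post: UPN bind, then the server's failure reply."""
    req = bind_request(1, "ldapbindacc@bordengrammar.kent.sch.uk", "constructed-sample-password")
    resp = bind_response(1, INVALID_CREDENTIALS, "Simple Bind Failed: NT_STATUS_LOGON_FAILURE")
    result = parse_bind_response(resp)
    result["password_in_clear"] = b"constructed-sample-password" in req
    return result


if __name__ == "__main__":
    print(bind_request(1, "a", "b").hex())
    print(demo())
```

Running it prints the hex of a tiny request (name "a", password "b") followed by the parsed failure reply; the `password_in_clear` flag in the result is exactly why the DMZ proxy should only bind over TLS. The decoder is deliberately strict about tags so a non-bind reply is rejected rather than misread.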
