[Samba] OpenSSH auth in SAMBA4 LDAP

Bruno Vane broonu at gmail.com
Mon Aug 26 08:12:55 MDT 2013

Marc, sorry to bother you with this, but I can not access a SSH server
using these settings.
Could you take a look if you have time to find out if my settings are wrong?

When I do a "ssh -l nslcd-connect" (or any other user) to the server, i got
this in /var/log/auth.log:

Aug 26 11:09:14 ldap sshd[4642]: Invalid user nslcd-connect from MY_MACHINE
Aug 26 11:09:14 ldap sshd[4642]: input_userauth_request: invalid user
nslcd-connect [preauth]
Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): check pass; user
Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_FQDN
Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact
LDAP server
Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: reconnecting to LDAP server...
Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact
LDAP server
Aug 26 11:09:23 ldap sshd[4642]: Failed password for invalid user
nslcd-connect from MY_MACHINE port 51004 ssh2
Aug 26 11:09:25 ldap sshd[4642]: Connection closed by MY_MACHINE [preauth]

============> This is my samba4 server LDAP test:
root at samba:~# ldapsearch -U nslcd-connect -h localhost -b
DC=corporativo,DC=mydomain,DC=net "cn=nslcd-connect" distinguishedName
SASL/NTLM authentication started
Please enter your password:
SASL username: nslcd-connect
# extended LDIF
# LDAPv3
# base <DC=corporativo,DC=mydomain,DC=net> with scope subtree
# filter: cn=nslcd-connect
# requesting: distinguishedName

# nslcd-connect, Users, corporativo.sodobrasil.net.br
dn: CN=nslcd-connect,CN=Users,DC=corporativo,DC=mydomain,DC=net

# search reference
ref: ldap://

# search reference
ref: ldap://

# search reference
ref: ldap://

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

=============== > This is /etc/nslcd.conf
#Mappings for Active Directory
pagesize 1000
referrals off

# Passwd
filter  passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map     passwd  uid                     sAMAccountName
map     passwd  homeDirectory           unixHomeDirectory
map     passwd  gecos                   displayName
map     passwd  gidNumber               primaryGroupID

# Shadow
filter  shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map     shadow  uid                     sAMAccountName
map     shadow  shadowLastChange        pwdLastSet

# Groups
filter  group (&(objectClass=group)(objectClass=posixGroup)(gidNumber=*))
#map     group   uniqueMember            member

# Local account, nslcd runs under
uid nslcd
gid nslcd

# LDAP server settings
base dc=corporativo,dc=mydomain,dc=net

# Account in AD that is used from Nslcd to bind to the directory
#binddn cn=teste,cn=Users,dc=corporativo,dc=mydomain,dc=net
binddn CN=nslcd-connect,CN=Users,DC=corporativo,dc=mydomain,dc=net
bindpw nslcd-connect_password

=================> This is /usr/share/libpam-ldap/ldap.conf
base DC=corporativo,dc=mydomain,dc=net
binddn cn=nslcd-connect,cn=Users,DC=corporativo,dc=mydomain,dc=net
bindpw mudar123
bind_policy soft
pam_login_attribute sAMAccountName
ssl no

2013/8/26 Marc Muehlfeld <samba at marc-muehlfeld.de>

> Am 26.08.2013 14:10, schrieb Bruno Vane:
>  I will try this configuration. For this to work I need openLDAP proxy?
> No. You can access AD via LDAP direclty.


Bruno Vane
HPM Tecnologia
(24) 9278-7195 / (24) 3345-0002
skype: broonu

www.zamix.com.br | www.superonda.com.br

More information about the samba mailing list