[Samba] Cannot bind to AD using nslcd

John Yocum jtyocum at uw.edu
Wed Nov 19 09:20:42 MST 2014 

Have you done an ldapsearch to lookup that user's full DN? Though that
would appear to be correct, assuming your AD domain is acasta.intra.

--John

On 11/19/2014 08:16 AM, Rob Mason wrote:
> Thanks Rowland, but that space is pasted into my email by accident - it
> isn't in the original nslcd.conf file.
> 
> Checked again and re-pasted:
> 
> binddn cn=nslcd-connect,cn=Users,dc=acasta,dc=intra
> 
> Is this definitely the correct format for 'binddn' - the man page doesn't
> specify format???
> 
> 
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Rowland Penny
> Sent: 19 November 2014 16:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] Cannot bind to AD using nslcd
> 
> On 19/11/14 15:54, Rob Mason wrote:
>> Hi Again - following on from my last request for help, I'm now 
>> attempting to setup LDAP auth against my working samba4 AD.
>>
>> Simplistically, I'm trying initially to SSH into my AD server 
>> (working) using nslcd.
>> I've tried method #1 from
>> https://wiki.samba.org/index.php/Local_user_management_and_authenticat
>> ion/ns
>> lcd
>>
>> My simple config is:
>>
>>    uid nslcd
>>    gid nslcd
>>    uri ldap://127.0.0.1:389
>>    base cn=Users,dc=acasta,dc=intra
>>    binddn cn=nslcd-connect,cn=Users, dc=acasta,dc=intra
>                                                      ^
>                                     You have a space here
> 
> Rowland
> 
>>    bindpw xxxxx
>>
>>    filter  passwd  (objectClass=user)
>>    filter  group   (objectClass=group)
>>    map     passwd  uid                sAMAccountName
>>    map     passwd  homeDirectory      unixHomeDirectory
>>    map     passwd  gecos              displayName
>>    map     passwd  gidNumber          primaryGroupID
>>    #map     group   uniqueMember       member
>>
>> Nsswitch.conf has been modified to include ldap.
>> Pam.conf has the appropriate values.
>>
>> My syslog says:
>>    Nov 19 14:32:35 kepler nslcd[13159]: [8b4567] <passwd(all)> failed 
>> to bind to LDAP server ldap://kepler.acasta.intra/: Invalid 
>> credentials: Simple Bind
>> Failed: NT_STATUS_LOGON_FAILURE
>>    Nov 19 14:32:35 kepler nslcd[13159]: [8b4567] <passwd(all)> no 
>> available LDAP server found: Invalid credentials
>>
>> # ldapsearch -x -D 'ACASTA\nslcd-connect' -w 'xxxxx' -E 
>> pr=1000/noprompt -b 'cn=Users,dc=acasta,dc=intra' SAMAccountName uid 
>> uidNumber
>>   
>> .authenticates and lists all my user objects
>>
>> I've convinced myself that the problem somehow lies within the 'binddn'
>> setting. After several hours I'm no further forward.
>>
>> Can anyone throw any light here???
>>
>> TIA
>>
>>
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> 


-- 
John Yocum, Systems Administrator, DEOHS

More information about the samba mailing list