[Samba] Cannot bind to AD using nslcd

Rob Mason rob.mason at acasta.co.uk
Wed Nov 19 09:34:55 MST 2014


Seems OK ->

dn: CN=nslcd-connect,CN=Users,DC=acasta,DC=intra
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: nslcd-connect
givenName: nslcd-connect
instanceType: 4
whenCreated: 20141119142618.0Z
displayName: nslcd-connect
uSNCreated: 3775
name: nslcd-connect
objectGUID:: STbTmoMqyE+lIjhxrk8OHQ==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAg/RAl2y4e0EHLvzkUAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: nslcd-connect
sAMAccountType: 805306368
userPrincipalName: nslcd-connect@acasta.intra
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=acasta,DC=intra
pwdLastSet: 130608807790000000
whenChanged: 20141119142620.0Z
userAccountControl: 66048
uSNChanged: 3778
distinguishedName: CN=nslcd-connect,CN=Users,DC=acasta,DC=intra

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of John Yocum
Sent: 19 November 2014 16:21
To: samba at lists.samba.org
Subject: Re: [Samba] Cannot bind to AD using nslcd

Have you done an ldapsearch to lookup that user's full DN? Though that would
appear to be correct, assuming your AD domain is acasta.intra.

--John

On 11/19/2014 08:16 AM, Rob Mason wrote:
> Thanks Rowland, but that space is pasted into my email by accident - 
> it isn't in the original nslcd.conf file.
> 
> Checked again and re-pasted:
> 
> binddn cn=nslcd-connect,cn=Users,dc=acasta,dc=intra
> 
> Is this definitely the correct format for 'binddn' - the man page 
> doesn't specify format???
> 
> 
> -----Original Message-----
> From: samba-bounces at lists.samba.org 
> [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Rowland Penny
> Sent: 19 November 2014 16:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] Cannot bind to AD using nslcd
> 
> On 19/11/14 15:54, Rob Mason wrote:
>> Hi Again - following on from my last request for help, I'm now 
>> attempting to setup LDAP auth against my working samba4 AD.
>>
>> Simplistically, I'm trying initially to SSH into my AD server
>> (working) using nslcd.
>> I've tried method #1 from
>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
>>
>> My simple config is:
>>
>>    uid nslcd
>>    gid nslcd
>>    uri ldap://127.0.0.1:389
>>    base cn=Users,dc=acasta,dc=intra
>>    binddn cn=nslcd-connect,cn=Users, dc=acasta,dc=intra
>                                                      ^
>                                     You have a space here
> 
> Rowland
> 
>>    bindpw xxxxx
>>
>>    filter  passwd  (objectClass=user)
>>    filter  group   (objectClass=group)
>>    map     passwd  uid                sAMAccountName
>>    map     passwd  homeDirectory      unixHomeDirectory
>>    map     passwd  gecos              displayName
>>    map     passwd  gidNumber          primaryGroupID
>>    #map     group   uniqueMember       member
>>
>> Nsswitch.conf has been modified to include ldap.
>> Pam.conf has the appropriate values.
>>
>> My syslog says:
>>    Nov 19 14:32:35 kepler nslcd[13159]: [8b4567] <passwd(all)> failed to bind to LDAP server ldap://kepler.acasta.intra/: Invalid credentials: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
>>    Nov 19 14:32:35 kepler nslcd[13159]: [8b4567] <passwd(all)> no available LDAP server found: Invalid credentials
>>
>> # ldapsearch -x -D 'ACASTA\nslcd-connect' -w 'xxxxx' -E pr=1000/noprompt -b 'cn=Users,dc=acasta,dc=intra' SAMAccountName uid uidNumber
>>   
>> .authenticates and lists all my user objects
>>
>> I've convinced myself that the problem somehow lies within the 'binddn'
>> setting. After several hours I'm no further forward.
>>
>> Can anyone throw any light here???
>>
>> TIA
>>
>>
> 


--
John Yocum, Systems Administrator, DEOHS
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
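
The check discussed in this thread (compare the full DN returned by ldapsearch with the binddn in nslcd.conf, and confirm the account is usable), as an added example that is not part of the original messages. The function names are hypothetical, the sample inputs are constructed from the excerpts quoted above, and the DN comparison is a simplification (case-folded, no escaped commas).

```python
import re

# Constructed sample inputs, reduced from the excerpts quoted in this thread.
NSLCD_CONF = """\
uri ldap://127.0.0.1:389
base cn=Users,dc=acasta,dc=intra
binddn cn=nslcd-connect,cn=Users, dc=acasta,dc=intra
bindpw xxxxx
"""
LDIF = """\
dn: CN=nslcd-connect,CN=Users,DC=acasta,DC=intra
userAccountControl: 66048
pwdLastSet: 130608807790000000
"""

# Subset of the documented Active Directory userAccountControl bits.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

def conf_option(conf, key):
    # Raw value of a single-valued nslcd.conf option, or None if absent.
    m = re.search(r"^[ \t]*%s[ \t]+(.*)$" % re.escape(key), conf, re.MULTILINE)
    return m.group(1) if m else None

def ldif_attrs(ldif):
    # Parse unwrapped "name: value" LDIF lines into a dict.
    pairs = (line.partition(": ") for line in ldif.splitlines())
    return {name: value for name, sep, value in pairs if sep}

def normalize_dn(dn):
    # Assumption: case-insensitive match, whitespace around "," ignored.
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_bind_account(conf, ldif):
    # Compare the configured binddn to the directory entry and decode its state.
    binddn, attrs = conf_option(conf, "binddn"), ldif_attrs(ldif)
    uac = int(attrs["userAccountControl"])
    return {
        "space_at_separator": bool(re.search(r"\s,|,\s", binddn)),
        "dn_matches_directory": normalize_dn(binddn) == normalize_dn(attrs["dn"]),
        "uac_flags": sorted(n for bit, n in UAC_FLAGS.items() if uac & bit),
        "disabled": bool(uac & 0x0002),
        "must_change_password": attrs["pwdLastSet"] == "0",
    }

if __name__ == "__main__":
    for name, value in check_bind_account(NSLCD_CONF, LDIF).items():
        print(f"{name}: {value}")
```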

