[Samba] Cannot bind to AD using nslcd

Rob Mason rob.mason at acasta.co.uk
Wed Nov 19 10:02:19 MST 2014

On 19/11/2014 16:58, Rob Mason wrote:
> On 19/11/2014 16:51, Rowland Penny wrote:
>> On 19/11/14 16:42, Rob Mason wrote:
>>> <--snip-->
>>> OK, can you confirm that you are using samba 4.1.11 from backports,
>>> you have
>>> created the user 'nslcd-connect' in AD and you are trying to ssh into
>>> the AD
>>> DC .
>>> Rowland
>>> ------------------
>>> Thanks again!
>>> Yes - in this order:-
>>> # apt-get install -t wheezy-backports samba smbclient krb5-config
>>> krb5-user
>>> # samba-tool domain provision --use-rfc2307 --interactive
>>> # ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
>>> Tested OK using:
>>> # host -t SRV _ldap._tcp.acasta.intra.
>>> # host -t SRV _kerberos._udp. acasta.intra.
>>> # host -t A kepler. acasta.intra.
>>> # kinit administrator at ACASTA.INTRA
>>> # klist
>>> I am trying to ssh into my AD-DC box using a domain account (as a
>>> starter!)
>> OK, in which case why don't you just use winbind ? it works for me,
>> exactly the same configuration as you, or do want to do something else
>> and if so what ?
>> Rowland
> Hi Rowland - it's probably my misunderstanding, but basically, I'm
> aiming to authenticate all network services (smtp, imap, file and print)
> to the AD in order to take advantage of a single domain account per
> user.   I achieved all of this under samba3 using 'unix password sync'.

Further info running nslcd debug (anyone know what the 3 stars are (***)
in "ldap_simple_bind_s" below?

nslcd: [7b23c6] DEBUG: connection from pid=17975 uid=0 gid=0
nslcd: [7b23c6] <passwd(all)> DEBUG:
nslcd: [7b23c6] <passwd(all)> DEBUG:
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <passwd(all)> DEBUG:
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] <passwd(all)> DEBUG:
nslcd: [7b23c6] <passwd(all)> DEBUG:
nslcd: [7b23c6] <passwd(all)> DEBUG:
nslcd: [7b23c6] <passwd(all)> DEBUG:
nslcd: [7b23c6] <passwd(all)> failed to bind to LDAP server
ldap://kepler.acasta.intra/: Invalid credentials: Simple Bind Failed:
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_unbind()
nslcd: [7b23c6] <passwd(all)> no available LDAP server found: Invalid

More information about the samba mailing list