[Samba] Cannot bind to AD using nslcd

Rob Mason rob.mason at acasta.co.uk
Wed Nov 19 10:02:19 MST 2014


On 19/11/2014 16:58, Rob Mason wrote:
> On 19/11/2014 16:51, Rowland Penny wrote:
>> On 19/11/14 16:42, Rob Mason wrote:
>>> <--snip-->
>>>
>>> OK, can you confirm that you are using samba 4.1.11 from backports,
>>> you have
>>> created the user 'nslcd-connect' in AD and you are trying to ssh into
>>> the AD
>>> DC .
>>>
>>> Rowland
>>>
>>> ------------------
>>>
>>> Thanks again!
>>>
>>> Yes - in this order:-
>>>
>>> # apt-get install -t wheezy-backports samba smbclient krb5-config
>>> krb5-user
>>> # samba-tool domain provision --use-rfc2307 --interactive
>>> # ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
>>>
>>> Tested OK using:
>>>
>>> # host -t SRV _ldap._tcp.acasta.intra.
>>> # host -t SRV _kerberos._udp. acasta.intra.
>>> # host -t A kepler. acasta.intra.
>>> # kinit administrator at ACASTA.INTRA
>>> # klist
>>>
>>> I am trying to ssh into my AD-DC box using a domain account (as a
>>> starter!)
>>>
>>>
>> OK, in which case why don't you just use winbind ? it works for me,
>> exactly the same configuration as you, or do want to do something else
>> and if so what ?
>>
>> Rowland
>>
> Hi Rowland - it's probably my misunderstanding, but basically, I'm
> aiming to authenticate all network services (smtp, imap, file and print)
> to the AD in order to take advantage of a single domain account per
> user.   I achieved all of this under samba3 using 'unix password sync'.
>

Further info running nslcd debug (anyone know what the 3 stars are (***)
in "ldap_simple_bind_s" below?)

nslcd: [7b23c6] DEBUG: connection from pid=17975 uid=0 gid=0
nslcd: [7b23c6] <passwd(all)> DEBUG:
myldap_search(base="CN=Users,DC=acasta,DC=intra",
filter="(objectClass=posixAccount)")
nslcd: [7b23c6] <passwd(all)> DEBUG:
ldap_initialize(ldap://kepler.acasta.intra/)
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <passwd(all)> DEBUG:
ldap_simple_bind_s("CN=lcd-connect,CN=Users,DC=acasta,DC=intra","***")
(uri="ldap://kepler.acasta.intra/")
nslcd: [7b23c6] <passwd(all)> failed to bind to LDAP server
ldap://kepler.acasta.intra/: Invalid credentials: Simple Bind Failed:
NT_STATUS_LOGON_FAILURE
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_unbind()
nslcd: [7b23c6] <passwd(all)> no available LDAP server found: Invalid
credentials
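An added example, not part of the thread or of nslcd itself: a Python checker that reads nslcd debug output like the above (assuming nslcd's one-record-per-line form, which the mail client wrapped here, over a constructed sample built from these lines), pairs each ldap_simple_bind_s() call with its failure status, and compares the CN in the logged bind DN with the account name intended for the bind, the 'nslcd-connect' user named earlier in the thread. The "***" is nslcd masking the bind password in its debug log, so the DN and URI are the only bind parameters the log can confirm.

```python
import re

# Constructed sample, modelled on the post's output (nslcd writes one record per line).
SAMPLE_LOG = """\
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_initialize(ldap://kepler.acasta.intra/)
nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_simple_bind_s("CN=lcd-connect,CN=Users,DC=acasta,DC=intra","***") (uri="ldap://kepler.acasta.intra/")
nslcd: [7b23c6] <passwd(all)> failed to bind to LDAP server ldap://kepler.acasta.intra/: Invalid credentials: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
nslcd: [7b23c6] <passwd(all)> no available LDAP server found: Invalid credentials
"""

SESSION_RE = re.compile(r"^nslcd: \[(?P<session>[0-9a-f]+)\]")
BIND_RE = re.compile(r'ldap_simple_bind_s\("(?P<dn>[^"]*)","(?P<pw>[^"]*)"\)\s*\(uri="(?P<uri>[^"]*)"\)')
FAIL_RE = re.compile(r"failed to bind to LDAP server (?P<uri>\S+): (?P<reason>.*)$")
NT_RE = re.compile(r"NT_STATUS_[A-Z_]+")
CN_RE = re.compile(r"^CN=(?P<cn>[^,]+)", re.IGNORECASE)

def parse_bind_attempts(log_text):
    """One dict per ldap_simple_bind_s() line, joined with the failure line of its session."""
    attempts, open_by_session = [], {}
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        sid = m["session"]
        b = BIND_RE.search(line)
        if b:
            # nslcd prints "***" in place of a non-empty bind password; only DN and URI are logged.
            attempt = {"session": sid, "dn": b["dn"], "uri": b["uri"],
                       "password_masked": b["pw"] == "***", "failed": False, "nt_status": None}
            attempts.append(attempt)
            open_by_session[sid] = attempt
            continue
        f = FAIL_RE.search(line)
        if f and sid in open_by_session:
            attempt = open_by_session.pop(sid)
            nt = NT_RE.search(f["reason"])
            attempt.update(failed=True, reason=f["reason"], nt_status=nt.group(0) if nt else None)
    return attempts

def bind_cn(dn):
    m = CN_RE.match(dn.strip())  # leading CN= value of the bind DN, or None
    return m["cn"] if m else None

def check_expected_account(attempt, expected_cn):
    """None when the logged bind DN names expected_cn, otherwise a one-line finding."""
    cn = bind_cn(attempt["dn"])
    if cn is None or cn.lower() != expected_cn.lower():
        return f"bind DN names CN={cn!r}, not the intended account {expected_cn!r}"
    return None
```

Running check_expected_account() over the parsed sample with "nslcd-connect" reports the CN in the bind DN that AD actually saw, which is the name to compare against the user created in AD before looking at the password itself.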
