[Samba] Cannot bind to AD using nslcd

Rob Mason rob.mason at acasta.co.uk
Wed Nov 19 10:13:27 MST 2014


Thanks Min.

I have nsswitch configured with:

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

I have pam.conf configured with 'pam_ldap.so'


Is this what you mean???


On 19/11/2014 17:07, Min Wai Chan wrote:
> Hi Rob,
>
> What is not working now?
>
> Once you are using an AD DC, you cannot think of unix password sync anymore.
>
> When using unix password sync, there is a local account and password.
>
> But with AD DC + nslcd...
>
> We need the help of PAM or native LDAP/AD.
>
> So the program you use must use PAM authentication or LDAP/AD.
>
>
>
>
> On Thu, Nov 20, 2014 at 12:58 AM, Rob Mason <rob.mason at acasta.co.uk> wrote:
>
>> On 19/11/2014 16:51, Rowland Penny wrote:
>>> On 19/11/14 16:42, Rob Mason wrote:
>>>> <--snip-->
>>>>
>>>> OK, can you confirm that you are using samba 4.1.11 from backports,
>>>> you have
>>>> created the user 'nslcd-connect' in AD and you are trying to ssh into
>>>> the AD
>>>> DC .
>>>>
>>>> Rowland
>>>>
>>>> ------------------
>>>>
>>>> Thanks again!
>>>>
>>>> Yes - in this order:-
>>>>
>>>> # apt-get install -t wheezy-backports samba smbclient krb5-config
>>>> krb5-user
>>>> # samba-tool domain provision --use-rfc2307 --interactive
>>>> # ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
>>>>
>>>> Tested OK using:
>>>>
>>>> # host -t SRV _ldap._tcp.acasta.intra.
>>>> # host -t SRV _kerberos._udp.acasta.intra.
>>>> # host -t A kepler.acasta.intra.
>>>> # kinit administrator@ACASTA.INTRA
>>>> # klist
>>>>
>>>> I am trying to ssh into my AD-DC box using a domain account (as a
>>>> starter!)
>>>>
>>>>
>>> OK, in which case why don't you just use winbind ? it works for me,
>>> exactly the same configuration as you, or do want to do something else
>>> and if so what ?
>>>
>>> Rowland
>>>
>> Hi Rowland - it's probably my misunderstanding, but basically, I'm
>> aiming to authenticate all network services (smtp, imap, file and print)
>> to the AD in order to take advantage of a single domain account per
>> user.   I achieved all of this under samba3 using 'unix password sync'.
>>
