[Samba] Cannot bind to AD using nslcd

Rowland Penny rowlandpenny at googlemail.com
Wed Nov 19 10:16:24 MST 2014


On 19/11/14 17:10, Rob Mason wrote:
> On 19/11/2014 17:04, Rowland Penny wrote:
>> On 19/11/14 16:58, Rob Mason wrote:
>>> On 19/11/2014 16:51, Rowland Penny wrote:
>>>> On 19/11/14 16:42, Rob Mason wrote:
>>>>> <--snip-->
>>>>>
>>>>> OK, can you confirm that you are using samba 4.1.11 from backports,
>>>>> that you have created the user 'nslcd-connect' in AD, and that you are
>>>>> trying to ssh into the AD DC.
>>>>>
>>>>> Rowland
>>>>>
>>>>> ------------------
>>>>>
>>>>> Thanks again!
>>>>>
>>>>> Yes - in this order:
>>>>>
>>>>> # apt-get install -t wheezy-backports samba smbclient krb5-config krb5-user
>>>>> # samba-tool domain provision --use-rfc2307 --interactive
>>>>> # ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
>>>>>
>>>>> Tested OK using:
>>>>>
>>>>> # host -t SRV _ldap._tcp.acasta.intra.
>>>>> # host -t SRV _kerberos._udp.acasta.intra.
>>>>> # host -t A kepler.acasta.intra.
>>>>> # kinit administrator@ACASTA.INTRA
>>>>> # klist
>>>>>
>>>>> I am trying to ssh into my AD-DC box using a domain account (as a
>>>>> starter!)
>>>>>
>>>>>
>>>> OK, in which case why don't you just use winbind? It works for me, with
>>>> exactly the same configuration as you. Or do you want to do something else,
>>>> and if so, what?
>>>>
>>>> Rowland
>>>>
>>> Hi Rowland - it's probably my misunderstanding, but basically, I'm
>>> aiming to authenticate all network services (smtp, imap, file and print)
>>> to the AD in order to take advantage of a single domain account per
>>> user. I achieved all of this under samba3 using 'unix password sync'.
>>>
>> I hope that you aren't thinking of using the AD DC to store all these;
>> if so, then I would suggest that you set up a member server and use
>> this instead:
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> Rowland
>>
> Thanks. I have three servers: the AD-DC, then a print/fileserver, and
> finally an smtp/imap server. I have made an assumption that the other
> two servers will require 'nslcd' to authenticate against the AD-DC
> domain accounts. I have no requirement for SMB service on that third
> server.
>
> My objective is for DoeJ@ACASTA.INTRA to log onto a domain account on a
> Win7 workstation and access print, file and email services from the
> network using that single domain account. I have little experience with
> winbind - is that a better option than attempting ldap integration?
>
iRedmail has a page on integrating with AD:
http://www.iredmail.org/docs/active.directory.html

I know that you are probably not using iRedmail, but this should give 
you some idea of the direction to go.

Rowland
