[Samba] Cannot bind to AD using nslcd

Rob Mason rob.mason at acasta.co.uk
Wed Nov 19 10:24:12 MST 2014


Rob Mason
07770 578764

On 19/11/2014 17:16, Rowland Penny wrote:
> On 19/11/14 17:10, Rob Mason wrote:
>> On 19/11/2014 17:04, Rowland Penny wrote:
>>> On 19/11/14 16:58, Rob Mason wrote:
>>>> On 19/11/2014 16:51, Rowland Penny wrote:
>>>>> On 19/11/14 16:42, Rob Mason wrote:
>>>>>> <--snip-->
>>>>>>
>>>>>> OK, can you confirm that you are using samba 4.1.11 from backports,
>>>>>> you have created the user 'nslcd-connect' in AD and you are trying
>>>>>> to ssh into the AD DC.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>> ------------------
>>>>>>
>>>>>> Thanks again!
>>>>>>
>>>>>> Yes - in this order:-
>>>>>>
>>>>>> # apt-get install -t wheezy-backports samba smbclient krb5-config
>>>>>> krb5-user
>>>>>> # samba-tool domain provision --use-rfc2307 --interactive
>>>>>> # ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
>>>>>>
>>>>>> Tested OK using:
>>>>>>
>>>>>> # host -t SRV _ldap._tcp.acasta.intra.
>>>>>> # host -t SRV _kerberos._udp.acasta.intra.
>>>>>> # host -t A kepler.acasta.intra.
>>>>>> # kinit administrator@ACASTA.INTRA
>>>>>> # klist
>>>>>>
>>>>>> I am trying to ssh into my AD-DC box using a domain account (as a
>>>>>> starter!)
>>>>>>
>>>>>>
>>>>> OK, in which case why don't you just use winbind? It works for me,
>>>>> exactly the same configuration as you, or do you want to do something
>>>>> else, and if so what?
>>>>>
>>>>> Rowland
>>>>>
>>>> Hi Rowland - it's probably my misunderstanding, but basically, I'm
>>>> aiming to authenticate all network services (smtp, imap, file and
>>>> print)
>>>> to the AD in order to take advantage of a single domain account per
>>>> user.   I achieved all of this under samba3 using 'unix password
>>>> sync'.
>>>>
>>>>
>>>>
>>>>
>>> I hope that you aren't thinking of using the AD DC to store all these,
>>> if so, then I would suggest that you set up a member server and use
>>> this instead :
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>
>>> Rowland
>>>
>> Thanks.  I have three servers.  The AD-DC then a print/fileserver, and,
>> finally a smtp/imap server.  I have made an assumption that the other
>> two servers will require 'nslcd' to authenticate against the AD-DC
>> domain accounts.  I have no requirement for SMB service on that third
>> server.
>>
>> My objective is for DoeJ@ACASTA.INTRA to log onto a domain account on a
>> Win7 workstation and access print, file and email services from the
>> network using that single domain account. I have little experience with
>> winbind - is that a better option than attempting ldap integration???
>>
>>
>>
>>
>>
> iRedmail has a page on integrating with AD :
> http://www.iredmail.org/docs/active.directory.html
>
> I know that you are probably not using iRedmail, but this should give
> you some idea of the direction to go.
>
> Rowland
>
Thanks for your help Rowland.  The iredmail isn't really the approach I
would desire.  I guess I'm being too ambitious!  I thought I would be
able to redirect all authentication requests via nslcd.  I'm going to
have to sit down and have a rethink!
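For the winbind route Rowland suggests, a minimal smb.conf for one of the member servers (the file/print box or the mail box) would look like this. This is an added illustration, not configuration from the thread or from the linked wiki page; the realm comes from the thread, while the workgroup name ACASTA, the NetBIOS name and the idmap ranges are assumptions.

```ini
[global]
   # Member server joining the existing Samba AD domain.
   # realm is from the thread; workgroup and netbios name are assumed.
   workgroup = ACASTA
   realm = ACASTA.INTRA
   security = ads
   netbios name = FILESRV

   # Let winbind obtain its own service tickets from the machine keytab.
   kerberos method = secrets and keytab

   # Default backend for BUILTIN and any domain not listed below;
   # IDs here are allocated locally and are not consistent across hosts.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Domain users take uidNumber/gidNumber from the RFC2307 attributes the
   # DC was provisioned with (--use-rfc2307), so IDs match on every server.
   # The range must cover the uidNumbers assigned in AD (assumed range).
   idmap config ACASTA : backend = ad
   idmap config ACASTA : schema_mode = rfc2307
   idmap config ACASTA : range = 10000-999999

   # Use the RFC2307 loginShell/unixHomeDirectory attributes when present,
   # falling back to the templates below for accounts that lack them.
   winbind nss info = rfc2307
   template shell = /bin/bash
   template homedir = /home/%U

   # Allow plain 'DoeJ' instead of 'ACASTA\DoeJ' at login and keep tickets fresh.
   winbind use default domain = yes
   winbind refresh tickets = yes
```

After `net ads join -U administrator` and adding `winbind` to the passwd and group lines of /etc/nsswitch.conf, `getent passwd DoeJ` should return the AD account with its RFC2307 uid, which is the check to run before pointing ssh, dovecot or postfix at it.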



