[Samba] Unable to authenticate ldap externally after upgrade from 4.4.0 to 4.4.2

lingpanda101 at gmail.com lingpanda101 at gmail.com
Thu Apr 14 12:52:48 UTC 2016


On 4/13/2016 1:48 PM, lingpanda101 at gmail.com wrote:
> On 4/13/2016 12:15 PM, lingpanda101 at gmail.com wrote:
>> Hello,
>>
>>     After upgrading all external services will no longer authenticate 
>> to the domain. One of those is osTicket. Looking through the release 
>> notes I figured this would happen. However I'm a bit tentative to 
>> make changes to my smb.conf without doing damage and asking for help 
>> from the list. I have 6 DCs. One holds all the FSMO roles. This is 
>> the smb.conf from that DC.
>>
>> [global]
>>         workgroup = DOMAIN
>>         realm = DOMAIN.LOCAL
>>         netbios name = PFDC1
>>         server role = active directory domain controller
>>         dns forwarder = 8.8.8.8
>>         idmap_ldb:use rfc2307 = Yes
>>
>>         log level = 0
>>         logging = syslog at 1 file
>>         debug uid = Yes
>>         debug pid = Yes
>>
>>         allow dns updates = nonsecure
>>
>>         load printers = No
>>         printcap name = /dev/null
>>         disable spoolss = Yes
>>
>>         # Add and Update TLS Key
>>         tls enabled = yes
>>         tls keyfile = tls/sambaKey.pem
>>         tls certfile = tls/sambaCert.pem
>>         tls cafile =
>>
>>
>> [netlogon]
>>         path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /usr/local/samba/var/locks/sysvol
>>         read only = No
>>
>>
>> The only difference this DC has in its smb.conf from the others is 
>> the TLS key section. I needed to create a custom self-signed 
>> certificate for another service that required a stronger key. 2048 
>> bit. Not sure if this has any bearing on my issue. I think my issue 
>> has to do with the following value
>>
>> 'ldap server require strong auth = yes'
>>
>> Is this where I should be looking? For reference this is how I setup 
>> osTicket parameters for external ldap authentication.
>>
>> http://blog.zwiegnet.com/linux-server/configure-osticket-for-ldap-authentication/ 
>>
>>
>> DCs are all Ubuntu 12.04. Installed Samba from tar and the following 
>> commands.
>>
>> ./configure
>> make
>> make install
>>
>> Installation went fine without error. Thanks.
>>
> As I suspected the line
>
> 'ldap server require strong auth = yes'
>
> does play a role. Setting this to no allowed external authentication 
> again. Not with osTicket. It allowed other services I was having 
> issues authenticating with. I will attempt to enable TLS on those 
> applications so I can use the default behavior.
>
The issue with osTicket was I needed to add 'ldap server require strong 
auth = yes' to the second DC's smb.conf in the site. Oversight on my part.

Can someone explain the difference between 'allow_sasl_over_tls' and 
'yes' options? More specifically 'yes', as the prior option seems self 
explanatory. Thanks.

-- 
-James
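For what the `yes` setting enforces in practice: a simple (cleartext password) bind is only accepted on a TLS-protected connection, and Samba answers a cleartext one with LDAP resultCode 8 (strongerAuthRequired). The probe below is an added example, not code from this thread or from Samba, that sends one simple bind with the standard library and decodes the DC's answer so you can confirm the setting on each DC in the site; host, DN and password are placeholders you supply, and the sample response bytes are constructed here to match Samba's "BindSimple: Transport encryption required." diagnostic.

```python
import socket
import ssl
# Minimal BER helpers: enough for an LDAPv3 simple BindRequest/BindResponse.
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def simple_bind_request(dn, password, msg_id=1):
    """LDAPMessage{messageID, BindRequest{version 3, name, simple password}}."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))

def parse_bind_result(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse LDAPMessage."""
    _, msg, _ = _read_tlv(data)                 # outer SEQUENCE
    _, _, pos = _read_tlv(msg)                  # messageID
    tag, resp, _ = _read_tlv(msg, pos)
    assert tag == 0x61, "not a BindResponse"    # [APPLICATION 1] BindResponse
    _, code, pos = _read_tlv(resp)              # resultCode ENUMERATED
    _, _, pos = _read_tlv(resp, pos)            # matchedDN
    _, diag, _ = _read_tlv(resp, pos)           # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def probe_simple_bind(host, port, dn, password, use_tls=False, cafile=None):
    """Send one simple bind and return the DC's (resultCode, diagnosticMessage).
    With 'yes', cleartext on 389 -> 8 (strongerAuthRequired); LDAPS on 636 proceeds."""
    sock = socket.create_connection((host, port), timeout=5)
    if use_tls:
        ctx = ssl.create_default_context(cafile=cafile)  # cafile: the DC's self-signed CA
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(simple_bind_request(dn, password))
        data = sock.recv(4096)  # a BindResponse fits in one read
    return parse_bind_result(data)

# Constructed sample: what a DC enforcing 'yes' answers to a cleartext simple bind.
SAMPLE_REJECT = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x61,
    _tlv(0x0A, b"\x08") + _tlv(0x04, b"") +
    _tlv(0x04, b"BindSimple: Transport encryption required.")))
```

Run `probe_simple_bind("pfdc1.domain.local", 389, dn, pw)` against each DC; one that still returns a normal result on 389 has not picked up the setting, which is the second-DC oversight described above.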