[Samba] Unable to authenticate ldap externally after upgrade from 4.4.0 to 4.4.2

Rowland penny rpenny at samba.org
Thu Apr 14 14:13:40 UTC 2016


On 14/04/16 13:52, lingpanda101 at gmail.com wrote:
> On 4/13/2016 1:48 PM, lingpanda101 at gmail.com wrote:
>> On 4/13/2016 12:15 PM, lingpanda101 at gmail.com wrote:
>>> Hello,
>>>
>>>     After upgrading, all external services will no longer 
>>> authenticate to the domain. One of those is osTicket. Looking 
>>> through the release notes I figured this would happen. However, I'm a 
>>> bit tentative to make changes to my smb.conf without doing damage 
>>> and asking for help from the list. I have 6 DCs. One holds all the 
>>> FSMO roles. This is the smb.conf from that DC.
>>>
>>> [global]
>>>         workgroup = DOMAIN
>>>         realm = DOMAIN.LOCAL
>>>         netbios name = PFDC1
>>>         server role = active directory domain controller
>>>         dns forwarder = 8.8.8.8
>>>         idmap_ldb:use rfc2307 = Yes
>>>
>>>         log level = 0
>>>         logging = syslog at 1 file
>>>         debug uid = Yes
>>>         debug pid = Yes
>>>
>>>         allow dns updates = nonsecure
>>>
>>>         load printers = No
>>>         printcap name = /dev/null
>>>         disable spoolss = Yes
>>>
>>>         # Add and Update TLS Key
>>>         tls enabled = yes
>>>         tls keyfile = tls/sambaKey.pem
>>>         tls certfile = tls/sambaCert.pem
>>>         tls cafile =
>>>
>>>
>>> [netlogon]
>>>         path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
>>>         read only = No
>>>
>>> [sysvol]
>>>         path = /usr/local/samba/var/locks/sysvol
>>>         read only = No
>>>
>>>
>>> The only difference this DC has in its smb.conf from the others is 
>>> the TLS key section. I needed to create a custom self-signed 
>>> certificate for another service that required a stronger key, 2048 
>>> bit. Not sure if this has any bearing on my issue. I think my issue 
>>> has to do with the following value
>>>
>>> 'ldap server require strong auth = yes'
>>>
>>> Is this where I should be looking? For reference, this is how I set up 
>>> osTicket parameters for external ldap authentication.
>>>
>>> http://blog.zwiegnet.com/linux-server/configure-osticket-for-ldap-authentication/ 
>>>
>>>
>>> DCs are all Ubuntu 12.04. Installed Samba from tar with the 
>>> following commands.
>>>
>>> ./configure
>>> make
>>> make install
>>>
>>> Installation went fine without error. Thanks.
>>>
>> As I suspected the line
>>
>> 'ldap server require strong auth = yes'
>>
>> does play a role. Setting this to no allowed external authentication 
>> again. Not with osTicket. It allowed other services I was having 
>> issues authenticating with. I will attempt to enable TLS on those 
>> applications so I can use the default behavior.
>>
> The issue with osTicket was I needed to add 'ldap server require 
> strong auth = yes' to the second DC's smb.conf in the site. Oversight 
> on my part.
>
> Can someone explain the difference between 'allow_sasl_over_tls' and 
> 'yes' options? More specifically 'yes', as the prior option seems self 
> explanatory. Thanks.
>

You will find the answer to that in the release notes here: 
https://www.samba.org/samba/history/samba-4.4.2.html

Rowland
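As an added illustration of the two points in this thread (the three values of 'ldap server require strong auth' and the cost of leaving one DC on the default), the following Python is not from the thread or from Samba: it parses constructed smb.conf fragments for two hypothetical DCs, reports each DC's effective setting, and models which bind styles each value accepts according to the 4.4.2 release notes. Host names and fragments are constructed for the example.

```python
import configparser

# Constructed smb.conf fragments (not the poster's files): PFDC1 sets the
# parameter explicitly, PFDC2 was left untouched after the upgrade.
SAMPLE_CONFS = {
    "PFDC1": """[global]
        realm = DOMAIN.LOCAL
        server role = active directory domain controller
        ldap server require strong auth = allow_sasl_over_tls
""",
    "PFDC2": """[global]
        realm = DOMAIN.LOCAL
        server role = active directory domain controller
""",
}

def strong_auth_setting(smb_conf_text):
    """Effective 'ldap server require strong auth' for one smb.conf; a DC
    that omits the parameter gets the 4.4.2+ default, 'yes'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   empty_lines_in_values=False)
    cp.read_string(smb_conf_text)
    return cp.get("global", "ldap server require strong auth",
                  fallback="yes").lower()

def bind_allowed(setting, simple_bind, over_tls, sasl_signed):
    """Model of the three values per the 4.4.2 notes: 'no' accepts any bind;
    otherwise a simple bind (password on the wire) needs TLS, and a SASL bind
    without sign/seal passes over TLS only under 'allow_sasl_over_tls'."""
    if setting == "no":
        return True
    if simple_bind:
        return over_tls
    if setting == "allow_sasl_over_tls":
        return over_tls or sasl_signed
    return sasl_signed

def audit(confs):
    """Effective setting per DC, and whether every DC agrees; a client that
    fails over between DCs otherwise gets a different answer from each."""
    effective = {host: strong_auth_setting(text) for host, text in confs.items()}
    return effective, len(set(effective.values())) == 1

def dcs_refusing(confs, simple_bind=True, over_tls=False, sasl_signed=False):
    """DCs that would reject a client binding this way; the defaults model
    a plaintext simple bind on port 389, the osTicket setup in the thread."""
    effective, _ = audit(confs)
    return sorted(host for host, setting in effective.items()
                  if not bind_allowed(setting, simple_bind, over_tls, sasl_signed))
```

Running `audit` over the real smb.conf of every DC in a site is the quick way to catch the mismatch described above before clients start failing intermittently.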
