[Samba] Unable to authenticate ldap externally after upgrade from 4.4.0 to 4.4.2

Andrew Bartlett abartlet at samba.org
Thu Apr 14 19:32:42 UTC 2016


On Thu, 2016-04-14 at 08:52 -0400, lingpanda101 at gmail.com wrote:
> On 4/13/2016 1:48 PM, lingpanda101 at gmail.com wrote:
> > On 4/13/2016 12:15 PM, lingpanda101 at gmail.com wrote:
> > > Hello,
> > > 
> > >     After upgrading all external services will no longer
> > > authenticate 
> > > to the domain. One of those is osTicket. Looking through the
> > > release 
> > > notes I figured this would happen. However I'm a bit tentative to
> > > make changes to my smb.conf without doing damage and asking for
> > > help 
> > > from the list. I have 6 DCs. One holds all the FSMO roles. This
> > > is 
> > > the smb.conf from that DC.
> > > 
> > > [global]
> > >         workgroup = DOMAIN
> > >         realm = DOMAIN.LOCAL
> > >         netbios name = PFDC1
> > >         server role = active directory domain controller
> > >         dns forwarder = 8.8.8.8
> > >         idmap_ldb:use rfc2307 = Yes
> > > 
> > >         log level = 0
> > >         logging = syslog at 1 file
> > >         debug uid = Yes
> > >         debug pid = Yes
> > > 
> > >         allow dns updates = nonsecure
> > > 
> > >         load printers = No
> > >         printcap name = /dev/null
> > >         disable spoolss = Yes
> > > 
> > >         # Add and Update TLS Key
> > >         tls enabled = yes
> > >         tls keyfile = tls/sambaKey.pem
> > >         tls certfile = tls/sambaCert.pem
> > >         tls cafile =
> > > 
> > > 
> > > [netlogon]
> > >         path =
> > > /usr/local/samba/var/locks/sysvol/domain.local/scripts
> > >         read only = No
> > > 
> > > [sysvol]
> > >         path = /usr/local/samba/var/locks/sysvol
> > >         read only = No
> > > 
> > > 
> > > The only difference this DC has in its smb.conf from the others
> > > is 
> > > the TLS key section. I needed to create a custom self-signed 
> > > certificate for another service that required a stronger key.
> > > 2048 
> > > bit. Not sure if this has any bearing on my issue. I think my
> > > issue 
> > > has to do with the following value
> > > 
> > > 'ldap server require strong auth = yes'
> > > 
> > > Is this where I should be looking? For reference this is how I
> > > setup 
> > > osTicket parameters for external ldap authentication.
> > > 
> > > http://blog.zwiegnet.com/linux-server/configure-osticket-for-ldap-authentication/
> > > 
> > > 
> > > DCs are all Ubuntu 12.04. Installed Samba from tar and the
> > > following 
> > > commands.
> > > 
> > > ./configure
> > > make
> > > make install
> > > 
> > > Installation went fine without error. Thanks.
> > > 
> > As I suspected the line
> > 
> > 'ldap server require strong auth = yes'
> > 
> > does play a role. Setting this to no allowed external
> > authentication 
> > again. Not with osTicket. It allowed other services I was having 
> > issues authenticating with. I will attempt to enable TLS on those 
> > applications so I can use the default behavior.
> > 
> The issue with osTicket was I needed to add 'ldap server require
> strong 
> auth = yes' to the second DC's smb.conf in the site. Oversight on my
> part.
> 
> Can someone explain the difference between 'allow_sasl_over_tls' and 
> 'yes' options? More specifically 'yes', as the prior option seems
> self 
> explanatory. Thanks.

When set to 'yes', we only allow simple binds over TLS.  

When using SASL, it is more secure to use the sign/seal protection
provided by SASL rather than just wrapping it in TLS, as so few clients
actually check SSL certificates. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
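An added example, not from the thread or from Samba, for the point raised above (one DC's smb.conf differing from the others): it parses the [global] section of several smb.conf files and reports each DC's effective 'ldap server require strong auth' value, flagging DCs that disagree and DCs still accepting simple binds without TLS. It assumes the Samba 4.4 default of 'yes' when the parameter is unset; the DC names and configs are constructed.

```python
"""Audit 'ldap server require strong auth' across several DCs' smb.conf files.
Constructed example, not thread or Samba code. Assumes the parameter defaults to
'yes' when absent (Samba 4.4) and takes 'yes', 'no' or 'allow_sasl_over_tls'."""
import re

PARAM = "ldap server require strong auth"
DEFAULT = "yes"  # assumed default when the parameter is not set in [global]
VALID = {"yes", "no", "allow_sasl_over_tls"}

def global_section(conf: str) -> dict:
    """[global] parameters with keys lower-cased and internal whitespace normalised."""
    params, in_global = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or smb.conf comment
            continue
        section = re.match(r"\[(.+)\]$", line)
        if section:
            in_global = section.group(1).strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def strong_auth_setting(conf: str) -> str:
    """Effective value for one smb.conf, applying the default if the parameter is unset."""
    value = global_section(conf).get(PARAM, DEFAULT).lower()
    if value not in VALID:
        raise ValueError(f"unrecognised value for '{PARAM}': {value!r}")
    return value

def audit(configs: dict) -> dict:
    """Per-DC value, whether all DCs agree, and which DCs accept simple binds without TLS."""
    settings = {dc: strong_auth_setting(conf) for dc, conf in configs.items()}
    return {
        "settings": settings,
        "consistent": len(set(settings.values())) == 1,
        "plaintext_simple_bind": sorted(dc for dc, v in settings.items() if v == "no"),
    }

# Constructed sample: PFDC1 relaxed the setting, PFDC2 silently keeps the default
SAMPLE_CONFIGS = {
    "PFDC1": "[global]\n\tworkgroup = DOMAIN\n\tldap server require strong auth = no\n[sysvol]\n\tpath = /srv/sysvol\n",
    "PFDC2": "[global]\n\tworkgroup = DOMAIN\n\t# strong auth parameter not set here\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIGS))
```

Run it against the real smb.conf from each DC in a site; clients will behave differently depending on which DC answers whenever the report is not consistent.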