[Samba] Samba43 on FreeBSD10.3 ldap db contents

Rowland Penny rpenny at samba.org
Wed Jul 6 20:54:47 UTC 2016


On 06/07/16 21:27, James B. Byrne wrote:
> I am working through the book _Implementing Samba 4_ and revalidating
> my existing install.  I am at the point where I need to check the
> contents of the ldap database.  The instructions in the book say to do
> this:

What book??
Have you tried reading the Samba wiki: 
https://wiki.samba.org/index.php/Main_Page

>
> ldapsearch -x -h localhost -s base - \
>    Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> -W

I take it you are running the above command on the Samba 4 DC, try this 
instead:

ldbsearch -H ldap://localhost \
  -b 'cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca' \
  -s sub '(cn=Administrator)' -U <a domain user>

>
> Which produces this output:
>
> # extended LDIF
> #
> # LDAPv3
> # base <> (default) with scope baseObject
> # filter: (objectclass=*)
> # requesting: -
> Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> -W
> #
>
> #
> dn:
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Which I take to be a success given the result.

Ah no, it should have dumped the entire AD contents.

> But this does not ask
> for the Password as I expected.  Moving the -W switch to before the
> subject name results in a password prompt but entering the
> Administrator password fails authentication:
>
> ldapsearch -vv -x -h localhost -s base -W -
> Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> ldap_initialize( ldap://localhost )
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>          additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
>
>
> What am I doing wrong?  I am trying all this as the root user.  There
> is no Administrator user in /etc/passwd.  Are the credentials being
> requested those for the root user or for the Administrator user?
> Neither work.  Why is it succeeding when no password is requested?

It isn't succeeding, and I suggest you use ldb-tools instead of ldap-tools.

Rowland

>   If
> I do a klist then this is the result:
>
>   klist
> Credentials cache: FILE:/tmp/krb5cc_0
>          Principal: Administrator@DOMAIN-02.HARTE-LYNE.CA
>
>    Issued                Expires               Principal
> Jul  6 15:11:53 2016  Jul  7 01:11:53 2016
> krbtgt/DOMAIN-02.HARTE-LYNE.CA@DOMAIN-02.HARTE-LYNE.CA
>
>
> is this where ldap is getting its authentication?
>
> I request your indulgence with respect to these questions. It has been
> about 15 years since I last set up an AD-DC and I have zero previous
> experience with Samba.
>
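
An added example, not part of the original message: a Python check over the comment header that ldapsearch prints, showing what the first command quoted above actually asked the server for despite `result: 0 Success`. The sample text is that quoted output with the wrapped `# requesting:` line rejoined, and the function name `audit_ldapsearch` is hypothetical.

```python
import re

# Constructed sample: the output quoted in the message above, with the
# e-mail line wrap inside "# requesting:" rejoined onto one line.
SAMPLE = """\
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: - Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca -W
#

#
dn:

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def audit_ldapsearch(output):
    """Return warnings about what an ldapsearch run really queried."""
    warnings = []
    base = re.search(r"^# base <(.*?)>.*? with scope (\w+)", output, re.M)
    req = re.search(r"^# requesting:[ \t]*(.*)$", output, re.M)
    dns = re.findall(r"^dn:[ \t]*(.*)$", output, re.M)
    # An empty base with scope baseObject is a read of the root DSE only.
    if base and base.group(1) == "" and base.group(2) == "baseObject":
        warnings.append("empty search base: only the root DSE was queried")
    # Anything after the first non-option argument is taken as an attribute
    # name, so options and bind DNs can end up in the "requesting" list.
    for token in (req.group(1).split() if req else []):
        if token.startswith("-"):
            warnings.append(f"option-like token parsed as attribute: {token}")
        elif "=" in token:
            warnings.append(f"DN-like token parsed as attribute: {token}")
    if dns and all(dn == "" for dn in dns):
        warnings.append("only entry returned has an empty DN")
    return warnings


if __name__ == "__main__":
    for line in audit_ldapsearch(SAMPLE):
        print(line)
```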



