[Samba] Samba43 on FreeBDS10.3 ldap db contents
Achim Gottinger
achim at ag-web.biz
Wed Jul 6 22:01:13 UTC 2016
On 06.07.2016 at 22:27, James B. Byrne wrote:
> I am working through the book _Implementing Samba 4_ and revalidating
> my existing install. I am at the point where I need to check the
> contents of the ldap database. The instructions in the book say to do
> this:
>
> ldapsearch -x -h localhost -s base - \
> Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> -W
>
> Which produces this output:
>
> # extended LDIF
> #
> # LDAPv3
> # base <> (default) with scope baseObject
> # filter: (objectclass=*)
> # requesting: -
> Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> -W
> #
>
> #
> dn:
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Which I take to be a success given the result. But this does not ask
> for the Password as I expected. Moving the -W switch to before the
> subject name results in a password prompt but entering the
> Administrator password fails authentication:
>
> ldapsearch -vv -x -h localhost -s base -W -
> Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> ldap_initialize( ldap://localhost )
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
>
>
> What am I doing wrong? I am trying all this as the root user. There
> is no Administrator user in /etc/passwd. Are the credentials being
> requested those for the root user or for the Administrator user?
> Neither work. Why is it succeeding when no password is requested? If
> I do a klist then this is the result:
>
> klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: Administrator at DOMAIN-02.HARTE-LYNE.CA
>
> Issued Expires Principal
> Jul 6 15:11:53 2016 Jul 7 01:11:53 2016
> krbtgt/DOMAIN-02.HARTE-LYNE.CA at DOMAIN-02.HARTE-LYNE.CA
>
>
> is this where ldap is getting its authentication?
>
> I request your indulgence with respect to these questions. It has been
> about 15 years since I last set up an AD-DC and I have zero previous
> experience with Samba.
>
If you want to stick with ldap-tools instead of ldb-tools you have a few
options.
1. Use TLS and the samba CA Cert.
Add
TLS_CACERT /var/lib/samba/private/tls/ca.pem
To /etc/ldap/ldap.conf, the path to the file may be different on your
machine.
If the Cert is expired and you do not want to renew it you may also use
TLS_REQCERT allow
Instead.
Now add the -Z option to your ldapsearch parameters and the query should
succeed.
2. Use GSSAPI
Add
SASL_MECH gssapi
to /etc/ldap/ldap.conf
Run kinit Administrator
Afterwards ldapsearch works without -W -x (-Z).
3. Allow simple binds (insecure)
Add
ldap server require strong auth = no
to smb.conf, restart samba and your queries should work unmodified.
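The three options above change one of two files: the client's ldap.conf (options 1 and 2) or the DC's smb.conf (option 3). The script below is an added example, not code from this thread or from the Samba project; it audits both files and reports which bind mode they leave ldapsearch in, flagging the two weak settings (TLS_REQCERT allow, which turns off certificate verification, and strong auth = no, which accepts plaintext simple binds on port 389). File paths are passed as arguments, and the sample configs it writes into a temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a client ldap.conf and a Samba smb.conf for the
# settings discussed in the reply above. Not from the thread or from Samba.

# Drop comment and blank lines from a config file.
_cfg_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Report how a client ldap.conf authenticates: "gssapi", "tls" or "none".
# ldap.conf keywords are case-insensitive, so compare in upper case.
ldap_conf_mode() {
    [ -f "$1" ] || { echo "missing"; return 1; }
    upper=$(_cfg_lines "$1" | tr '[:lower:]' '[:upper:]')
    if printf '%s\n' "$upper" | grep -Eq '^[[:space:]]*SASL_MECH[[:space:]]+GSSAPI'; then
        echo "gssapi"
    elif printf '%s\n' "$upper" | grep -Eq '^[[:space:]]*TLS_CACERT[[:space:]]'; then
        echo "tls"
    else
        echo "none"
    fi
}

# Return 0 when ldap.conf tells the client to accept any server certificate
# (TLS_REQCERT allow or never): TLS is on, but the DC is not verified.
ldap_conf_skips_cert_check() {
    [ -f "$1" ] || return 1
    _cfg_lines "$1" | tr '[:lower:]' '[:upper:]' \
        | grep -Eq '^[[:space:]]*TLS_REQCERT[[:space:]]+(ALLOW|NEVER)'
}

# Return 0 when smb.conf disables strong-auth enforcement (option 3), which
# lets plaintext simple binds through. Samba ignores case and whitespace in
# parameter names, so normalise the line before matching.
smb_conf_allows_simple_bind() {
    [ -f "$1" ] || return 1
    _cfg_lines "$1" | tr -d ' \t' | tr '[:upper:]' '[:lower:]' \
        | grep -q '^ldapserverrequirestrongauth=no$'
}

# Write constructed sample configs into the directory given as $1.
write_samples() {
    cat > "$1/ldap-tls.conf" <<'EOF'
# constructed sample: option 1
TLS_CACERT /var/lib/samba/private/tls/ca.pem
TLS_REQCERT allow
EOF
    cat > "$1/ldap-gssapi.conf" <<'EOF'
# constructed sample: option 2
SASL_MECH gssapi
EOF
    cat > "$1/smb.conf" <<'EOF'
# constructed sample: option 3
[global]
    workgroup = DOMAIN-02
    ldap server require strong auth = No
EOF
}

# Print a short report for one client ldap.conf ($1) and one smb.conf ($2).
audit() {
    printf '%s: bind mode %s\n' "$1" "$(ldap_conf_mode "$1")"
    if ldap_conf_skips_cert_check "$1"; then
        printf '%s: TLS_REQCERT allow/never, server certificate is not verified\n' "$1"
    fi
    if smb_conf_allows_simple_bind "$2"; then
        printf '%s: strong auth disabled, simple binds accepted without TLS\n' "$2"
    fi
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit "$tmp/ldap-tls.conf" "$tmp/smb.conf"
audit "$tmp/ldap-gssapi.conf" "$tmp/smb.conf"
rm -rf "$tmp"
```

Run it against the real files by replacing the two `audit` calls with your own paths (for example `audit /etc/ldap/ldap.conf /usr/local/etc/smb4.conf` on FreeBSD); on a DC that is left in option 3 the report tells you that the default protection against unencrypted simple binds has been switched off.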