[Samba] Samba43 on FreeBSD 10.3 ldap db contents

Achim Gottinger achim at ag-web.biz
Wed Jul 6 22:01:13 UTC 2016



On 06.07.2016 at 22:27, James B. Byrne wrote:
> I am working through the book _Implementing Samba 4_ and revalidating
> my existing install.  I am at the point where I need to check the
> contents of the ldap database.  The instructions in the book say to do
> this:
>
> ldapsearch -x -h localhost -s base - \
>    Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> -W
>
> Which produces this output:
>
> # extended LDIF
> #
> # LDAPv3
> # base <> (default) with scope baseObject
> # filter: (objectclass=*)
> # requesting: -
> Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> -W
> #
>
> #
> dn:
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Which I take to be a success given the result.  But this does not ask
> for the Password as I expected.  Moving the -W switch to before the
> subject name results in a password prompt but entering the
> Administrator password fails authentication:
>
> ldapsearch -vv -x -h localhost -s base -W -
> Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> ldap_initialize( ldap://localhost )
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>          additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
>
>
> What am I doing wrong?  I am trying all this as the root user.  There
> is no Administrator user in /etc/passwd.  Are the credentials being
> requested those for the root user or for the Administrator user?
> Neither work.  Why is it succeeding when no password is requested?  If
> I do a klist then this is the result:
>
>   klist
> Credentials cache: FILE:/tmp/krb5cc_0
>          Principal: Administrator at DOMAIN-02.HARTE-LYNE.CA
>
>    Issued                Expires               Principal
> Jul  6 15:11:53 2016  Jul  7 01:11:53 2016
> krbtgt/DOMAIN-02.HARTE-LYNE.CA at DOMAIN-02.HARTE-LYNE.CA
>
>
> is this where ldap is getting its authentication?
>
> I request your indulgence with respect to these questions. It has been
> about 15 years since I last set up an AD-DC and I have zero previous
> experience with Samba.
>
If you want to stick with ldap-tools instead of ldb-tools, you have a few 
options.

1. Use TLS and the samba CA Cert.

Add

TLS_CACERT      /var/lib/samba/private/tls/ca.pem

to /etc/ldap/ldap.conf; the path to the file may be different on your 
machine.

If the cert is expired and you do not want to renew it, you may also use

TLS_REQCERT allow

instead.
Now add the -Z option to your ldapsearch parameters and the query should 
succeed.

2. Use GSSAPI

Add

SASL_MECH gssapi

to /etc/ldap/ldap.conf

Run kinit Administrator.
Afterwards, ldapsearch works without -W -x (-Z).

3. Allow simple binds (insecure)

Add

ldap server require strong auth = no

to smb.conf, restart samba and your queries should work unmodified.
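An added example, not part of the thread and not Samba's own tooling: a small POSIX shell script that reads the `ldap server require strong auth` setting out of an smb.conf (Samba's documented default is `yes`, so leaving the line out keeps option 3 switched off) and prints the ldapsearch invocation for each of the three approaches above. The sample smb.conf contents, the temporary paths and the `localhost` host are constructed for illustration. Two details worth noting: the bind DN is passed with `-D` followed by a space (in the quoted output, `# requesting:` lists `-`, `Dcn=...` and `-W`, i.e. ldapsearch took them as attribute names, not as a bind DN), and `-ZZ` rather than `-Z` makes a failed StartTLS negotiation fatal instead of letting the bind proceed in plaintext. `-Y GSSAPI` on the command line is the per-invocation equivalent of the `SASL_MECH gssapi` line in ldap.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the smb.conf setting behind
# option 3 and composes the ldapsearch command for options 1 to 3.
# Sample configs, temp paths and "localhost" are constructed for this demo.

# Print the effective value of "ldap server require strong auth" from an
# smb.conf file. Samba's documented default is "yes", so a missing line
# means simple binds over plain TCP are refused. Value is lower-cased
# because Samba accepts "No"/"no"/"NO".
strong_auth_setting() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*ldap server require strong auth[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" \
          | tail -n 1 | tr '[:upper:]' '[:lower:]')
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'yes\n'
}

# Return 0 if a plain (no TLS, no SASL) simple bind is allowed by this config.
simple_bind_allowed() {
    case "$(strong_auth_setting "$1")" in
        no) return 0 ;;
        *)  return 1 ;;
    esac
}

# Compose the ldapsearch invocation for one of the three approaches.
#   $1: tls | gssapi | simple    $2: host    $3: bind DN (unused for gssapi)
# -ZZ requires StartTLS to succeed; -Y GSSAPI selects the Kerberos SASL
# mechanism and relies on a ticket already present in the credential cache.
ldapsearch_cmd() {
    mode="$1"; host="$2"; binddn="$3"
    case "$mode" in
        tls)    printf "ldapsearch -x -ZZ -h %s -D '%s' -W -s base\n" "$host" "$binddn" ;;
        gssapi) printf "ldapsearch -Y GSSAPI -h %s -s base\n" "$host" ;;
        simple) printf "ldapsearch -x -h %s -D '%s' -W -s base\n" "$host" "$binddn" ;;
        *)      echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Constructed sample configs: the default (hardened) one and one with option 3.
tmp=$(mktemp -d)
cat > "$tmp/hardened.conf" <<'EOF'
[global]
    workgroup = DOMAIN-02
    realm = DOMAIN-02.HARTE-LYNE.CA
    server role = active directory domain controller
EOF
cat > "$tmp/relaxed.conf" <<'EOF'
[global]
    workgroup = DOMAIN-02
    realm = DOMAIN-02.HARTE-LYNE.CA
    server role = active directory domain controller
    ldap server require strong auth = no
EOF

dn='cn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca'
for c in hardened relaxed; do
    printf '%s.conf: ldap server require strong auth = %s\n' "$c" "$(strong_auth_setting "$tmp/$c.conf")"
done
ldapsearch_cmd tls localhost "$dn"
ldapsearch_cmd gssapi localhost
ldapsearch_cmd simple localhost "$dn"
rm -rf "$tmp"
```

The script only reads the file it is given; on the DC itself, `testparm -sv | grep 'require strong auth'` shows the value Samba actually loaded, includes, overrides and all. Options 1 and 2 leave the default in place, which is why they are the ones to prefer over option 3.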