[Samba] Samba update to 4.2.14 (SERNET) breaks LDAP access

Alan Hughes alanhughes at e2eservices.co.uk
Fri Jul 8 11:37:02 UTC 2016


Last night we updated our Samba-4 AD server to version 4.2.14 using the SERNET packages, running on SLES 12. We have a number of services (mail services, MANTIS, etc.) that access the server via the LDAP interface and in all cases we discovered that none of them were able to establish a successful LDAP connection after the upgrade.

 
Previously we used plain LDAP to access the server, i.e. we did not use SSL/TLS. However it appears that the Samba-4 server is now insisting on using SSL/TLS regardless of the settings; if I attempt to perform an LDAP query without SSL/TLS I get:

 
ldapsearch -H 'ldap://172.16.6.2:389/' -D *** -w *** -b **
ldap_bind: Strong(er) authentication required (8)
        additional info: BindSimple: Transport encryption required.

 
Note that this used to work prior to the upgrade.

 
Attempting to access via TLS:

 
ldapsearch -H 'ldap://172.16.6.2:389/' -D *** -w *** -b ** -Z
ldap_bind: Strong(er) authentication required (8)
        additional info: BindSimple: Transport encryption required.

 
Attempting to access via SSL:

 
ldapsearch -H 'ldaps://172.16.6.2:636/' -D *** -w *** -b **
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

 
Note that we have not installed any certificates since we are not wanting to use encrypted connections at the moment.

 
Setting "enable tls = no" in "smb.conf" does not work - we see the same as above.

 
Does anyone have any ideas? I'm stuck on this.

 
Further information (just in case someone thinks it might be useful) - the global section from our "smb.conf" file:

 
[global]
        workgroup = E2E
        realm = AD.CORPORATE.E2E
        netbios name = JANUS
        server role = active directory domain controller
        server services = -dns, -dnsupdate, -winbind, +winbindd
        dns forwarder = 217.13.128.17
        idmap_ldb:use rfc2307 = yes
        idmap config E2E:backend = ad
        idmap config E2E:schema_mode = rfc2307
        idmap config E2E:range = 10000-40000
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        winbind nss info = rfc2307
        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork

 
Port status:

 
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      12317/samba
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      12321/samba
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      12321/samba
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      12321/samba
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      12317/samba
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      12323/samba
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      12323/samba
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      12321/samba
tcp        0      0 :::1024                 :::*                    LISTEN      12317/samba
tcp        0      0 :::3268                 :::*                    LISTEN      12321/samba
tcp        0      0 :::3269                 :::*                    LISTEN      12321/samba
tcp        0      0 :::389                  :::*                    LISTEN      12321/samba
tcp        0      0 :::135                  :::*                    LISTEN      12317/samba
tcp        0      0 :::464                  :::*                    LISTEN      12323/samba
tcp        0      0 :::88                   :::*                    LISTEN      12323/samba
tcp        0      0 :::636                  :::*                    LISTEN      12321/samba
 
Thanks in advance.

 
Alan
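
Added example, not part of the original message and not SerNet's or Samba's own configuration: the "BindSimple: Transport encryption required" refusal quoted above is the one Samba returns for simple binds on an unencrypted connection when the "ldap server require strong auth" parameter is in force, so this fragment sets the weak value beside the hardened one. It assumes certificate files at Samba's default relative tls/ paths; the file names are placeholders.

```ini
[global]
        # Weak: accepts simple binds on plain ldap://, so the bind DN and
        # password of every service account cross the network in cleartext.
        # Shown commented out for comparison only.
        # ldap server require strong auth = no

        # Hardened: keep rejecting cleartext simple binds and give the LDAP
        # server a certificate that clients can verify.
        ldap server require strong auth = yes
        tls enabled  = yes
        # Placeholder file names, relative to Samba's private directory.
        tls keyfile  = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile   = tls/ca.pem
```

With the hardened form, each LDAP client (mail services, MANTIS and so on) has to trust the issuing CA and connect with ldaps:// or with StartTLS enforced (ldapsearch -ZZ rather than -Z, which continues after a failed StartTLS).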


