[Samba] Samba update to 4.2.14 (SERNET) breaks LDAP access

L.P.H. van Belle belle at bazuin.nl
Fri Jul 8 12:02:05 UTC 2016


Hai, 

Please read : 

https://www.samba.org/samba/history/ 
from 12 April 2016 and below that. 
Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases Available for Download

What you see is correct. 

And
> Note that we have not installed any certificates since we are not wanting
> to use encrypted connections at the moment. 

Then set : 
ldap server require strong auth = no 

but please read the change logs; they explain it all. 

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alan Hughes
> Sent: Friday 8 July 2016 13:37
> To: samba at lists.samba.org
> Subject: [Samba] Samba update to 4.2.14 (SERNET) breaks LDAP access
> 
> Last night we updated our Samba-4 AD server to version 4.2.14 using the
> SERNET packages, running on SLES 12. We have a number of services (mail
> services, MANTIS, etc) that access the server via the LDAP interface and
> in all cases we discovered that none of them were able to establish a
> successful LDAP connection after the upgrade.
> 
> 
> Previously we used plain LDAP to access the server, i.e. we did not use
> SSL/TLS. However it appears that the Samba-4 server is now insisting on
> using SSL/TLS regardless of the settings; if I attempt to perform an LDAP
> query without SSL/TLS I get:
> 
> 
> ldapsearch -H 'ldap://172.16.6.2:389/' -D *** -w *** -b **
> ldap_bind: Strong(er) authentication required (8)
>         additional info: BindSimple: Transport encryption required.
> 
> 
> Note that this used to work prior to the upgrade.
> 
> 
> Attempting to access via TLS:
> 
> 
> ldapsearch -H 'ldap://172.16.6.2:389/' -D *** -w *** -b ** -Z
> ldap_bind: Strong(er) authentication required (8)
>         additional info: BindSimple: Transport encryption required.
> 
> 
> Attempting to access via SSL:
> 
> 
> ldapsearch -H 'ldaps://172.16.6.2:636/' -D *** -w *** -b **
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> 
> 
> Note that we have not installed any certificates since we are not wanting
> to use encrypted connections at the moment.
> 
> 
> Setting "enable tls = no" in "smb.conf" does not work - we see the same as
> above.
> 
> 
> Does anyone have any ideas? I'm stuck on this.
> 
> 
> Further information (just in case someone thinks it might be useful) - the
> global section from our "smb.conf" file:
> 
> 
> [global]
>         workgroup = E2E
>         realm = AD.CORPORATE.E2E
>         netbios name = JANUS
>         server role = active directory domain controller
>         server services = -dns, -dnsupdate, -winbind, +winbindd
>         dns forwarder = 217.13.128.17
>         idmap_ldb:use rfc2307 = yes
>         idmap config E2E:backend = ad
>         idmap config E2E:schema_mode = rfc2307
>         idmap config E2E:range = 10000-40000
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999
>         winbind nss info = rfc2307
>         rpc_server:spoolss = external
>         rpc_daemon:spoolssd = fork
> 
> 
> Port status:
> 
> 
> tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      12317/samba
> tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      12321/samba
> tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      12321/samba
> tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      12321/samba
> tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      12317/samba
> tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      12323/samba
> tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      12323/samba
> tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      12321/samba
> tcp        0      0 :::1024                 :::*                    LISTEN      12317/samba
> tcp        0      0 :::3268                 :::*                    LISTEN      12321/samba
> tcp        0      0 :::3269                 :::*                    LISTEN      12321/samba
> tcp        0      0 :::389                  :::*                    LISTEN      12321/samba
> tcp        0      0 :::135                  :::*                    LISTEN      12317/samba
> tcp        0      0 :::464                  :::*                    LISTEN      12323/samba
> tcp        0      0 :::88                   :::*                    LISTEN      12323/samba
> tcp        0      0 :::636                  :::*                    LISTEN      12321/samba
> 
> Thanks in advance.
> 
> 
> Alan
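
Added example, not part of the original thread and not Samba project code: a small audit that reads smb.conf text and reports which LDAP binds the server will accept under the `ldap server require strong auth` parameter discussed above. It models only the three documented values (`no`, `allow_sasl_over_tls`, `yes`, with `yes` as the default); the function names and the sample configuration are constructed for illustration.

```python
# Added example: which LDAP binds does a Samba AD DC accept, given smb.conf text?
# Models only the documented values of "ldap server require strong auth".

DEFAULT = "yes"  # documented default of the parameter

# Constructed sample: a subset of the [global] section quoted in the thread.
SAMPLE_CONF = """\
[global]
        workgroup = E2E
        server role = active directory domain controller
        idmap config E2E:backend = ad
"""

def _norm(name):
    # Samba parameter names ignore case and embedded whitespace.
    return "".join(name.split()).lower()

def strong_auth_setting(conf_text):
    """Return the effective 'ldap server require strong auth' value in [global]."""
    section, value = None, DEFAULT
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)
            if _norm(key) == "ldapserverrequirestrongauth":
                value = val.strip().lower()
    return value

def bind_allowed(setting, bind, tls, sign_or_seal=False):
    """bind is 'simple' or 'sasl'; tls is True for ldaps:// or StartTLS.
    sign_or_seal is only consulted for unencrypted connections."""
    if setting not in ("no", "allow_sasl_over_tls", "yes"):
        raise ValueError("unhandled value: %r" % setting)
    if setting == "no":
        return True   # every bind, including cleartext simple binds
    if not tls:
        # Simple binds fail here with "Transport encryption required."
        return bind == "sasl" and bool(sign_or_seal)
    return bind == "simple" or setting == "allow_sasl_over_tls"

def audit(conf_text):
    """Return (setting, finding) for the cleartext simple-bind case."""
    setting = strong_auth_setting(conf_text)
    exposed = bind_allowed(setting, "simple", tls=False)
    return setting, "simple-bind passwords cross the network in cleartext" if exposed else "ok"
```

With the sample configuration the parameter is absent, so the default applies and a plain simple bind is refused, which matches the ldapsearch error in the original post.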
