[Samba] Samba update to 4.2.14 (SERNET) breaks LDAP access

Alan Hughes alanhughes at e2eservices.co.uk
Fri Jul 8 12:01:56 UTC 2016


Yep that fixed it. I found out (at the same time as the reply from Guilherme arrived in my inbox) that the option was added in 4.2.10. Added to smb.conf and everything is now working again.

 
Alan
 
-----Original message-----
From: Guilherme Boing <kolt+samba at frag.com.br>
Sent: Fri 08-07-2016 12:59
Subject: Re: [Samba] Samba update to 4.2.14 (SERNET) breaks LDAP access
To: Alan Hughes <alanhughes at e2eservices.co.uk>
CC: samba at lists.samba.org
 
Hello Alan,
 I had the same issue and I needed to add this line:
ldap server require strong auth = no
 to smb.conf.
 Then, just restart/reload samba and it should work.

On Fri, Jul 8, 2016 at 8:37 AM, Alan Hughes <alanhughes at e2eservices.co.uk> wrote:
Last night we updated our Samba-4 AD server to version 4.2.14 using the SERNET packages, running on SLES 12. We have a number of services (mail services, MANTIS, etc) that access the server via the LDAP interface and in all cases we discovered that none of them were able to establish a successful LDAP connection after the upgrade.
 
  
 Previously we used plain LDAP to access the server, i.e. we did not use SSL/TLS. However it appears that the Samba-4 server is now insisting on using SSL/TLS regardless of the settings; if I attempt to perform an LDAP query without SSL/TLS I get:
 
  
 ldapsearch -H 'ldap://172.16.6.2:389/' -D *** -w *** -b **
 ldap_bind: Strong(er) authentication required (8)
         additional info: BindSimple: Transport encryption required.
 
  
 Note that this used to work prior to the upgrade.
 
  
 Attempting to access via TLS:
 
  
 ldapsearch -H 'ldap://172.16.6.2:389/' -D *** -w *** -b ** -Z
 ldap_bind: Strong(er) authentication required (8)
         additional info: BindSimple: Transport encryption required.
 
  
 Attempting to access via SSL:
 
  
 ldapsearch -H 'ldaps://172.16.6.2:636/' -D *** -w *** -b **
 ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
 
  
 Note that we have not installed any certificates since we are not wanting to use encrypted connections at the moment.
 
  
 Setting "enable tls = no" in "smb.conf" does not work - we see the same as above.
 
  
 Does anyone have any ideas? I'm stuck on this.
 
  
 Further information (just in case someone thinks it might be useful) - the global section from our "smb.conf" file:
 
  
 [global]
         workgroup = E2E
         realm = AD.CORPORATE.E2E
         netbios name = JANUS
         server role = active directory domain controller
         server services = -dns, -dnsupdate, -winbind, +winbindd
         dns forwarder = 217.13.128.17
         idmap_ldb:use rfc2307 = yes
         idmap config E2E:backend = ad
         idmap config E2E:schema_mode = rfc2307
         idmap config E2E:range = 10000-40000
         idmap config *:backend = tdb
         idmap config *:range = 2000-9999
         winbind nss info = rfc2307
         rpc_server:spoolss = external
         rpc_daemon:spoolssd = fork
 
  
 Port status:
 
  
 tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      12317/samba
 tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      12321/samba
 tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      12321/samba
 tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      12321/samba
 tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      12317/samba
 tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      12323/samba
 tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      12323/samba
 tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      12321/samba
 tcp        0      0 :::1024                 :::*                    LISTEN      12317/samba
 tcp        0      0 :::3268                 :::*                    LISTEN      12321/samba
 tcp        0      0 :::3269                 :::*                    LISTEN      12321/samba
 tcp        0      0 :::389                  :::*                    LISTEN      12321/samba
 tcp        0      0 :::135                  :::*                    LISTEN      12317/samba
 tcp        0      0 :::464                  :::*                    LISTEN      12323/samba
 tcp        0      0 :::88                   :::*                    LISTEN      12323/samba
 tcp        0      0 :::636                  :::*                    LISTEN      12321/samba
  
 Thanks in advance.
 
  
 Alan
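
Added example (not part of the thread and not Samba project code): a small Python check that reads smb.conf text and reports the effective "ldap server require strong auth" value, because the "no" workaround above lets simple binds send the bind password over unencrypted ldap://. It assumes a single file with no include directives or line continuations; the sample configuration is constructed.

```python
import re

# Constructed sample: a [global] section carrying the workaround line from the thread.
SAMPLE_CONF = """\
[global]
        workgroup = E2E
        server role = active directory domain controller
        ; workaround applied after the upgrade
        LDAP Server Require Strong Auth = No

[share]
        ldap server require strong auth = yes
"""

# What each value permits, as described in smb.conf(5).
MEANING = {
    "no": "simple and SASL binds accepted on every transport, including cleartext ldap://",
    "allow_sasl_over_tls": "simple and unsigned SASL binds only inside TLS; cleartext needs SASL sign/seal",
    "yes": "simple binds only inside TLS; cleartext needs SASL sign/seal",
}
# Boolean spellings folded onto the enum values (assumption of this example).
SYNONYMS = {"false": "no", "0": "no", "true": "yes", "1": "yes"}
OPTION = "ldapserverrequirestrongauth"


def strong_auth_setting(conf_text, default="yes"):
    """Return the effective [global] value; `default` is used when the option is unset."""
    section, value = None, default
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, val = line.partition("=")
        # smb.conf ignores case and whitespace inside parameter names
        if sep and section == "global" and re.sub(r"\s+", "", key).lower() == OPTION:
            val = val.strip().lower()
            value = SYNONYMS.get(val, val)  # last assignment wins
    return value


def audit(conf_text):
    """Return (value, exposes_cleartext_simple_bind, explanation)."""
    value = strong_auth_setting(conf_text)
    return value, value == "no", MEANING.get(value, "unrecognised value, check smb.conf(5)")


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A result whose second field is True means the server accepts password binds without transport encryption, so LDAP clients should be moved to StartTLS or ldaps:// before the option is set back to its default.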
 