[Samba] Samba update to 4.2.14 (SERNET) breaks LDAP access
Alan Hughes
alanhughes at e2eservices.co.uk
Fri Jul 8 12:01:56 UTC 2016
Yep that fixed it. I found out (at the same time as the reply Guilherme arrived in my inbox) that option was added in 4.2.10. Added to smb.conf and everything is now working again.
Alan
-----Original message-----
From:Guilherme Boing <kolt+samba at frag.com.br>
Sent:Fri 08-07-2016 12:59
Subject:Re: [Samba] Samba update to 4.2.14 (SERNET) breaks LDAP access
To:Alan Hughes <alanhughes at e2eservices.co.uk>;
CC:samba at lists.samba.org;
Hello Alan,
I had the same issue and I needed to add this line:
ldap server require strong auth = no
to smb.conf.
Then, just restart/reload samba and it should work.
On Fri, Jul 8, 2016 at 8:37 AM, Alan Hughes <alanhughes at e2eservices.co.uk> wrote:
Last night we updated out Samba-4 AD server to version 4.2.14 usng the SERNEt packages, running on SLES 12. We have a number of services (mail services, MANTIS, etc) that access the server via the LDAP interface and in all cases we discovered that none of them where able to establish a successful LDAP connection after the upgrade.
Previously we used plain LDAP to access the server, i.e. we did not use SSL/TLS. However it appears that the Samba-4 server is now insisting on using SSL/TLS regardless of the settings; if I attempt to perform an LDAP query without SSL/TLS I get:
ldapsearch -H 'ldap://172.16.6.2:389/' -D *** -w *** -b **
ldap_bind: Strong(er) authentication required (8)
additional info: BindSimple: Transport encryption required.
Note that this used to work prior to the upgrade.
Attempting to access via TLS:
ldapsearch -H 'ldap://172.16.6.2:389/' -D *** -w *** -b ** -Z
ldap_bind: Strong(er) authentication required (8)
additional info: BindSimple: Transport encryption required.
Attempting to access via SSL:
ldapsearch -H 'ldaps://172.16.6.2:636/' -D *** -w *** -b **
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Note that we have not installed any certificates since we are not wanting to use encrypted connections at the moment.
Setting "enable tls = no" in "smb.conf" does not work - we see the same as above.
Does anyone have any ideas? I'm stuck on this.
Further information (just in case someone thinks it might be useful - the global section from our "smb.conf" file:
[global]
workgroup = E2E
realm = AD.CORPORATE.E2E
netbios name = JANUS
server role = active directory domain controller
server services = -dns, -dnsupdate, -winbind, +winbindd
dns forwarder = 217.13.128.17
idmap_ldb:use rfc2307 = yes
idmap config E2E:backend = ad
idmap config E2E:schema_mode = rfc2307
idmap config E2E:range = 10000-40000
idmap config *:backend = tdb
idmap config *:range = 2000-9999
winbind nss info = rfc2307
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
Port status:
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 12317/samba
tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 12321/samba
tcp 0 0 0.0.0.0:3269 0.0.0.0:* LISTEN 12321/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 12321/samba
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 12317/samba
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 12323/samba
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 12323/samba
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 12321/samba
tcp 0 0 :::1024 :::* LISTEN 12317/samba
tcp 0 0 :::3268 :::* LISTEN 12321/samba
tcp 0 0 :::3269 :::* LISTEN 12321/samba
tcp 0 0 :::389 :::* LISTEN 12321/samba
tcp 0 0 :::135 :::* LISTEN 12317/samba
tcp 0 0 :::464 :::* LISTEN 12323/samba
tcp 0 0 :::88 :::* LISTEN 12323/samba
tcp 0 0 :::636 :::* LISTEN 12321/samba
Thanks in advance.
Alan
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list