[Samba] can't connect ldapsearch with samba 4

Rowland penny rpenny at samba.org
Sun Jun 19 18:14:19 UTC 2016


On 19/06/16 17:55, Trenta sis wrote:
> Hi,
>
> First of all thanks for your answer.
>
> I have tried but it is not working, we receive:
>
> # kinit administrator
> Password for administrator at DOM.COM:
> Warning: Your password will expire in 33 days on Fri 22 Jul 2016 07:52:12
> PM CEST
>
> # ldbsearch -H ldap://debian8DC1 "cb=administrator" -k yes
> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://debian8DC1' with backend 'ldap': (null)
> Failed to connect to ldap://debian8DC1 - (null)
>
> Is it possible to keep the same or a similar configuration to the one used with samba 3 +
> openldap to make queries to ldap? We have many scripts using ldapsearch...
> Is it possible to keep the scripts using ldapsearch?
>
> Thanks
>
>
> 2016-06-17 16:20 GMT+02:00 Trenta sis <trenta.sis at gmail.com>:
>
>> Hi,
>>
>> I'm trying to migrate samba 3 NT domain to samba 4 AD, we have migrated
>> data and it seems correct, but now we need to connect with ldapsearch but
>> always receive errors like
>> ldap_bind: Strong(er) authentication required (8)
>>          additional info: BindSimple: Transport encryption required.
>>
>> command used is
>>   /usr/bin/ldapsearch -H ldap://server  -x -LLL -z 0 -D
>> "uid=user,ou=Users,dc=domain,dc=com" -w "pwd" -b "ou=Users,dc=domain,dc=com"
>>
>> I have tested authentication with ssl from an external application and it
>> works OK and seems correctly configured
>>
>> I have tried to run ldapsearch with ssl and without but always receive
>> errors. Using the ldapadmin client I can connect with gssapi on port 389, but
>> with ldapsearch I can't make it work...
>>
>> how can I query samba 4 AD ldap with ldapsearch?
>>
>>
>> Thanks
>>

OK, I think your search isn't quite right. When I kinit as 
Administrator, then run this:

rowland at devstation:~$ ldbsearch -H ldap://dc1 -b "dc=samdom,dc=example,dc=com" -s sub '(samaccountname=Administrator)' -k yes

I get this:

# record 1
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20151106115615.0Z
uSNCreated: 3545
name: Administrator
objectGUID: fc9d301b-d893-4cc7-8167-8d977c531afb
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
pwdLastSet: 130912845750000000
primaryGroupID: 513
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
adminCount: 1
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
userAccountControl: 66048
accountExpires: 0
lastLogonTimestamp: 131107485215380620
whenChanged: 20160618183521.0Z
uSNChanged: 228749
lastLogon: 131108323871862570
distinguishedName: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# returned 4 records
# 1 entries
# 3 referrals

So you see it does work.

The only other thing I can think of: do you have libpam-krb5 installed on the 
DC & Unix clients?

Rowland
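
[Added example, not part of the thread and not Samba project code.]

To turn Rowland's answer into something the ldapsearch scripts from the
original question can use, the script below builds (and, when given
arguments, runs) an ldapsearch command line that never performs a simple
bind over cleartext ldap://, which is exactly what the DC refuses with
"BindSimple: Transport encryption required". The host
dc1.samdom.example.com, the base DN and the bind DN are assumed
placeholders modelled on Rowland's output; the uid to sAMAccountName
rewrite is an assumption about what the old samba 3 + openldap scripts
were asking for.

```sh
#!/bin/sh
# Added example: safe ldapsearch invocations against a Samba AD DC.
# Assumptions (hypothetical, adapt to your domain): the DC is reachable as
# dc1.samdom.example.com, the base is DC=samdom,DC=example,DC=com, and for
# the TLS modes the DC certificate (or its CA) is trusted by the client.

# ad_ldapsearch_cmd MODE HOST BASE FILTER [BINDDN]
# MODE is one of:
#   gssapi   - Kerberos via SASL on port 389; needs a ticket from kinit first.
#              This is the ldapsearch equivalent of "ldbsearch ... -k yes".
#   starttls - simple bind, but only after -ZZ has forced StartTLS to succeed.
#   ldaps    - simple bind over LDAPS on port 636.
#   plain    - deliberately refused: this is the mode the DC rejects.
# Prints the command line on stdout; returns 2 on bad or unsafe input.
ad_ldapsearch_cmd() {
    mode=$1
    host=$2
    base=$3
    filter=$4
    binddn=${5:-}
    case "$mode" in
        gssapi)
            printf 'ldapsearch -LLL -H ldap://%s -Y GSSAPI -b "%s" "%s"\n' \
                "$host" "$base" "$filter" ;;
        starttls)
            [ -n "$binddn" ] || return 2
            printf 'ldapsearch -LLL -H ldap://%s -ZZ -x -D "%s" -W -b "%s" "%s"\n' \
                "$host" "$binddn" "$base" "$filter" ;;
        ldaps)
            [ -n "$binddn" ] || return 2
            printf 'ldapsearch -LLL -H ldaps://%s -x -D "%s" -W -b "%s" "%s"\n' \
                "$host" "$binddn" "$base" "$filter" ;;
        plain)
            printf 'refused: -x over ldap:// without TLS is what the DC rejects\n' >&2
            return 2 ;;
        *)
            printf 'unknown mode %s\n' "$mode" >&2
            return 2 ;;
    esac
}

# ad_filter FILTER
# Rewrites the OpenLDAP-era "(uid=...)" assertion that samba 3 scripts used
# into sAMAccountName, the AD attribute that actually carries the login name.
# uid exists in Samba AD only where RFC2307 attributes were populated.
ad_filter() {
    printf '%s\n' "$1" | sed 's/(uid=/(sAMAccountName=/g'
}

# Run directly:  sh ad-ldapsearch.sh MODE HOST BASE FILTER [BINDDN]
# e.g. kinit administrator && sh ad-ldapsearch.sh gssapi dc1.samdom.example.com \
#        "DC=samdom,DC=example,DC=com" "$(ad_filter '(uid=administrator)')"
if [ "$#" -ge 4 ]; then
    cmd=$(ad_ldapsearch_cmd "$1" "$2" "$3" "$(ad_filter "$4")" "${5:-}") || exit $?
    printf '%s\n' "$cmd" >&2
    eval "$cmd"
fi
```

Two caveats worth knowing before pointing scripts at this. GSSAPI only
works when the name given to -H matches the DC's ldap/ service principal
and the client has a ticket, so prefer the DC's FQDN over a short name.
For the two TLS modes, -ZZ (rather than -Z) makes a failed or untrusted
StartTLS abort the bind instead of silently continuing in cleartext, and
the client needs the DC certificate or its issuing CA configured (for
OpenLDAP clients, TLS_CACERT in ldap.conf). The server-side knob that
produces "Transport encryption required" is ldap server require strong
auth in smb.conf; leave it at its default of yes and fix the clients rather
than weakening the DC.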
