[Samba] LDAP authentication not working
Rowland Penny
rpenny at samba.org
Tue Jul 11 09:37:09 UTC 2017
On Mon, 10 Jul 2017 23:18:28 -0700 (PDT)
Bartra1212 via samba <samba at lists.samba.org> wrote:
> Hi everyone!
>
> I just upgraded my Samba PDC to a active directory (I followed the
> migration instruction of samba-wiki). Without any error message or
> something. *happy*
>
> My PDC was running with a bind9 and slapd->openLDAP. I just turned
> both services off and want to use the samba-internal ones.
>
> My problem now is that I can't login with my domain members (just
> tried it on my server -> debian stretch).here my details:
>
> *smb.com*
> [global]
> workgroup = EXAMPLE
> realm = example.com
> netbios name = PDC
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 8.8.8.8
> interfaces = br0
> ldap server require strong auth = no
> [netlogon]
> path = /var/lib/samba/sysvol/example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> *krb5.conf*
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> */etc/hosts*
> 127.0.0.1 localhost
> 192.168.0.2 hk-server-01.example.com hk-server-01
>
> */etc/hostname*
> hk-server-01
>
> */etc/resolv.conf*
> search example.com
> nameserver 192.168.0.1
>
> */etc/named.conf*
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> */etc/named.conf.local*
> include "/var/lib/samba/private/named.conf";
>
> */etc/named.conf.options*
> options {
> directory "/var/cache/bind";
> version "0.0.7";
> notify no;
> empty-zones-enable no;
> allow-query { 127.0.0.1; 192.168.0.0/24; };
> allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
> forwarders { 8.8.8.8; };
> allow-transfer { none; };
> dnssec-validation no;
> dnssec-enable no;
>
> listen-on-v6 { none; };
> listen-on port 53 { 192.168.0.2; 127.0.0.1; };
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> */etc/named.conf.default-zones*
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> */etc/nsswitch.conf*
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 ldap
> networks: files ldap
>
> protocols: db files ldap
> services: db files ldap
> ethers: db files ldap
> rpc: db files ldap
>
> netgroup: nis ldap
> aliases: ldap
>
> */etc/nslcd.conf*
> uid nslcd
> gid nslcd
> uri ldap://127.0.0.1/
> base dc=example,dc=com
> pagesize 1000
> referrals off
> ldap_version 3
> tls_cacertfile /etc/ssl/certs/ca-certificates.crt
>
>
>
> I tried
>
> The samba service is running but with a warning:
> ● samba-ad-dc.service - Samba AD Daemon
> Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled;
> vendor preset: enabled)
> Active: active (running) since Mon 2017-07-10 12:12:06 CEST; 3h
> 11min ago Docs: man:samba(8)
> man:samba(7)
> man:smb.conf(5)
> Main PID: 1247 (samba)
> Status: "smbd: ready to serve connections..."
> Memory: 202.4M
> CPU: 46.634s
> CGroup: /system.slice/samba-ad-dc.service
> ├─1247 /usr/sbin/samba
> ├─1299 /usr/sbin/samba
> ├─1300 /usr/sbin/samba
> ├─1301 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
> ├─1302 /usr/sbin/samba
> ├─1303 /usr/sbin/samba
> ├─1304 /usr/sbin/samba
> ├─1305 /usr/sbin/samba
> ├─1306 /usr/sbin/samba
> ├─1307 /usr/sbin/samba
> ├─1308 /usr/sbin/samba
> ├─1309 /usr/sbin/samba
> ├─1310 /usr/sbin/samba
> ├─1311 /usr/sbin/samba
> ├─1312 /usr/sbin/samba
> ├─1313 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
> ├─1345 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
> ├─1346 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
> ├─1353 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
> └─1373 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>
> I just tried this ldapsearch command:
> ldapsearch -H ldap://localhost -x
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 1 Operations error
> text: 00002020: Operation unavailable without authentication
>
> # numResponses: 1
>
>
> seems like a authentication problem.As you can see I added"ldap server
> require strong auth = no" to my smb.conf but it don't work for my
> problem :/..........Has anyone a tip for me?
>
> thanks!
>
Is there a reason why you need to use nslcd instead of winbind ?
Rowland
More information about the samba
mailing list