[Samba] LDAP authentication not working

Rowland Penny rpenny at samba.org
Tue Jul 11 09:37:09 UTC 2017


On Mon, 10 Jul 2017 23:18:28 -0700 (PDT)
Bartra1212 via samba <samba at lists.samba.org> wrote:

> Hi everyone!
> 
> I just upgraded my Samba PDC to an Active Directory (I followed the
> migration instructions on the Samba wiki), without any error message or
> anything. *happy*
> 
> My PDC was running with a bind9 and slapd->openLDAP. I just turned
> both services off and want to use the samba-internal ones.
> 
> My problem now is that I can't log in with my domain members (just
> tried it on my server -> Debian stretch). Here are my details:
> 
> *smb.conf*
> [global]
>         workgroup = EXAMPLE
>         realm = example.com
>         netbios name = PDC
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         dns forwarder = 8.8.8.8
>         interfaces = br0
>         ldap server require strong auth = no
> [netlogon]
>         path = /var/lib/samba/sysvol/example.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> *krb5.conf*
> [libdefaults]
>         default_realm = EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 
> */etc/hosts*
> 127.0.0.1       localhost
> 192.168.0.2    hk-server-01.example.com hk-server-01
> 
> */etc/hostname*
> hk-server-01
> 
> */etc/resolv.conf*
> search example.com
> nameserver 192.168.0.1
> 
> */etc/named.conf*
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> 
> */etc/named.conf.local*
> include "/var/lib/samba/private/named.conf";
> 
> */etc/named.conf.options*
> options {
>         directory "/var/cache/bind";
>         version "0.0.7";
>         notify no;
>         empty-zones-enable no;
>         allow-query { 127.0.0.1; 192.168.0.0/24; };
>         allow-recursion { 192.168.0.0/24;  127.0.0.1/32; };
>         forwarders { 8.8.8.8; };
>         allow-transfer { none; };
>         dnssec-validation no;
>         dnssec-enable no;
> 
>         listen-on-v6 { none; };
>         listen-on port 53 { 192.168.0.2; 127.0.0.1; };
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
> 
> */etc/named.conf.default-zones*
> zone "." {
>         type hint;
>         file "/etc/bind/db.root";
> };
> 
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };
> 
> */etc/nsswitch.conf*
> passwd:         compat ldap
> group:          compat ldap
> shadow:         compat ldap
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 ldap
> networks:       files ldap
> 
> protocols:      db files ldap
> services:       db files ldap
> ethers:         db files ldap
> rpc:            db files ldap
> 
> netgroup:       nis ldap
> aliases:        ldap
> 
> */etc/nslcd.conf*
> uid nslcd
> gid nslcd
> uri ldap://127.0.0.1/
> base dc=example,dc=com
> pagesize 1000
> referrals off
> ldap_version 3
> tls_cacertfile /etc/ssl/certs/ca-certificates.crt
> 
> 
> 
> I tried
> 
> The samba service is running but with a warning:
> ● samba-ad-dc.service - Samba AD Daemon
>    Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
>    Active: active (running) since Mon 2017-07-10 12:12:06 CEST; 3h 11min ago
>      Docs: man:samba(8)
>            man:samba(7)
>            man:smb.conf(5)
>  Main PID: 1247 (samba)
>    Status: "smbd: ready to serve connections..."
>    Memory: 202.4M
>       CPU: 46.634s
>    CGroup: /system.slice/samba-ad-dc.service
>            ├─1247 /usr/sbin/samba
>            ├─1299 /usr/sbin/samba
>            ├─1300 /usr/sbin/samba
>            ├─1301 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>            ├─1302 /usr/sbin/samba
>            ├─1303 /usr/sbin/samba
>            ├─1304 /usr/sbin/samba
>            ├─1305 /usr/sbin/samba
>            ├─1306 /usr/sbin/samba
>            ├─1307 /usr/sbin/samba
>            ├─1308 /usr/sbin/samba
>            ├─1309 /usr/sbin/samba
>            ├─1310 /usr/sbin/samba
>            ├─1311 /usr/sbin/samba
>            ├─1312 /usr/sbin/samba
>            ├─1313 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>            ├─1345 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>            ├─1346 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>            ├─1353 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>            └─1373 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> 
> I just tried this ldapsearch command:
> ldapsearch -H ldap://localhost -x
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # search result
> search: 2
> result: 1 Operations error
> text: 00002020: Operation unavailable without authentication
> 
> # numResponses: 1
> 
> 
> Seems like an authentication problem. As you can see, I added "ldap server
> require strong auth = no" to my smb.conf, but it doesn't work for my
> problem :/ ... Does anyone have a tip for me?
> 
> thanks! 
> 

Is there a reason why you need to use nslcd instead of winbind?

Rowland
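A small triage helper, added here as an example (it is not code from the thread, from Rowland, or from the Samba project), that parses the two artefacts quoted above and states what they actually mean. The `ldapsearch -x` output shows an anonymous simple bind, and the result text `00002020: Operation unavailable without authentication` is the DC refusing to answer an unauthenticated search, not a broken service. The `ldap server require strong auth = no` line is the wrong fix: that parameter does not grant anonymous access, it only allows simple binds without TLS, so it weakens the DC while leaving nslcd's anonymous lookups just as broken. The sample inputs are reconstructed from the quoted post; the function names and finding codes are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the anonymous (-x) ldapsearch output quoted in the thread.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00002020: Operation unavailable without authentication

# numResponses: 1
"""

# Constructed sample: the relevant lines of the smb.conf quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = EXAMPLE
        realm = example.com
        server role = active directory domain controller
        ldap server require strong auth = no
[netlogon]
        path = /var/lib/samba/sysvol/example.com/scripts
"""


def parse_ldapsearch_result(ldif: str) -> Dict[str, object]:
    """Extract the result code, result name, diagnostic text and entry count from ldapsearch output."""
    info: Dict[str, object] = {"result_code": None, "result_name": None, "text": None, "entries": 0}
    for line in ldif.splitlines():
        m = re.match(r"^result:\s+(\d+)\s*(.*)$", line)
        if m:
            info["result_code"] = int(m.group(1))
            info["result_name"] = m.group(2).strip() or None
            continue
        m = re.match(r"^text:\s*(.*)$", line)
        if m:
            info["text"] = m.group(1).strip()
            continue
        if line.startswith("dn:"):  # every returned entry begins with its DN
            info["entries"] = int(info["entries"]) + 1
    return info


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: {section: {parameter: value}}.
    Parameter names are lower-cased with whitespace collapsed, mirroring Samba's
    case- and whitespace-insensitive parameter matching."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def diagnose(ldif: str, smb_conf: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for an anonymous ldapsearch against a Samba AD DC."""
    findings: List[Tuple[str, str]] = []
    res = parse_ldapsearch_result(ldif)
    glob = parse_smb_conf(smb_conf).get("global", {})

    # Result code 1 (operationsError) with AD's 0x2020 text: the bind was anonymous.
    if res["result_code"] == 1 and "00002020" in str(res["text"] or ""):
        findings.append(("ANON_BIND_REJECTED",
                         "The DC refused an unauthenticated search. Directory searches below the rootDSE "
                         "need an authenticated bind: kinit and 'ldapsearch -Y GSSAPI', or a bind DN "
                         "over TLS. nslcd with no bind credentials hits the same refusal."))

    # The parameter the poster added: it relaxes transport security, it does not enable anonymous reads.
    if glob.get("ldap server require strong auth", "yes").lower() in ("no", "false", "0"):
        findings.append(("WEAK_STRONG_AUTH_DISABLED",
                         "'ldap server require strong auth = no' does not permit anonymous searches; it "
                         "only lets clients send simple binds without TLS, exposing passwords on the wire. "
                         "Remove it (default: yes) and authenticate the client instead."))
    return findings


if __name__ == "__main__":
    for code, why in diagnose(SAMPLE_LDIF, SAMPLE_SMB_CONF):
        print(f"{code}: {why}")
```

Run against the quoted output and smb.conf the helper reports both findings; against a config without the weakened parameter it reports only the rejected anonymous bind. On an AD DC the usual answer to the underlying question is the one Rowland raises: let winbind resolve users and groups rather than pointing nslcd at the directory with an unauthenticated bind.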
