[Samba] Samba, AD and devices compatibility...

Marco Gaiarin gaio at sv.lnf.it
Tue Mar 13 11:17:32 UTC 2018


I'm trying to test/move some of my LDAP-enabled devices from my actual
OpenLDAP server(s) to my new samba AD domain.

For now, I'm poking with printers, and I'm testing a Konica-Minolta
BizHub C224e.

Defining user authentication to an external source, I can set (between
LDAP, NTLM, NDS, ...) 'Active Directory', and I can/must provide the
domain name.

After that, DNS and Kerberos seem to work, but the actual auth does not:

  1   0.000000   10.5.1.202 -> 10.5.1.25    TCP 74 51004→88 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=89369296 TSecr=0 WS=16
  2   0.000026    10.5.1.25 -> 10.5.1.202   TCP 74 88→51004 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=2012173857 TSecr=89369296 WS=128
  3   0.000163   10.5.1.202 -> 10.5.1.25    TCP 66 51004→88 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=89369296 TSecr=2012173857
  4   0.000470   10.5.1.202 -> 10.5.1.25    KRB5 1546 TGS-REQ
  5   0.000479    10.5.1.25 -> 10.5.1.202   TCP 66 88→51004 [ACK] Seq=1 Ack=1481 Win=32000 Len=0 TSval=2012173857 TSecr=89369296
  6   0.004955    10.5.1.25 -> 10.5.1.202   KRB5 1569 TGS-REP
  7   0.005283   10.5.1.202 -> 10.5.1.25    TCP 66 51004→88 [ACK] Seq=1481 Ack=1449 Win=8736 Len=0 TSval=89369297 TSecr=2012173858
  8   0.005301   10.5.1.202 -> 10.5.1.25    TCP 66 51004→88 [ACK] Seq=1481 Ack=1504 Win=8736 Len=0 TSval=89369297 TSecr=2012173858
  9   0.005485   10.5.1.202 -> 10.5.1.25    TCP 66 51004→88 [FIN, ACK] Seq=1481 Ack=1504 Win=8736 Len=0 TSval=89369297 TSecr=2012173858
 10   0.005559    10.5.1.25 -> 10.5.1.202   TCP 66 88→51004 [FIN, ACK] Seq=1504 Ack=1482 Win=32000 Len=0 TSval=2012173859 TSecr=89369297
 11   0.005700   10.5.1.202 -> 10.5.1.25    TCP 66 51004→88 [ACK] Seq=1482 Ack=1505 Win=8736 Len=0 TSval=89369297 TSecr=2012173859
[...]
 91 1263.249013   10.5.1.202 -> 10.5.1.25    TCP 74 40994→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=89621945 TSecr=0 WS=16
 92 1263.249030    10.5.1.25 -> 10.5.1.202   TCP 74 389→40994 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=2012489669 TSecr=89621945 WS=128
 93 1263.249188   10.5.1.202 -> 10.5.1.25    TCP 66 40994→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=89621946 TSecr=2012489669
 94 1263.254227   10.5.1.202 -> 10.5.1.25    LDAP 80 bindRequest(1) "<ROOT>" simple 
 95 1263.254236    10.5.1.25 -> 10.5.1.202   TCP 66 389→40994 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=2012489671 TSecr=89621947
 96 1263.255860    10.5.1.25 -> 10.5.1.202   LDAP 80 bindResponse(1) success 
 97 1263.256002   10.5.1.202 -> 10.5.1.25    TCP 66 40994→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=89621947 TSecr=2012489671
 98 1263.303918   10.5.1.202 -> 10.5.1.25    LDAP 183 searchRequest(2) "<ROOT>" baseObject 
 99 1263.304298    10.5.1.25 -> 10.5.1.202   LDAP 219 searchResEntry(2) "<ROOT>"  | searchResDone(2) success 
100 1263.304474   10.5.1.202 -> 10.5.1.25    TCP 66 40994→389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=89621957 TSecr=2012489683
101 1263.335183   10.5.1.202 -> 10.5.1.25    LDAP 1515 bindRequest(3) "<ROOT>" sasl 
102 1263.335197    10.5.1.25 -> 10.5.1.202   TCP 66 389→40994 [ACK] Seq=168 Ack=1581 Win=31872 Len=0 TSval=2012489691 TSecr=89621963
103 1263.335947    10.5.1.25 -> 10.5.1.202   LDAP 315 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.) 
104 1263.347943   10.5.1.202 -> 10.5.1.25    LDAP 73 unbindRequest(4) 
105 1263.348287   10.5.1.202 -> 10.5.1.25    TCP 66 40994→389 [FIN, ACK] Seq=1588 Ack=417 Win=7984 Len=0 TSval=89621965 TSecr=2012489691
106 1263.348307    10.5.1.25 -> 10.5.1.202   TCP 66 389→40994 [FIN, ACK] Seq=417 Ack=1589 Win=31872 Len=0 TSval=2012489694 TSecr=89621965
107 1263.348460   10.5.1.202 -> 10.5.1.25    TCP 66 40994→389 [ACK] Seq=1589 Ack=418 Win=7984 Len=0 TSval=89621965 TSecr=2012489694

This means that the printer tries to auth in LDAP 'plain' (no SSL, no
TLS), and so Samba refuses that?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
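
Added example, not part of the original post: a small parser for tshark one-line summaries like the capture above, pairing each LDAP bindRequest with its bindResponse so the mechanism that was refused is visible at a glance. The sample lines are copied from frames 94-103 of the post; the function names are made up for this example, and matching on client, server and message ID (no ports) is a simplification that assumes one LDAP connection per host pair.

```python
import re

# LDAP summary lines copied from the capture in the post (frames 94-103).
SAMPLE = """\
 94 1263.254227   10.5.1.202 -> 10.5.1.25    LDAP 80 bindRequest(1) "<ROOT>" simple
 96 1263.255860    10.5.1.25 -> 10.5.1.202   LDAP 80 bindResponse(1) success
 98 1263.303918   10.5.1.202 -> 10.5.1.25    LDAP 183 searchRequest(2) "<ROOT>" baseObject
101 1263.335183   10.5.1.202 -> 10.5.1.25    LDAP 1515 bindRequest(3) "<ROOT>" sasl
103 1263.335947    10.5.1.25 -> 10.5.1.202   LDAP 315 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.)
"""

LINE = re.compile(r"^\s*(?P<frame>\d+)\s+[\d.]+\s+(?P<src>\S+)\s+->\s+"
                  r"(?P<dst>\S+)\s+LDAP\s+\d+\s+(?P<info>.*)$")
REQ = re.compile(r'bindRequest\((\d+)\)\s+"[^"]*"\s+(\w+)')
RESP = re.compile(r"bindResponse\((\d+)\)\s+(\w+)\s*(.*)")


def ldap_binds(text):
    """Pair each bindRequest with its bindResponse by (client, server, message ID)."""
    pending, binds = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # TCP, KRB5 and other non-LDAP frames
        # One frame can carry several LDAP PDUs joined by " | ".
        for pdu in m["info"].split(" | "):
            req, resp = REQ.search(pdu), RESP.search(pdu)
            if req:
                bind = {"frame": int(m["frame"]), "client": m["src"],
                        "server": m["dst"], "mechanism": req[2],
                        "result": None, "detail": ""}
                pending[(m["src"], m["dst"], req[1])] = bind
                binds.append(bind)
            elif resp:
                # The response travels server -> client, so swap the addresses.
                bind = pending.pop((m["dst"], m["src"], resp[1]), None)
                if bind:
                    bind["result"], bind["detail"] = resp[2], resp[3].strip()
    return binds


def rejected_for_integrity(binds):
    """Binds the server refused with strongAuthRequired."""
    return [b for b in binds if b["result"] == "strongAuthRequired"]


if __name__ == "__main__":
    for b in ldap_binds(SAMPLE):
        print(b["frame"], b["client"], b["mechanism"], b["result"], b["detail"])
```

On the frames above this reports the simple bind in frame 94 as accepted and the SASL bind in frame 101 as the one refused with "Sign or Seal are required".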


