[Samba] Samba v3 works with LDAP, but not Samba v4

Michal Michal67M at seznam.cz
Tue Oct 16 19:24:11 UTC 2018


I cannot see any LDAP call; did you try to tcpdump for LDAP packets?

Michal

On Tue, 16 Oct 2018 at 21:14, Emil Henry via samba <samba at lists.samba.org> wrote:

> Hello!
>
> We have Samba v3 (3.5.10) working against an LDAP server, and need to
> upgrade to Samba v4 (4.7.1), RHEL 7 supports only v4. Tried multiple
> configs of the smb.conf (including the old config) without success. Cleaned
> up smb.conf is below. Also, included is the output of a smbclient command
> on the SMBServer with debug option 10. Hoping that someone can point me in
> the right direction.
>
> Thanks
>
> [global]
>         security = user
>         ldap user suffix = ou=people
>         ldap group suffix = ou=groups
>         ldap ssl = off
>         ldap passwd sync = yes
>         ldap delete dn = no
>         workgroup = WORKGROUP
>         server string = "Samba Drives"
>         netbios name = SMBServer
>         log file = /var/log/samba/log.%m
>
> # For debugging enable the log level of 5
>         log level = 5
>         max log size = 50
>
> # LDAP Settings
>         ldap suffix = "o=EXAMPLE"
>         ldap admin dn = "cn=PUSer,ou=Proxies,ou=Auth,o=EXAMPLE"
>         passdb backend = ldapsam:ldap://ldapserver.example.com
>
> [homes]
>         valid users = %S
>         read only = No
>         writeable = yes
>         browseable = no
>         create mask = 0600
>         public = No
>         comment = %u's Z-Drive
>         nt acl support = no
>         inherit permissions = no
>         hide dot files = yes
>         directory mask = 0700
>         force create mode = 0700
>         valid users = MYDOMAIN\%S
>
>
> --------------------------------------------------------------------------------------------------
> [root at SMBServer samba]# smbclient //localhost/share -U johndoe -d 10
> INFO: Current debug levels:
>   all: 10
>   tdb: 10
>   printdrivers: 10
>   lanman: 10
>   smb: 10
>   rpc_parse: 10
>   rpc_srv: 10
>   rpc_cli: 10
>   passdb: 10
>   sam: 10
>   auth: 10
>   winbind: 10
>   vfs: 10
>   idmap: 10
>   quota: 10
>   acls: 10
>   locking: 10
>   msdfs: 10
>   dmapi: 10
>   registry: 10
>   scavenger: 10
>   dns: 10
>   ldb: 10
>   tevent: 10
>   auth_audit: 10
>   auth_json_audit: 10
>   kerberos: 10
>   drs_repl: 10
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
>   all: 10
>   tdb: 10
>   printdrivers: 10
>   lanman: 10
>   smb: 10
>   rpc_parse: 10
>   rpc_srv: 10
>   rpc_cli: 10
>   passdb: 10
>   sam: 10
>   auth: 10
>   winbind: 10
>   vfs: 10
>   idmap: 10
>   quota: 10
>   acls: 10
>   locking: 10
>   msdfs: 10
>   dmapi: 10
>   registry: 10
>   scavenger: 10
>   dns: 10
>   ldb: 10
>   tevent: 10
>   auth_audit: 10
>   auth_json_audit: 10
>   kerberos: 10
>   drs_repl: 10
> Processing section "[global]"
> doing parameter security = user
> doing parameter ldap user suffix = ou=people
> doing parameter ldap group suffix = ou=groups
> doing parameter ldap ssl = off
> doing parameter ldap passwd sync = yes
> doing parameter ldap delete dn = no
> doing parameter workgroup = WORKGROUP
> doing parameter server string = "A Drives"
> doing parameter netbios name = SMBServer
> doing parameter log file = /var/log/samba/log.%m
> doing parameter log level = 5
> doing parameter max log size = 50
> doing parameter ldap suffix = "o=EXAMPLE"
> doing parameter ldap admin dn = "cn=cecs,ou=Proxies,ou=Auth,o=EXAMPLE"
> doing parameter passdb backend = ldapsam:ldap://ldapserver.example.com
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> added interface enp7s0f1 ip=192.168.2.192 bcast=192.168.2.255
> netmask=255.255.255.0
> added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255
> netmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="SMBServer"
> Client started (version 4.7.1).
> Opening cache file at /var/lib/samba/gencache.tdb
> Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
> Adding cache entry with key=[AD_SITENAME/DOMAIN/] and timeout=[Wed Dec 31
> 04:00:00 PM 1969 PST] (-1539716622 seconds in the past)
> sitename_fetch: No stored sitename for realm ''
> internal_resolve_name: looking up localhost#20 (sitename (null))
> name localhost#20 found.
> remove_duplicate_addrs2: looking for duplicate address/port pairs
> Connecting to 127.0.0.1 at port 445
> Socket options:
>         SO_KEEPALIVE = 0
>         SO_REUSEADDR = 0
>         SO_BROADCAST = 0
>         TCP_NODELAY = 1
>         TCP_KEEPCNT = 9
>         TCP_KEEPIDLE = 7200
>         TCP_KEEPINTVL = 75
>         IPTOS_LOWDELAY = 0
>         IPTOS_THROUGHPUT = 0
>         SO_REUSEPORT = 0
>         SO_SNDBUF = 2626560
>         SO_RCVBUF = 1061296
>         SO_SNDLOWAT = 1
>         SO_RCVLOWAT = 1
>         SO_SNDTIMEO = 0
>         SO_RCVTIMEO = 0
>         TCP_QUICKACK = 1
>         TCP_DEFER_ACCEPT = 0
>  session request ok
>  negotiated dialect[SMB3_11] against server[localhost]
> got OID=1.3.6.1.4.1.311.2.2.10
> Enter EXAMPLE.COM\johndoe's password:
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism ntlmssp
>      negotiate: struct NEGOTIATE_MESSAGE
>         Signature                : 'NTLMSSP'
>         MessageType              : NtLmNegotiate (1)
>         NegotiateFlags           : 0x62088215 (1644724757)
>                1: NTLMSSP_NEGOTIATE_UNICODE
>                0: NTLMSSP_NEGOTIATE_OEM
>                1: NTLMSSP_REQUEST_TARGET
>                1: NTLMSSP_NEGOTIATE_SIGN
>                0: NTLMSSP_NEGOTIATE_SEAL
>                0: NTLMSSP_NEGOTIATE_DATAGRAM
>                0: NTLMSSP_NEGOTIATE_LM_KEY
>                0: NTLMSSP_NEGOTIATE_NETWARE
>                1: NTLMSSP_NEGOTIATE_NTLM
>                0: NTLMSSP_NEGOTIATE_NT_ONLY
>                0: NTLMSSP_ANONYMOUS
>                0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>                0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>                0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>                1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>                0: NTLMSSP_TARGET_TYPE_DOMAIN
>                0: NTLMSSP_TARGET_TYPE_SERVER
>                0: NTLMSSP_TARGET_TYPE_SHARE
>                1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>                0: NTLMSSP_NEGOTIATE_IDENTIFY
>                0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>                0: NTLMSSP_NEGOTIATE_TARGET_INFO
>                1: NTLMSSP_NEGOTIATE_VERSION
>                1: NTLMSSP_NEGOTIATE_128
>                1: NTLMSSP_NEGOTIATE_KEY_EXCH
>                0: NTLMSSP_NEGOTIATE_56
>         DomainNameLen            : 0x0000 (0)
>         DomainNameMaxLen         : 0x0000 (0)
>         DomainName               : *
>             DomainName               : ''
>         WorkstationLen           : 0x0000 (0)
>         WorkstationMaxLen        : 0x0000 (0)
>         Workstation              : *
>             Workstation              : ''
>         Version: struct ntlmssp_VERSION
>             ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
>             ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
>             ProductBuild             : 0x0000 (0)
>             Reserved: ARRAY(3)
>                 [0]                      : 0x00 (0)
>                 [1]                      : 0x00 (0)
>                 [2]                      : 0x00 (0)
>             NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
> Got challenge flags:
> Got NTLMSSP neg_flags=0x628a8215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_TARGET_TYPE_SERVER
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_TARGET_INFO
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> short string '', sent with NULL termination despite NOTERM flag in IDL
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> SPNEGO login failed: The attempted logon is invalid. This is either due to
> a bad username or authentication information.
> session setup failed: NT_STATUS_LOGON_FAILURE
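Michal's suggestion to look for LDAP packets, as an added shell example that is not from either poster: it derives the tcpdump capture filter from the posted smb.conf's passdb backend and ldap ssl settings, and flags the case where the admin DN bind is sent in clear text. The smb.conf excerpt is copied from the post; the function names are my own, and the script assumes Samba's documented default of "ldap ssl = start tls" when the parameter is absent.

```shell
#!/bin/sh
# Added example, not from the thread: derive the tcpdump filter that shows
# whether smbd really reaches the LDAP server named in smb.conf.
# Constructed smb.conf excerpt, copied from the posted [global] section.
SMB_CONF='[global]
        security = user
        ldap ssl = off
        ldap suffix = "o=EXAMPLE"
        ldap admin dn = "cn=PUSer,ou=Proxies,ou=Auth,o=EXAMPLE"
        passdb backend = ldapsam:ldap://ldapserver.example.com
'
# smb_param CONF NAME -> value of the first "NAME = value" line (quotes kept).
smb_param() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}
# ldap_url CONF -> URL part of "passdb backend = ldapsam:<url>"; empty if not ldapsam.
ldap_url() {
    smb_param "$1" 'passdb backend' | sed -n 's/^ldapsam:\(.*\)$/\1/p'
}
# ldap_host URL -> host name; ldap_port URL -> explicit port, else 389/636 by scheme.
ldap_host() {
    printf '%s\n' "$1" | sed 's#^ldaps\{0,1\}://##; s#[/:].*$##'
}
ldap_port() {
    case "$1" in
        *://*:[0-9]*) printf '%s\n' "$1" | sed 's#^[a-z]*://[^:/]*:\([0-9]*\).*#\1#' ;;
        ldaps://*)    echo 636 ;;
        *)            echo 389 ;;
    esac
}
# tcpdump_filter CONF -> capture filter for the LDAP leg of a logon (fails if no ldapsam).
tcpdump_filter() {
    url=$(ldap_url "$1")
    [ -n "$url" ] || return 1
    printf 'host %s and tcp port %s\n' "$(ldap_host "$url")" "$(ldap_port "$url")"
}

# bind_is_cleartext CONF -> true when the admin DN's simple bind crosses the wire
# unencrypted: a plain ldap:// URL with "ldap ssl = off" (Samba's default is start tls).
bind_is_cleartext() {
    case "$(ldap_url "$1")" in ldaps://*) return 1 ;; esac
    case "$(smb_param "$1" 'ldap ssl')" in off|no) return 0 ;; *) return 1 ;; esac
}

if filter=$(tcpdump_filter "$SMB_CONF"); then
    echo "tcpdump -nn -i any '$filter'"   # run this on the Samba host while logging on
    bind_is_cleartext "$SMB_CONF" &&
        echo "note: ldap ssl = off over ldap://, so the bind (and its password) is visible in the capture"
fi
```

If the capture stays empty while smbclient fails with NT_STATUS_LOGON_FAILURE, smbd never consulted the LDAP server, which narrows the problem to the local passdb configuration rather than the directory.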