[Samba] Authenticating against Samba 4 AD LDAP service

Rowland Penny rpenny at samba.org
Wed Sep 5 09:10:06 UTC 2018


On Wed, 05 Sep 2018 15:46:04 +0700
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> One of the Samba 3 -> Samba 4 migration tasks I am solving is changing
> authentication against the new Samba 4 AD domain.
> 
> Existing services use LDAP directory of Samba 3 to authenticate. The 
> simplest way to go would be just to replace LDAP credentials;
> however, I don't quite understand which LDAP credentials to use/how
> to create them for Samba 4 AD.
> 
> Sample command against Samba 4 LDAP service:
> 
> # ldapsearch -D "cn=Manager,dc=company,dc=lan" -w [password] -H ldap://10.100.0.4 -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
> returns
> ldap_bind: Strong(er) authentication required (8)
> 	additional info: BindSimple: Transport encryption required.
> 
> I would appreciate a link to possible source of wisdom, or
> explanations in here.
> 
> Note: I can do searches using Kerberos authentication on Samba 4 
> installation, like this:
> 
> # kinit administrator
> # ldbsearch -H ldap://dc.ad-lan.com -k yes '(objectclass=person)'
> 
> but Kerberos is not an option for some existing services.
> 
> Sincerely,
> Konstantin
> 

Try this:
ldbsearch -U Administrator --password=[password] -H ldap://10.100.0.4 -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"

NOTE, you can (and probably should) replace '10.100.0.4' with the DC's
short hostname.

However, are you sure you cannot use Kerberos?
What are your existing services?

Rowland


