[Samba] Authenticating against Samba 4 AD LDAP service
Konstantin Boyandin
lists at boyandin.info
Thu Sep 6 05:47:02 UTC 2018
Rowland Penny via samba писал 2018-09-05 16:10:
> On Wed, 05 Sep 2018 15:46:04 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> One of Samba 3 -> Samba 4 migration task I am solving is changing
>> authentication against new Samba 4 AD domain.
>>
>> Existing services use LDAP directory of Samba 3 to authenticate. The
>> simplest way to go would be just to replace LDAP credentials;
>> however, I don't quite understand which LDAP credentials to use/how
>> to create them for Samba 4 AD.
>>
>> Sample command against Samba 4 LDAP service:
>>
>> # ldapsearch -D "cn=Manager,dc=company,dc=lan" -w [password] -H
>> ldap://10.100.0.4 -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
>> returns
>> ldap_bind: Strong(er) authentication required (8)
>> additional info: BindSimple: Transport encryption required.
>>
>> I would appreciate a link to possible source of wisdom, or
>> explanations in here.
>>
>> Note: I can do searches using Kerberos authentication on Samba 4
>> installation, like this:
>>
>> # kinit administrator
>> # ldbsearch -H ldap://dc.ad-lan.com -k yes '(objectclass=person)'
>>
>> but Kerberos is not an option for some existing services.
>>
>> Sincerely,
>> Konstantin
>>
>
> Try this:
> ldbsearch -U Administrator --password=[password] -H ldap://10.100.0.4
> -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
>
> NOTE, you can (and probably should) replace '10.100.0.4' with the DC's
> short hostname.
That works, thank you, with actual domain name in LDAP URL.
> However, are you sure you cannot use kerberos ?
> What are your existing services ?
to name most important ones:
- Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
- Shell (SSH) server (same, using nslcd)
- Apache 2.* LDAP authentication module
- Atlassian Confluence
- GitLab
Sincerely,
Konstantin
More information about the samba
mailing list