[Samba] Authenticating against Samba 4 AD LDAP service

Konstantin Boyandin lists at boyandin.info
Thu Sep 6 05:47:02 UTC 2018


Rowland Penny via samba wrote 2018-09-05 16:10:
> On Wed, 05 Sep 2018 15:46:04 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
> 
>> Hello,
>> 
>> One of the Samba 3 -> Samba 4 migration tasks I am solving is changing
>> authentication to go against the new Samba 4 AD domain.
>> 
>> Existing services use the LDAP directory of Samba 3 to authenticate. The
>> simplest way to go would be just to replace the LDAP credentials;
>> however, I don't quite understand which LDAP credentials to use / how
>> to create them for Samba 4 AD.
>> 
>> Sample command against Samba 4 LDAP service:
>> 
>> # ldapsearch -D "cn=Manager,dc=company,dc=lan" -w [password] -H
>> ldap://10.100.0.4 -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
>> returns
>> ldap_bind: Strong(er) authentication required (8)
>> 	additional info: BindSimple: Transport encryption required.
>> 
>> I would appreciate a link to a possible source of wisdom, or
>> explanations in here.
>> 
>> Note: I can do searches using Kerberos authentication on Samba 4
>> installation, like this:
>> 
>> # kinit administrator
>> # ldbsearch -H ldap://dc.ad-lan.com -k yes '(objectclass=person)'
>> 
>> but Kerberos is not an option for some existing services.
>> 
>> Sincerely,
>> Konstantin
>> 
> 
> Try this:
> ldbsearch -U Administrator --password=[password] -H ldap://10.100.0.4
> -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
> 
> NOTE, you can (and probably should) replace '10.100.0.4' with the DC's
> short hostname.

That works, thank you, with the actual domain name in the LDAP URL.

> However, are you sure you cannot use Kerberos ?
> What are your existing services ?

To name the most important ones:

- Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
- Shell (SSH) server (same, using nslcd)
- Apache 2.* LDAP authentication module
- Atlassian Confluence
- GitLab

Sincerely,
Konstantin
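The refusal in the first message and the fix in the reply, as an added example that is not part of the thread: a POSIX sh helper that emits an ldapsearch command line a Samba AD DC will accept. The DC rejects a simple (bind DN plus password) bind over a plain ldap:// connection because the password would cross the wire in cleartext; Samba enforces this through the smb.conf option `ldap server require strong auth`, which defaults to yes. The two ways to satisfy it are to encrypt the transport (ldaps:// or StartTLS) or to bind with SASL/GSSAPI using the ticket from kinit. The host `dc.ad-lan.com`, the service account DN and the search base are constructed placeholders; none of this is Samba project code.

```shell
#!/bin/sh
# Added example, not from the thread: build an ldapsearch command line that a
# Samba AD DC will accept, given that simple binds are only accepted over an
# encrypted transport. Host names, DNs and the search base are constructed
# placeholders in the style of the thread.

# build_ldapsearch METHOD URI BINDDN BASE
#   METHOD "simple": password bind (-x -D BINDDN -W). Accepted over ldaps://
#     as is, and over ldap:// only with -ZZ, which makes ldapsearch abort if
#     StartTLS fails instead of silently continuing in cleartext.
#   METHOD "gssapi": SASL/GSSAPI bind with the ticket from kinit; no bind DN
#     or password at all, so nothing secret appears in the process list.
# -W prompts for the password instead of taking it on the command line,
# where -w would leave it visible to every local user via ps.
# Prints the command on stdout and returns 0; prints nothing and returns 1
# for a combination that would send the password unencrypted or is unknown.
build_ldapsearch() {
    bl_method=$1
    bl_uri=$2
    bl_binddn=$3
    bl_base=$4
    bl_filter='(objectClass=*)'

    case "$bl_method" in
        simple)
            case "$bl_uri" in
                ldaps://*)
                    # Implicit TLS on port 636: already encrypted; -ZZ would
                    # fail here (StartTLS inside an existing TLS session).
                    bl_tls=""
                    ;;
                ldap://*)
                    # Plain port 389: upgrade with StartTLS before the bind.
                    bl_tls=" -ZZ"
                    ;;
                *)
                    return 1
                    ;;
            esac
            printf 'ldapsearch -x%s -H %s -D "%s" -W -b "%s" -s sub "%s"\n' \
                "$bl_tls" "$bl_uri" "$bl_binddn" "$bl_base" "$bl_filter"
            ;;
        gssapi)
            case "$bl_uri" in
                ldap://*|ldaps://*) ;;
                *) return 1 ;;
            esac
            # GSSAPI negotiates a SASL security layer (signing/sealing), which
            # satisfies the DC's strong-auth rule even over plain ldap://.
            # BINDDN is ignored for this method.
            printf 'ldapsearch -Y GSSAPI -H %s -b "%s" -s sub "%s"\n' \
                "$bl_uri" "$bl_base" "$bl_filter"
            ;;
        *)
            return 1
            ;;
    esac
}

# Usage: the two forms from the thread in their accepted variants, plus one
# refused transport. The service account DN is a constructed placeholder.
build_ldapsearch simple 'ldap://dc.ad-lan.com'  'cn=svc-nslcd,cn=Users,dc=ad-lan,dc=com' 'dc=ad-lan,dc=com'
build_ldapsearch simple 'ldaps://dc.ad-lan.com' 'cn=svc-nslcd,cn=Users,dc=ad-lan,dc=com' 'dc=ad-lan,dc=com'
build_ldapsearch gssapi 'ldap://dc.ad-lan.com'  '' 'dc=ad-lan,dc=com'
build_ldapsearch simple 'cldap://dc.ad-lan.com' 'cn=svc-nslcd,cn=Users,dc=ad-lan,dc=com' 'dc=ad-lan,dc=com' \
    || echo "refused: simple bind over cldap:// is not an encrypted transport"
```

The same rule carries over to the services listed above: whichever of nslcd, the Apache LDAP module, Confluence or GitLab keeps using a bind DN and password needs its LDAP URL set to ldaps:// or its StartTLS option enabled, and the bind account should be an ordinary AD user with read access rather than the domain Administrator used in the reply.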
