[Samba] LDAP query to Samba AD DC

Yang Yang yy8402 at icloud.com
Fri Dec 16 07:04:26 UTC 2022


I managed to get Apache Directory Studio working by disabling TLSv1.3 along with the TLS connection on port 636 and binding with Administrator.

Does Samba AD DC not support read-only queries on port 389? If it actually can, how should I enable it?

Thanks,
Yang 

> On Dec 16, 2022, at 13:37, Yang Yang <yy8402 at icloud.com> wrote:
> 
> Thank you very much, Nicolas!
> 
> I have been working with the following settings, with user “yang” in “OU=Workspace,DC=supra,DC=local”. 
> 
> I tried ldapsearch, but had no luck making it work, and I also tried Apache Directory Studio, with which I did successfully connect to port 389 but could not get to the base DN (screenshot attached).
> 
> Is there anything I need to “publish” the user for LDAP queries?
> 
> -----------------------
> supra at samba155:~$ sudo systemctl stop samba-ad-dc
> supra at samba155:~$ sudo netstat -anp |grep 636
> supra at samba155:~$ sudo netstat -anp |grep 389
> supra at samba155:~$ cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     dns forwarder = 192.168.0.155
>     netbios name = SAMBA155
>     realm = SUPRA.LOCAL
>     server role = active directory domain controller
>     workgroup = SUPRA
>     tls enabled  = yes
> # When trying to enable tls with self-signed cert, samba failed to restart telling
> # "TLS failed to initialise certfile /etc/samba/tls/tls/ca_crt.pem and keyfile /etc/samba/tls/ca_key.pem - Error while reading file."
> #        tls keyfile  = /etc/samba/tls/ca_key.pem
> #        tls certfile = /etc/samba/tls/tls/ca_crt.pem
> #        tls cafile   =
> 
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
> 
> [netlogon]
>     path = /var/lib/samba/sysvol/supra.local/scripts
>     read only = No
> supra at samba155:~$ sudo systemctl start samba-ad-dc
> supra at samba155:~$ sudo netstat -anp |grep 389
> tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      9675/samba: task[ld
> tcp6       0      0 :::389                  :::*                    LISTEN      9675/samba: task[ld
> udp        0      0 192.168.0.155:389       0.0.0.0:*                           9678/samba: task[cl
> udp        0      0 0.0.0.0:389             0.0.0.0:*                           9678/samba: task[cl
> udp6       0      0 :::389                  :::*                                9678/samba: task[cl
> unix  2      [ ]         DGRAM                    683890   9709/smbd            /var/lib/samba/private/msg.sock/9709
> supra at samba155:~$ sudo netstat -anp |grep 636
> tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      9675/samba: task[ld
> tcp6       0      0 :::636                  :::*                    LISTEN      9675/samba: task[ld
> supra at samba155:~$ sudo samba-tool user show yang
> dn: CN=yang,OU=Workspace,DC=supra,DC=local
> ...
> userPrincipalName: yang at supra.local
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=supra,DC=local
> ...
> distinguishedName: CN=yang,OU=Workspace,DC=supra,DC=local
> supra at samba155:~$ openssl s_client -showcerts -connect samba155.supra.local:636
> CONNECTED(00000003)
> ...
> Verify return code: 21 (unable to verify the first certificate)
> ---
> ^C
> supra at samba155:~$ sudo ldapsearch -H ldaps://samba155.supra.local:636 -b 'OU=Workspace,DC=supra,DC=local'
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>     additional info: (unknown error code)
> supra at samba155:~$ sudo ldapsearch -H ldap://samba155.supra.local:389 -b 'OU=Workspace,DC=supra,DC=local'
> SASL/NTLM authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>     additional info: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1
> supra at samba155:~$ sudo ldapsearch -ZZ -H ldaps://samba155.supra.local:636 -b 'OU=Workspace,DC=supra,DC=local'
> ldap_start_tls: Can't contact LDAP server (-1)
>     additional info: (unknown error code)
> supra at samba155:~$ sudo ldapsearch -ZZ -H ldap://samba155.supra.local:389 -b 'OU=Workspace,DC=supra,DC=local'
> ldap_start_tls: Connect error (-11)
>     additional info: (unknown error code)
> 
> <Screen Shot 2022-12-16 at 13.17.23.png>
> 
> Thanks,
> Yang
> 
>> On Dec 16, 2022, at 07:09, Nicolas Canonne via samba <samba at lists.samba.org> wrote:
>> 
>> 
>> On 16/12/2022 at 02:28, Yang Yang via samba wrote:
>>> Hello,
>>> 
>>> When Samba is set up as an Active Directory Domain Controller, can it respond to LDAP queries?
>>> 
>>> I set up Samba as an Active Directory Domain Controller, following the guide in the Samba wiki <https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller>, and I can add Windows machines and log in with Samba users, as expected. However, when I tried an LDAP query to any base DN, the answer was always "No such object".
>>> 
>>> Does Samba as an Active Directory Domain Controller support LDAP queries? Is there something else I shall do to make it work?
>> On a DC itself that uses smb.domain.ext, I use something like:
>> 
>> server at dc1:~$ sudo ldapsearch -ZZ -H ldap://dc1.smb.domain.ext:389 -b 'DC=smb,DC=domain,DC=ext' -D 'SMB\Administrator' -w 'mysecretadminpassword'
>> 
>> It tells you to use TLS (required).
>> 
>> On Ubuntu ldapsearch is in ldap-utils, so installed via:
>> 
>> server at dc1:~$ sudo apt install ldap-utils
>> 
>>> 
>>> If LDAP queries are not supported by Samba as an Active Directory Domain Controller, is there any solution to have a Domain Controller that supports LDAP queries?
>>> 
>>> Thanks,
>>> Yang
>> 
>> Hope this helps.
>> 
>> Nicolas
>> 
>> 
>> Electronico
>> NEW-CALEDONIA (South Pacific)
>> 
>> 
>> 
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
> 
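Two of the failures quoted in this thread are diagnosable offline: the "TLS failed to initialise certfile ... Error while reading file" restart error (the smb.conf above points the certfile at /etc/samba/tls/tls/ca_crt.pem, with a doubled "tls/" component, while the keyfile path has only one), and the "Invalid credentials (49) ... data 52e" bind result, whose AD data code says why the bind was refused. The script below is an added example, not code from the thread or from the Samba project: it parses a constructed smb.conf fragment, resolves the TLS file settings the way Samba does (defaults tls/key.pem and tls/cert.pem per smb.conf(5), relative paths resolved against the private dir), checks that the files exist, are readable and that the private key is not readable by other users, and decodes the well-known AD bind data codes. The conf text and the temporary file layout are constructed here.

```python
"""Offline diagnostics for two symptoms from the thread: Samba refusing to start
because a TLS file cannot be read, and an LDAP bind ending in
'Invalid credentials (49)' with an AD 'data' code.  Added example: the smb.conf
text and the file layout are constructed here, not taken from a real DC."""
import os
import re
import tempfile

# Samba defaults per smb.conf(5); a relative value resolves against 'private dir'.
TLS_DEFAULTS = {"tls keyfile": "tls/key.pem", "tls certfile": "tls/cert.pem"}

# Well-known AD bind 'data' codes that accompany LDAP result 49 (invalid credentials).
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials: wrong password or badly formed user name",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def parse_global(conf_text):
    """Return the [global] section as a dict; keys are lower-cased with single spaces."""
    settings, in_global = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # smb.conf comments start the line with '#' or ';'
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            settings[" ".join(key.lower().split())] = value.strip()
    return settings


def check_tls_config(settings, private_dir):
    """List the problems Samba would hit when loading the configured TLS material."""
    problems = []
    if settings.get("tls enabled", "yes").lower() not in ("yes", "true", "1"):
        return ["tls enabled is off: neither ldaps://:636 nor StartTLS on 389 will work"]
    to_check = dict(TLS_DEFAULTS)
    if settings.get("tls cafile"):  # the CA file is optional; check it only if set
        to_check["tls cafile"] = settings["tls cafile"]
    for key, default in to_check.items():
        value = settings.get(key, default)
        path = value if os.path.isabs(value) else os.path.join(private_dir, value)
        if not os.path.isfile(path):
            problems.append(f"{key}: {path} does not exist")
        elif not os.access(path, os.R_OK):
            problems.append(f"{key}: {path} is not readable by this process")
        elif key == "tls keyfile" and os.stat(path).st_mode & 0o077:
            problems.append(f"{key}: {path} is readable by group/others; use mode 0600")
        parts = [p for p in path.split(os.sep) if p]
        if any(a == b for a, b in zip(parts, parts[1:])):
            problems.append(f"{key}: {path} repeats a path component (typo?)")
    return problems


def explain_bind_error(diagnostic):
    """Translate the AD 'data' code in an LDAP result-49 diagnostic into plain words."""
    m = DATA_RE.search(diagnostic)
    if not m:
        return None
    code = m.group(1).lower()
    return AD_BIND_DATA.get(code, f"unrecognised data code {code}")


# Constructed smb.conf fragment shaped like the one in the thread (note 'tls/tls').
BROKEN_CONF = """\
[global]
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    tls enabled  = yes
    tls keyfile  = tls/ca_key.pem
    tls certfile = tls/tls/ca_crt.pem
"""


def run_demo():
    """Build a throwaway private dir, check the broken conf, then the corrected one."""
    with tempfile.TemporaryDirectory() as private_dir:
        os.makedirs(os.path.join(private_dir, "tls"))
        key_path = os.path.join(private_dir, "tls", "ca_key.pem")
        with open(key_path, "w") as f:
            f.write("-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n")
        os.chmod(key_path, 0o600)
        before = check_tls_config(parse_global(BROKEN_CONF), private_dir)
        # Fix the path typo and provide the certificate that belongs to the key.
        fixed_conf = BROKEN_CONF.replace("tls/tls/ca_crt.pem", "tls/ca_crt.pem")
        with open(os.path.join(private_dir, "tls", "ca_crt.pem"), "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n")
        after = check_tls_config(parse_global(fixed_conf), private_dir)
    bind = explain_bind_error(
        "additional info: 8009030C: LdapErr: DSID-0C0904DC, comment: "
        "AcceptSecurityContext error, data 52e, v1db1")
    return {"before": before, "after": after, "bind": bind}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Run it against a real DC by calling `check_tls_config(parse_global(open("/etc/samba/smb.conf").read()), "/var/lib/samba/private")` as a user that can read the private dir. Fixing the file path keeps TLS available, which matters because with Samba's default `ldap server require strong auth = yes` a simple bind is refused over a plaintext connection but accepted over StartTLS on 389 or ldaps on 636; disabling TLS to make a client connect trades that protection away, and a read-only query account with no admin rights is a better bind identity than Administrator. A 52e from ldapsearch without `-D` simply means the SASL/NTLM default identity did not match any AD user; supply `-D 'DOMAIN\user'` (or the UPN) with `-W`.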