Discussion:
[Samba] Samba43 on FreeBSD 10.3 ldap db contents
James B. Byrne
2016-07-06 20:27:02 UTC
I am working through the book _Implementing Samba 4_ and revalidating
my existing install. I am at the point where I need to check the
contents of the ldap database. The instructions in the book say to do
this:

ldapsearch -x -h localhost -s base - \
Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
-W

Which produces this output:

# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: -
Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
-W
#

#
dn:

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Which I take to be a success given the result. But this does not ask
for the Password as I expected. Moving the -W switch to before the
subject name results in a password prompt but entering the
Administrator password fails authentication:

ldapsearch -vv -x -h localhost -s base -W -
Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
ldap_initialize( ldap://localhost )
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE


What am I doing wrong? I am trying all this as the root user. There
is no Administrator user in /etc/passwd. Are the credentials being
requested those for the root user or for the Administrator user?
Neither work. Why is it succeeding when no password is requested? If
I do a klist then this is the result:

klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ***@DOMAIN-02.HARTE-LYNE.CA

Issued Expires Principal
Jul 6 15:11:53 2016 Jul 7 01:11:53 2016
krbtgt/DOMAIN-02.HARTE-***@DOMAIN-02.HARTE-LYNE.CA


is this where ldap is getting its authentication?

I request your indulgence with respect to these questions. It has been
about 15 years since I last set up an AD-DC and I have zero previous
experience with Samba.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne mailto:***@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
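A way to read that ldapsearch output mechanically, added here as an example and not part of the thread: the parser below pulls the base, scope, filter, attribute list and result code out of the comment header that ldapsearch prints in extended LDIF mode. The sample is the output quoted in the question. The `# requesting:` line is ldapsearch's echo of the attribute list it was asked to return, and ldapsearch takes everything after the first non-option argument as attribute names; the diagnosis function below flags attribute names that look like options or DNs on that basis (my reading of the output, not a statement from the thread).

```python
"""Parse the comment header of ldapsearch's "extended LDIF" output and
report what the client actually asked the server for."""
import re

# Constructed from the ldapsearch output quoted in the question above.
SAMPLE = """\
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: -
Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
-W
#

#
dn:

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def parse_header(text):
    """Return base, scope, filter, requested attributes and the result code."""
    info = {"base": None, "scope": None, "filter": None,
            "requesting": [], "result": None}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = re.match(r"# base <(.*)>.*scope (\w+)", line)
        if m:
            info["base"], info["scope"] = m.group(1), m.group(2)
        m = re.match(r"# filter: (.*)", line)
        if m:
            info["filter"] = m.group(1)
        m = re.match(r"# requesting: (.*)", line)
        if m:
            # ldapsearch prints the attribute list space-separated on one
            # line; a mail client may have wrapped it, so keep collecting
            # until the next comment line or blank line.
            attrs = m.group(1).split()
            i += 1
            while i < len(lines) and lines[i] and not lines[i].startswith("#"):
                attrs.extend(lines[i].split())
                i += 1
            info["requesting"] = attrs
            continue
        m = re.match(r"result: (\d+) (.*)", line)
        if m:
            info["result"] = int(m.group(1))
        i += 1
    return info


def diagnose(info):
    """Explain the header in plain words; returns a list of findings."""
    findings = []
    # Attribute descriptions never contain '=' and never start with '-';
    # anything like that in the request list was meant as an option or DN.
    misplaced = [a for a in info["requesting"]
                 if a.startswith("-") or "=" in a]
    if misplaced:
        findings.append(
            "treated as attribute names, not options: %s "
            "(no bind DN was set, so no password was requested)"
            % ", ".join(misplaced))
    if info["base"] == "" and info["scope"] == "baseObject":
        findings.append(
            "empty base with scope base reads only the root DSE, "
            "which an AD DC serves to unauthenticated clients")
    if info["result"] == 0:
        findings.append("server returned success (result 0)")
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_header(SAMPLE)):
        print("-", f)
```

The combination "result: 0 Success" with an empty `dn:` entry is therefore a successful anonymous read of the root DSE, not evidence that the Administrator credentials were accepted.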
Achim Gottinger
2016-07-06 22:01:13 UTC
If you want to stick with ldap-tools instead of ldb-tools you have a few
options.

1. Use TLS and the samba CA Cert.

Add

TLS_CACERT /var/lib/samba/private/tls/ca.pem

To /etc/ldap/ldap.conf, the path to the file may be different on your
machine.

If the Cert is expired and you do not want to renew it you may also use

TLS_REQCERT allow

Instead.
Now add the -Z option to your ldapsearch parameters and the query should
succeed.

2. Use GSSAPI

Add

SASL_MECH gssapi

to /etc/ldap/ldap.conf

Run kinit Administrator
Afterwards ldapsearch works without -W -x (-Z).

3. Allow simple binds (insecure)

Add

ldap server require strong auth = no

to smb.conf, restart samba and your queries should work unmodified.
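To see what the three options above change on each side, here is an added audit script (mine, not from the list or from the Samba project) that reads the client-side ldap.conf keys named in the reply and the `ldap server require strong auth` parameter from the [global] section of an smb.conf. It assumes the documented defaults, `yes` for that Samba parameter and `demand` for TLS_REQCERT, and works on constructed sample files rather than real ones.

```python
"""Audit ldap.conf (client) and smb.conf (server) for how an LDAP bind
to a Samba AD DC will be protected: TLS with the Samba CA, GSSAPI, or
plaintext simple binds."""

# Constructed sample files matching the three options in the reply above.
LDAP_CONF_TLS = """\
# option 1: pin the Samba CA so the DC certificate is verified
BASE dc=example,dc=test
TLS_CACERT /var/lib/samba/private/tls/ca.pem
"""
LDAP_CONF_LAX = "TLS_REQCERT allow\n"       # encrypted, but peer not verified
LDAP_CONF_GSSAPI = "SASL_MECH gssapi\n"     # option 2: Kerberos ticket from kinit

SMB_CONF_WEAK = """\
[global]
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    ldap server require strong auth = no
"""
SMB_CONF_DEFAULT = """\
[global]
    server role = active directory domain controller
"""


def parse_ldap_conf(text):
    """ldap.conf holds 'KEY value' lines; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) == 2 else ""
    return opts


def parse_smb_global(text):
    """Return the [global] section of an smb.conf as a dict of normalised keys."""
    opts, in_global = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and collapses whitespace in parameter names.
            opts[" ".join(key.lower().split())] = value.strip()
    return opts


def audit(ldap_conf, smb_conf):
    """Summarise how a bind from this client to this DC would be protected."""
    client = parse_ldap_conf(ldap_conf)
    server = parse_smb_global(smb_conf)
    # Assumed documented defaults: Samba "yes", ldap.conf TLS_REQCERT "demand".
    strong = server.get("ldap server require strong auth", "yes").lower()
    reqcert = client.get("TLS_REQCERT", "demand").lower()
    mode = None
    if client.get("SASL_MECH", "").lower() == "gssapi":
        mode = "gssapi"
    elif "TLS_CACERT" in client or "TLS_REQCERT" in client:
        mode = "tls"
    return {
        "server_accepts_plaintext_simple_bind": strong in ("no", "false", "0"),
        "client_mode": mode,
        # "allow" and "never" both let the session proceed with an
        # unverified or absent server certificate.
        "client_verifies_server_cert": reqcert not in ("allow", "never"),
    }


if __name__ == "__main__":
    for name, (lc, sc) in {"tls": (LDAP_CONF_TLS, SMB_CONF_DEFAULT),
                           "lax": (LDAP_CONF_LAX, SMB_CONF_WEAK),
                           "gssapi": (LDAP_CONF_GSSAPI, SMB_CONF_DEFAULT)}.items():
        print(name, audit(lc, sc))
```

Option 3 is the one the audit flags on the server side: with `ldap server require strong auth = no` a simple bind carries the Administrator password across the wire unencrypted. `TLS_REQCERT allow` is the client-side shortcut to watch for: the session is encrypted, but the client no longer checks who it is talking to, which is why renewing the CA certificate and pinning it with TLS_CACERT is the better fix.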