Hai,

Please read :

https://www.samba.org/samba/history/
from 12 April 2016 and below that.
Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases Available for Download

What you see is correct.

And
Then set :
ldap server require strong auth = no

but please read the change logs it explains all.

Greetz,

Louis

Yep that fixed it. I found out (at the same time as the reply Guilherme arrived in my inbox)  that option was added in 4.2.10. Added to smb.conf and everything is now working again.

 
Alan
 
-----Original message-----
From:Guilherme Boing <kolt+***@frag.com.br>
Sent:Fri 08-07-2016 12:59
Subject:Re: [Samba] Samba update to 4.2.14 (SERNET) breaks LDAP access
To:Alan Hughes <***@e2eservices.co.uk>;
CC:***@lists.samba.org;

Hello Alan,
 I had the same issue and I needed to add this line:
ldap server require strong auth = no
 to smb.conf.
 Then, just restart/reload samba and it should work.

On Fri, Jul 8, 2016 at 8:37 AM, Alan Hughes <***@e2eservices.co.uk> wrote:
Last night we updated out Samba-4 AD server to version 4.2.14 usng the SERNEt packages, running on SLES 12. We have a number of services (mail services, MANTIS, etc) that access the server via the LDAP interface and in all cases we discovered that none of them where able to establish a successful LDAP connection after the upgrade.

 
Previously we used plain LDAP to access the server, i.e. we did not use SSL/TLS. However it appears that the Samba-4 server is now insisting on using SSL/TLS regardless of the settings; if I attempt to perform an LDAP query without SSL/TLS I get:

 
ldapsearch -H 'ldap://172.16.6.2:389/' -D *** -w *** -b **
ldap_bind: Strong(er) authentication required (8)
        additional info: BindSimple: Transport encryption required.

 
Note that this used to work prior to the upgrade.

 
Attempting to access via TLS:

 
ldapsearch -H 'ldap://172.16.6.2:389/' -D *** -w *** -b ** -Z
ldap_bind: Strong(er) authentication required (8)
        additional info: BindSimple: Transport encryption required.

 
Attempting to access via SSL:

 
ldapsearch -H 'ldaps://172.16.6.2:636/' -D *** -w *** -b **
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

 
Note that we have not installed any certificates since we are not wanting to use encrypted connections at the moment.

 
Setting "enable tls = no" in "smb.conf" does not work - we see the same as above.

 
Does anyone have any ideas? I'm stuck on this.

 
Further information (just in case someone thinks it might be useful - the global section from our "smb.conf" file:

 
[global]
        workgroup = E2E
        realm = AD.CORPORATE.E2E
        netbios name = JANUS
        server role = active directory domain controller
        server services = -dns, -dnsupdate, -winbind, +winbindd
        dns forwarder = 217.13.128.17
        idmap_ldb:use rfc2307 = yes
        idmap config E2E:backend = ad
        idmap config E2E:schema_mode = rfc2307
        idmap config E2E:range = 10000-40000
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        winbind nss info = rfc2307
        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork

 
Port status:

 
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      12317/samba
tcp        0      0 0.0.0.0:3268            0.0.0.0:*               LISTEN      12321/samba
tcp        0      0 0.0.0.0:3269            0.0.0.0:*               LISTEN      12321/samba
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      12321/samba
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      12317/samba
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      12323/samba
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      12323/samba
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      12321/samba
tcp        0      0 :::1024                 :::*                    LISTEN      12317/samba
tcp        0      0 :::3268                 :::*                    LISTEN      12321/samba
tcp        0      0 :::3269                 :::*                    LISTEN      12321/samba
tcp        0      0 :::389                  :::*                    LISTEN      12321/samba
tcp        0      0 :::135                  :::*                    LISTEN      12317/samba
tcp        0      0 :::464                  :::*                    LISTEN      12323/samba
tcp        0      0 :::88                   :::*                    LISTEN      12323/samba
tcp        0      0 :::636                  :::*                    LISTEN      12321/samba
 
Thanks in advance.

 
Alan

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba