
Re: [Samba] Authenticating against Samba 4 AD LDAP service




Rowland Penny via samba wrote 2018-09-05 16:10:
On Wed, 05 Sep 2018 15:46:04 +0700
Konstantin Boyandin via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hello,

One of the Samba 3 -> Samba 4 migration tasks I am solving is changing
authentication against the new Samba 4 AD domain.

Existing services use the LDAP directory of Samba 3 to authenticate. The
simplest way to go would be just to replace LDAP credentials;
however, I don't quite understand which LDAP credentials to use/how
to create them for Samba 4 AD.

Sample command against Samba 4 LDAP service:

# ldapsearch -D "cn=Manager,dc=company,dc=lan" -w [password] -H
ldap://10.100.0.4 -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
returns
ldap_bind: Strong(er) authentication required (8)
	additional info: BindSimple: Transport encryption required.

I would appreciate a link to a possible source of wisdom, or
explanations here.

Note: I can do searches using Kerberos authentication on Samba 4
installation, like this:

# kinit administrator
# ldbsearch -H ldap://dc.ad-lan.com -k yes '(objectclass=person)'

but Kerberos is not an option for some existing services.

Sincerely,
Konstantin


Try this:
ldbsearch -U Administrator --password=[password] -H ldap://10.100.0.4
-b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"

NOTE, you can (and probably should) replace '10.100.0.4' with the DC's
short hostname.

That works, thank you, with the actual domain name in the LDAP URL.

However, are you sure you cannot use Kerberos?
What are your existing services?

To name the most important ones:

- Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
- Shell (SSH) server (same, using nslcd)
- Apache 2.* LDAP authentication module
- Atlassian Confluence
- GitLab

Sincerely,
Konstantin
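
The bind error quoted in this thread ("BindSimple: Transport encryption required") applies to any service that sends a bind DN and password over plain ldap://, including the nslcd-based ones listed above. The following is an added example, not code from the thread's participants or the Samba project: it audits nslcd.conf text for that condition. The service account name and CA file path are constructed placeholders.

```python
"""Audit nslcd.conf text for simple binds sent without transport encryption."""
from urllib.parse import urlparse

# Constructed sample: plain ldap:// with a simple bind (hypothetical account).
SAMPLE_PLAIN = """\
uri ldap://dc.ad-lan.com
base dc=ad-lan,dc=com
binddn cn=svc-nslcd,cn=Users,dc=ad-lan,dc=com
bindpw CHANGE_ME
"""

# Constructed sample: the same bind over StartTLS with certificate checking.
SAMPLE_TLS = SAMPLE_PLAIN + """\
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-ca.pem
"""


def parse(text):
    """Return {option: [values]} from nslcd.conf-style 'option value' lines."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return opts


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = parse(text)
    ssl = opts.get("ssl", ["off"])[-1].lower()  # nslcd default: off
    reqcert = opts.get("tls_reqcert", ["demand"])[-1].lower()  # OpenLDAP default
    simple_bind = "binddn" in opts and "sasl_mech" not in opts
    findings = []
    for uri in " ".join(opts.get("uri", [])).split():
        encrypted = urlparse(uri).scheme.lower() == "ldaps" or ssl in ("on", "start_tls")
        if simple_bind and not encrypted:
            findings.append(f"{uri}: simple bind without transport encryption")
        elif encrypted and reqcert in ("never", "allow"):
            findings.append(f"{uri}: TLS in use but server certificate not verified")
    return findings


if __name__ == "__main__":
    for name, conf in (("plain", SAMPLE_PLAIN), ("tls", SAMPLE_TLS)):
        print(name, audit(conf) or "ok")
```
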
