I've googled and I believe that SASL method DIGEST-MD5 is supported and I see it in the samba startup, but it doesn't work.

ldapsearch -Y DIGEST-MD5 -h dc03.mediture.dom
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Operations error (1)
        additional info: SASL:[DIGEST-MD5]: Failed to start authentication backend: NT_STATUS_INVALID_PARAMETER

[root at dc03 ~]# samba -i -M single -d3
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
samba version 4.2.0 started.
Copyright Andrew Tridgell and the Samba Team 1992-2014
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
[...]
Failed to start GENSEC SASL[DIGEST-MD5] server code: NT_STATUS_INVALID_PARAMETER

I'm using samba 4.2.0 compiled from source using standard configuration options. Is there something I'm missing e.g. build dependency, runtime dependency, build option or configuration?

Thanks,
Arthur

I tried installing cyrus-sasl-md5.x86_64 and restarting samba4 to no effect.

ldapsearch -h dc03.mediture.dom -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM

On 07/07/2015 03:10 PM, Arthur Ramsey wrote:
> I've googled and I believe that SASL method DIGEST-MD5 is supported
> and I see it in the samba startup, but it doesn't work.
>
> ldapsearch -Y DIGEST-MD5 -h dc03.mediture.dom
> SASL/DIGEST-MD5 authentication started
> ldap_sasl_interactive_bind_s: Operations error (1)
> additional info: SASL:[DIGEST-MD5]: Failed to start authentication
> backend: NT_STATUS_INVALID_PARAMETER
>
> [root at dc03 ~]# samba -i -M single -d3
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> samba version 4.2.0 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2014
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> [...]
> Failed to start GENSEC SASL[DIGEST-MD5] server code:
> NT_STATUS_INVALID_PARAMETER
>
> I'm using samba 4.2.0 compiled from source using standard
> configuration options. Is there something I'm missing e.g. build
> dependency, runtime dependency, build option or configuration?
>
> Thanks,
> Arthur

--
Arthur Ramsey
Systems Administrator
Mediture
arthur_ramsey at mediture.com
952.400.0323

This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the Mediture Privacy Officer at privacyofficer at mediture.com.

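
The rootDSE query in the message above shows which SASL mechanisms the server advertises, and DIGEST-MD5 is not in the list. The script below is an added example, not part of the thread or of Samba: it parses that LDIF reply and picks the first advertised mechanism from a preference list. The function names and the preference list are assumptions; the sample input reuses the values posted above.

```shell
# Constructed sample input: the rootDSE values posted in the message above.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM'

# Print advertised mechanisms, one per line, upper-cased. Reads LDIF on
# stdin, unfolds continuation lines (leading single space) and matches the
# attribute name case-insensitively.
advertised_mechs() {
    awk '
        function emit(   i, name, val) {
            i = index(buf, ":")
            if (i == 0) return
            name = tolower(substr(buf, 1, i - 1))
            val = substr(buf, i + 1)
            if (name != "supportedsaslmechanisms") return
            if (substr(val, 1, 1) == ":") return   # base64 value, skip
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (val != "") print toupper(val)
        }
        /^ / { buf = buf substr($0, 2); next }     # folded LDIF line
        { emit(); buf = $0 }
        END { emit() }
    '
}

# Succeed if mechanism $1 is advertised in the LDIF on stdin.
mech_advertised() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    advertised_mechs | grep -Fqx -- "$want"
}

# Print the first mechanism in the caller's preference list ("$@") that the
# server advertises; return 1 when there is no overlap.
pick_mech() {
    ldif=$(cat)
    for m in "$@"; do
        if printf '%s\n' "$ldif" | mech_advertised "$m"; then
            printf '%s\n' "$m"
            return 0
        fi
    done
    return 1
}

# Live use: pipe the ldapsearch rootDSE query from the thread into pick_mech.
printf '%s\n' "$SAMPLE_ROOTDSE" | pick_mech DIGEST-MD5 GSSAPI NTLM
```
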
On Tue, 2015-07-07 at 15:10 -0500, Arthur Ramsey wrote:
> I've googled and I believe that SASL method DIGEST-MD5 is supported and
> I see it in the samba startup, but it doesn't work.
>
> ldapsearch -Y DIGEST-MD5 -h dc03.mediture.dom
> SASL/DIGEST-MD5 authentication started
> ldap_sasl_interactive_bind_s: Operations error (1)
> additional info: SASL:[DIGEST-MD5]: Failed to start authentication backend: NT_STATUS_INVALID_PARAMETER
>
> [root at dc03 ~]# samba -i -M single -d3
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> samba version 4.2.0 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2014
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> [...]
> Failed to start GENSEC SASL[DIGEST-MD5] server code: NT_STATUS_INVALID_PARAMETER
>
> I'm using samba 4.2.0 compiled from source using standard configuration
> options. Is there something I'm missing e.g. build dependency, runtime
> dependency, build option or configuration?

I'm sorry for the confusion. For Samba 4.3 DIGEST-MD5 has been removed, it never worked as a client or as server. You will need to use NTLM or Kerberos.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

That's too bad, I was trying to get the Vasco Identikey server working with samba4 as a backend for FIPS 140-2 compliant OTP, which will only bind with DIGEST-MD5. I guess I will have to join a Windows 2008 R2 to the domain as a domain controller.

Thanks for clarifying,
Arthur

On 07/10/2015 04:38 AM, Andrew Bartlett wrote:
> On Tue, 2015-07-07 at 15:10 -0500, Arthur Ramsey wrote:
>> I've googled and I believe that SASL method DIGEST-MD5 is supported and
>> I see it in the samba startup, but it doesn't work.
>>
>> ldapsearch -Y DIGEST-MD5 -h dc03.mediture.dom
>> SASL/DIGEST-MD5 authentication started
>> ldap_sasl_interactive_bind_s: Operations error (1)
>> additional info: SASL:[DIGEST-MD5]: Failed to start authentication backend: NT_STATUS_INVALID_PARAMETER
>>
>> [root at dc03 ~]# samba -i -M single -d3
>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>> samba version 4.2.0 started.
>> Copyright Andrew Tridgell and the Samba Team 1992-2014
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'sasl-DIGEST-MD5' registered
>> [...]
>> Failed to start GENSEC SASL[DIGEST-MD5] server code: NT_STATUS_INVALID_PARAMETER
>>
>> I'm using samba 4.2.0 compiled from source using standard configuration
>> options. Is there something I'm missing e.g. build dependency, runtime
>> dependency, build option or configuration?
> I'm sorry for the confusion. For Samba 4.3 DIGEST-MD5 has been removed,
> it never worked as a client or as server. You will need to use NTLM or
> Kerberos.
>
> Andrew Bartlett
>