Dr. Alberto Benati
2008-Sep-09 20:58 UTC
[Samba] Failed to retrieve password from secrets.tdb with anonymous bind
Samba 3.2.1 on Linux, OpenFiler 2.3.

I have an external LDAP server with anonymous bind, and PAM and ProFTPD linked to the LDAP server work well without error.

But Samba does not work; in smbd.log I have:

[2008/09/09 22:01:54, 0] passdb/secrets.c:fetch_ldap_pw(888)
  fetch_ldap_pw: neither ldap secret retrieved!
[2008/09/09 22:01:54, 0] lib/smbldap.c:smbldap_connect_system(952)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
[2008/09/09 22:01:54, 1] lib/smbldap.c:another_ldap_try(1178)
  Connection to LDAP server failed for the 1 try!
.........................

Part of smb.conf:

ldap ssl = no
ldap suffix = ou=People,dc=unizz,dc=it
encrypt passwords = yes
security = user
passdb backend = ldapsam:ldap://ldap.unizz.it
ldap user suffix = ou=People
pam password change = no

I tried to add the password to secrets.tdb, but:

[root@backup2 samba]# smbpasswd -w ""
ERROR: 'ldap admin dn' not defined! Please check your smb.conf

I then added a fake one in smb.conf:

ldap admin dn = ou=People,dc=unizz,dc=it

[root@backup2 samba]# tdbdump /etc/samba/secrets.tdb
{
key(19) = "SECRETS/SID/BACKUP2"
data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00A,\EB\C1\E5\5C/(\E7\DDl \A7\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key(45) = "SECRETS/LDAP_BIND_PW/ou=People,dc=unizz,dc=it"
data(1) = "\00"
}

Now, without that row I always get the same error as before, and with the row "ldap admin dn = ou=People,dc=unizz,dc=it" I now get:

[2008/09/09 22:15:13, 0] lib/smbldap.c:smbldap_connect_system(992)
  failed to bind to server ldap://ldap.unizz.it with dn="ou=People,dc=unizz,dc=it" Error: Server is unwilling to perform
  unwilling to allow anonymous bind with non-empty DN
[2008/09/09 22:15:13, 1] lib/smbldap.c:another_ldap_try(1178)
  Connection to LDAP server failed for the 1 try!
..................

Rightly so, but I cannot get out of this situation.
Any suggestion?

Thank you
Alby
Iarly Selbir
2008-Sep-09 22:09 UTC
[Samba] Failed to retrieve password from secrets.tdb with anonymous bind
Try running:

root# smbpasswd -w ldap_password

and restart Samba.

Regards,
Iarly Selbir

2008/9/9 Dr. Alberto Benati <benati@economia.unife.it>:
> [quoted original message, see above]
Richard Foltyn
2008-Sep-10 06:48 UTC
[Samba] Failed to retrieve password from secrets.tdb with anonymous bind
Why don't you just *create* a dedicated Samba DN in LDAP which Samba can use? This is a much more secure setup than granting read or even write access to passwords to unauthenticated external connections.

The official smbldap-tools HOWTO even suggests how to do this:

1) Create an LDAP entry which might look like this:

dn: cn=samba,ou=DSA,dc=IDEALX,dc=ORG
objectClass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba

2) Set the password:

ldappasswd -x -h localhost -D "cn=Manager,dc=IDEALX,dc=ORG" -s sambasecretpwd \
  -W cn=samba,ou=DSA,dc=IDEALX,dc=ORG

3) Set your ldap admin dn in smb.conf

4) Set the Samba password with smbpasswd

Done.

(See the HOWTO for details: http://www.iallanis.info/smbldap-tools/docs/samba-ldap-howto/ )
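As an added example (not code from this thread or from the smbldap-tools HOWTO), here is a POSIX shell script that carries out the four steps above and adds the check a practitioner would want before restarting smbd: that "ldap admin dn" names an entry that can actually bind, rather than the "ldap suffix" container. Pointing the admin DN at the container with an empty password is exactly what produced "unwilling to allow anonymous bind with non-empty DN" in the original post. The LDAP URI, the manager DN and the ou=DSA container are placeholder assumptions; the script name is also assumed.

```sh
#!/bin/sh
# Added example, not code from the thread or from the smbldap-tools HOWTO.
# Provisions a dedicated bind DN for Samba (the HOWTO's four steps) and checks
# smb.conf for the mistake in the original post: pointing 'ldap admin dn' at
# the 'ldap suffix' container instead of at an entry that can bind.
# LDAP_URI, MANAGER_DN and the ou=DSA container below are assumed placeholders.
set -eu

LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"            # assumption
MANAGER_DN="${MANAGER_DN:-cn=Manager,dc=example,dc=org}"   # assumption
SAMBA_DN="${SAMBA_DN:-cn=samba,ou=DSA,dc=example,dc=org}"  # assumption
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"

# Step 1: LDIF for the DSA entry. simpleSecurityObject requires userPassword,
# so a locked placeholder goes in here and step 2 sets the real password on
# the server side (no cleartext password in the LDIF or in shell history).
make_dsa_ldif() {
    dn="$1"
    cn="${dn#cn=}"; cn="${cn%%,*}"
    printf 'dn: %s\n' "$dn"
    printf 'objectClass: top\n'
    printf 'objectClass: organizationalRole\n'
    printf 'objectClass: simpleSecurityObject\n'
    printf 'cn: %s\n' "$cn"
    printf 'userPassword: {CRYPT}*\n'
}

# Read one parameter from smb.conf: first match, case-insensitive, surrounding
# whitespace and double quotes stripped. Prints nothing if the key is absent.
get_param() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Sanity check before restarting smbd: 'ldap admin dn' must be set and must be
# a bindable entry, not the 'ldap suffix' container. Binding with a container
# DN and an empty password is what the server refused in the original post.
check_smb_conf() {
    admin=$(get_param "$1" 'ldap admin dn')
    suffix=$(get_param "$1" 'ldap suffix')
    if [ -z "$admin" ]; then
        echo "FAIL: 'ldap admin dn' is not set; smbpasswd -w has no key to store the password under" >&2
        return 1
    fi
    if [ "$admin" = "$suffix" ]; then
        echo "FAIL: 'ldap admin dn' equals 'ldap suffix' ($admin); that is a container, not an entry with a password" >&2
        return 1
    fi
    case "$admin" in
        ou=*|dc=*|o=*)
            echo "WARN: 'ldap admin dn' ($admin) looks like a container; expected something like cn=samba,ou=DSA,..." >&2 ;;
    esac
    echo "OK: ldap admin dn = $admin"
}

# Steps 1-4 of the HOWTO, run interactively as root on the Samba host.
# Requires ldap-utils (ldapadd, ldappasswd, ldapwhoami) and smbpasswd.
provision_bind_dn() {
    make_dsa_ldif "$SAMBA_DN" | ldapadd -x -H "$LDAP_URI" -D "$MANAGER_DN" -W
    # -S prompts for the new password instead of exposing it on argv with -s
    ldappasswd -x -H "$LDAP_URI" -D "$MANAGER_DN" -W -S "$SAMBA_DN"
    # Prove the new entry can bind before touching Samba at all
    ldapwhoami -x -H "$LDAP_URI" -D "$SAMBA_DN" -W
    # Step 3 is manual: put "ldap admin dn = $SAMBA_DN" into $SMB_CONF, then:
    check_smb_conf "$SMB_CONF"
    printf 'Bind password for %s (to be stored in secrets.tdb): ' "$SAMBA_DN"
    stty -echo; read -r pw; stty echo; echo
    smbpasswd -w "$pw"        # step 4; smbd reads secrets.tdb after a restart
    unset pw
}

case "${1:-}" in
    provision) provision_bind_dn ;;
    check)     check_smb_conf "${2:-$SMB_CONF}" ;;
esac
```

Saved as, say, samba-bind-dn.sh, "sh samba-bind-dn.sh check /etc/samba/smb.conf" validates the configuration first, and "sh samba-bind-dn.sh provision" then runs the four steps interactively. The ldapwhoami call is the important addition: if that bind fails, the problem is in the directory (ACLs, password, DN), not in Samba, and there is no point restarting smbd yet.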