Hi,
I've got ldapsearch mostly working:
root@morannon:/usr/local/samba/private/tls# ldapsearch
'(sAMAccountName=dumaresq)'
SASL/GSSAPI authentication started
SASL username: administrator@XXX
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (sAMAccountName=dumaresq)
# requesting: ALL
#
results in here...
# search result
search: 5
result: 0 Success
# numResponses: 2
# numEntries: 1
I cannot get ldapsearch -Z or ldaps working:
ldapsearch '(sAMAccountName=dumaresq)' -Z
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if
TLS is used
Here is what I get in samba.log when I did that command:
[2011/04/23 14:29:56, 3]
../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56, 3]
../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56, 3]
../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56, 3]
../source4/smbd/service_stream.c:62(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2011/04/23 14:29:56, 3]
../source4/smbd/process_single.c:104(single_terminate)
single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
I'm not sure where to go from here. I've tried several different
options in /etc/ldap/ldap.conf and I always get that error, unless I
comment out #TLS_REQCERT allow
then I get:
ldapsearch '(sAMAccountName=dumaresq)' -Z
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)
with:
[2011/04/23 14:31:29, 3]
../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2011/04/23 14:31:29, 3]
../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2011/04/23 14:31:29, 1]
../source4/lib/tls/tls_tstream.c:542(tstream_tls_retry_read)
TLS ../source4/lib/tls/tls_tstream.c:542 - A record packet with
illegal version was received.
[2011/04/23 14:31:29, 3]
../source4/smbd/service_stream.c:62(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR'
[2011/04/23 14:31:29, 3]
../source4/smbd/process_single.c:104(single_terminate)
single_terminate: reason[ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR]
in samba.log
Neither of those are helpful. I've tried stracing, but I don't see any
errors. I believe this is a cert issue, but I'm not sure exactly what
the cert issue is.
Thanks
Andrew Dumaresq
2011-Apr-24 22:25 UTC
[Samba] ldapsearch with samba4 (now a question about SASL and ldaps
On 4/23/2011 2:34 PM, Andrew Dumaresq wrote:
> Hi,
>
> I've got ldapsearch mostly working:
> [...]
> I cannot get ldapsearch -Z or ldaps working:
>
> ldapsearch '(sAMAccountName=dumaresq)' -Z
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
> additional info: SASL:[GSSAPI]: Sign or Seal are not allowed
> if TLS is used
> [...]

Update... I did get ldaps and -Z working, but I can't do it with SASL. I can't find docs that say, but is it possible that SASL (GSSAPI) and ldaps are not compatible?

ldapsearch -H ldaps://ldapserver.domain -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used

dumaresq@morannon:~$ ldapsearch -H ldaps://ldapserver.domain -D 'CN=Administrator,CN=Users,DC=dumaresq,DC=local' -w AdminsPassword '(sAMAccountName=dumaresq)'
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (sAMAccountName=dumaresq)
# requesting: ALL
#

(response in here)

# numResponses: 2
# numEntries: 1

So the question is: are SASL and ldaps not compatible, and if that is the case, which is better? I like GSSAPI because I don't need to store passwords on the system, but I'm not clear on how encrypted the data being transmitted is. I did a packet capture and I do see some data that doesn't look like clear text, but that's all I know for sure :)

Comments, suggestions?
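Added example, not part of the thread and not Samba or OpenLDAP code. The "Sign or Seal are not allowed if TLS is used" refusal is Samba's LDAP server declining to stack a GSSAPI security layer (sign/seal, the "SASL data security layer installed" line) on top of TLS; with OpenLDAP's ldapsearch the SASL layer can be turned off for a TLS session with `-O maxssf=0`, leaving TLS to do the encryption. The other question in the post, how encrypted the port-389 GSSAPI traffic really is, can be answered from the packet capture: with the security layer on, every LDAP message on the wire is a SASL buffer (4-byte big-endian length, RFC 4422 section 3.7) carrying a Kerberos wrap token, and that token's header says whether the payload was sealed (encrypted) or only signed. The script below classifies the first bytes of a TCP payload as a TLS record, a SASL/GSSAPI buffer (RFC 4121 tokens for AES, RFC 1964/4757 tokens for DES/RC4), or a plaintext BER LDAPMessage. The sample payloads are constructed for the example; they are not from the poster's capture. A server-side "A record packet with illegal version was received" line, as in the log above, is GnuTLS reporting that what arrived on the TLS path failed exactly the first check this function makes.

```python
"""Classify one captured LDAP TCP payload: TLS record, SASL/GSSAPI buffer, or plain BER.

Added example for the thread; the sample bytes below are constructed, not captured.
"""
import struct

# GSS-API Kerberos 5 mechanism OID 1.2.840.113554.1.2.2 in DER; it opens every
# RFC 1964 / RFC 4757 (DES / RC4-HMAC) per-message token.
KRB5_MECH_OID = bytes.fromhex("06092a864886f712010202")

# RFC 4121 section 4.2.2 wrap-token flag bits
FLAG_SENT_BY_ACCEPTOR = 0x01
FLAG_SEALED = 0x02            # confidentiality ("seal"); absent means sign-only
FLAG_ACCEPTOR_SUBKEY = 0x04

TLS_RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                    0x16: "handshake", 0x17: "application_data"}


def parse_gss_wrap_token(tok: bytes):
    """Return protection details for a Kerberos GSS wrap token, or None if it is not one."""
    # RFC 4121 (AES and other newer enctypes): 05 04 | flags | ff | EC | RRC | SND_SEQ | data
    if len(tok) >= 16 and tok[:2] == b"\x05\x04" and tok[3] == 0xFF:
        flags = tok[2]
        ec, rrc = struct.unpack(">HH", tok[4:8])
        (seq,) = struct.unpack(">Q", tok[8:16])
        return {"token": "rfc4121-wrap",
                "encrypted": bool(flags & FLAG_SEALED),
                "sent_by_acceptor": bool(flags & FLAG_SENT_BY_ACCEPTOR),
                "acceptor_subkey": bool(flags & FLAG_ACCEPTOR_SUBKEY),
                "seq": seq, "ec": ec, "rrc": rrc}
    # RFC 1964 (DES) / RFC 4757 (RC4-HMAC): 60 <len> <krb5 OID> 02 01 SGN_ALG SEAL_ALG ff ff ...
    if tok[:1] == b"\x60" and len(tok) >= 2:
        i = 2 + (tok[1] & 0x7F if tok[1] & 0x80 else 0)   # skip the DER length, short or long form
        if tok[i:i + len(KRB5_MECH_OID)] != KRB5_MECH_OID:
            return None
        i += len(KRB5_MECH_OID)
        if tok[i:i + 2] != b"\x02\x01":                   # TOK_ID 02 01 = Wrap (01 01 = MIC)
            return None
        sgn_alg, seal_alg = tok[i + 2:i + 4], tok[i + 4:i + 6]
        sgn_names = {b"\x00\x00": "DES-MAC-MD5", b"\x01\x00": "MD2.5",
                     b"\x02\x00": "DES-MAC", b"\x11\x00": "HMAC-MD5"}
        seal_names = {b"\xff\xff": None, b"\x00\x00": "DES-CBC", b"\x10\x00": "RC4"}
        return {"token": "rfc1964-wrap",
                "encrypted": seal_alg != b"\xff\xff",     # SEAL_ALG ffff = integrity only
                "sgn_alg": sgn_names.get(sgn_alg, sgn_alg.hex()),
                "seal_alg": seal_names.get(seal_alg, seal_alg.hex())}
    return None


def classify_ldap_payload(data: bytes) -> dict:
    """Describe the outermost protection on the payload of one LDAP TCP segment."""
    if len(data) < 5:
        return {"kind": "too-short", "encrypted": False}
    # TLS record header: content type, then version 03 0N (ldaps, or 389 after STARTTLS).
    # Only application_data records carry the encrypted LDAP messages.
    if data[0] in TLS_RECORD_TYPES and data[1] == 0x03:
        return {"kind": "tls", "record": TLS_RECORD_TYPES[data[0]],
                "version": f"{data[1]}.{data[2]}", "encrypted": data[0] == 0x17}
    # SASL security layer (RFC 4422 section 3.7): 4-octet big-endian length, then one wrap token
    (blen,) = struct.unpack(">I", data[:4])
    if blen == len(data) - 4:
        info = parse_gss_wrap_token(data[4:])
        if info is not None:
            return {"kind": "sasl-gssapi", **info}
    # Unprotected LDAPMessage: a BER SEQUENCE (0x30) holding the messageID INTEGER
    if data[0] == 0x30:
        return {"kind": "plain-ldap", "encrypted": False}
    return {"kind": "unknown", "encrypted": False}


def _sasl_buffer(token: bytes) -> bytes:
    return struct.pack(">I", len(token)) + token


# Constructed sample payloads (assumed shapes, not taken from the thread's capture)
SAMPLES = {
    # anonymous simple bind request, messageID 1, LDAPv3, in the clear
    "plain_bind": bytes.fromhex("300c020101600702010304008000"),
    # AES wrap token, flags SEALED | ACCEPTOR_SUBKEY, seq 7, then 24 bytes of ciphertext
    "gssapi_aes_sealed": _sasl_buffer(b"\x05\x04\x06\xff" + struct.pack(">HHQ", 0, 0, 7) + b"\xa5" * 24),
    # AES wrap token with only ACCEPTOR_SUBKEY: signed but readable (the BER 30 0c is visible)
    "gssapi_aes_signed": _sasl_buffer(b"\x05\x04\x04\xff" + struct.pack(">HHQ", 0, 0, 8) + b"\x30\x0c" + b"\x00" * 22),
    # RC4-HMAC wrap token: HMAC-MD5 signing, RC4 sealing, 40 bytes of seq/checksum/confounder/data
    "gssapi_rc4_sealed": _sasl_buffer(b"\x60\x3b" + KRB5_MECH_OID + b"\x02\x01\x11\x00\x10\x00\xff\xff" + b"\x5a" * 40),
    # TLS 1.0 application-data record as seen on ldaps (636) or on 389 after STARTTLS
    "tls_app_data": b"\x17\x03\x01\x00\x20" + b"\x9c" * 32,
}


def summarize(samples: dict) -> dict:
    """Map each sample name to (kind, token or record type, encrypted?)."""
    out = {}
    for name, payload in samples.items():
        r = classify_ldap_payload(payload)
        out[name] = (r["kind"], r.get("token") or r.get("record"), r["encrypted"])
    return out


if __name__ == "__main__":
    for name, row in summarize(SAMPLES).items():
        print(f"{name:20s} {row}")
```

To apply it to a real capture, feed the TCP payload of one segment from the LDAP stream (for example the bytes Wireshark shows under "Data" on port 389) to `classify_ldap_payload`. Note that the "SASL SSF: 56" reported by ldapsearch is Cyrus SASL's own rating of the negotiated layer, not a statement about the Kerberos enctype; the wrap-token header is what actually tells you whether sealing was applied.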