On Wed, 2013-08-07 at 17:16 +0700, Olivier Nicole wrote:
> Hi,
>
> I understand that using options -H and --simple-bind-dn one could run
> samba-tool remotely.
>
> But how should I specify the DN to use for simple bind?
>
> I tried many syntaxes:
> cn=Administrator
> cn=Administrator at domain
> domain
> all with the Administrator password, but it always fails with:
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <Simple Bind Failed: NT_STATUS_LOGON_FAILURE> <>
> Failed to connect to 'ldap://fbsd35.cs.ait.ac.th/' with backend 'ldap': (null)
>
> Can I use the command ldapsearch (from openLdap distribution) to access
> the LDAP directory maintained by Samba?
>
> If yes, what is the syntax in terms of binding?

In general, you shouldn't need --simple-bind-dn, because Samba supports
much more secure ways to authenticate, such as NTLM and Kerberos. Just
specify -U administrator.

For the record, for other non-AD servers that don't do SASL and so can't
use -U, --simple-bind-dn takes a DN, so cn=admin,dc=example,dc=com might
be the admin DN on an OpenLDAP server. (This applies more to the ldb*
commands than samba-tool, which probably shouldn't show this option
except it comes from common code.)

I hope this helps,

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz