Hi All,
I'm setting up a Samba AD domain which works perfectly with the Win 7
server tools and so far everything is going fine. What has me stumped
is setting up an LDAP proxy in our DMZ against which I can authenticate
our email and web services.
I've got port 389 open on my main Samba 4 DC and if I use the domain
administrator account to bind the proxy, everything works. In order to
give a degree of separation however, I've created a user called
ldapbindacc and have used the server remote admin tools to delegate
control of the directory server to that user with read-only access to
user and group details. When I try to access the directory using this
account, I get the following error message (the password is definitely
correct):
# ldapsearch -LLL -H ldap://127.0.0.1 \
    -b 'dc=bordengrammar,dc=kent,dc=sch,dc=uk' \
    -D 'cn=ldapbindacc,cn=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk' -W \
    '(sAMAccountName=Test.User)'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
As I'm moving from Samba 3 to 4, my AD knowledge is limited so I've been
patching things together from various howtos. Has anyone succeeded in
this who can give me some tips?
Thanks,
Julian
--
Borden Grammar School,
Avenue of Remembrance,
Sittingbourne,
Kent,
ME10 4DB.
Tel: 01795 424192
On Thu, 2013-08-08 at 17:14 +0100, Julian Pilfold-Bagwell wrote:
> Hi All,
>
> I'm setting up a Samba AD domain which works perfectly with the Win 7
> server tools and so far everything is going fine. What has me stumped
> is setting up an LDAP proxy in our DMZ against which I can authenticate
> our email and web services.
>
> I've got port 389 open on my main Samba 4 DC and if I use the domain
> administrator account to bind the proxy, everything works. In order to
> give a degree of separation however, I've created a user called
> ldapbindacc and have used the server remote admin tools to delegate
> control of the directory server to that user with read-only access to
> user and group details. When I try to access the directory using this
> account, I get the following error message (the password is definitely
> correct):
>
> # ldapsearch -LLL -H ldap://127.0.0.1 \
>     -b 'dc=bordengrammar,dc=kent,dc=sch,dc=uk' \
>     -D 'cn=ldapbindacc,cn=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk' -W \
>     '(sAMAccountName=Test.User)'
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
>
> As I'm moving from Samba 3 to 4, my AD knowledge is limited so I've been
> patching things together from various howtos. Has anyone succeeded in
> this who can give me some tips?

Try just setting the DN as ldapbindacc@bordengrammar.kent.sch.uk (AD
allows these kinds of DNs for binds). Otherwise, just turn up the
logging on the Samba side and see what it says.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
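The bind-identity forms Andrew mentions, worked through as an added example (this is not code from the thread, from Samba or from Catalyst): it derives the UPN form from the bind DN and walks the candidate identities against a least-privilege account, logging the server diagnostic for each rejection so it can be matched against the DC's log. The live path assumes the `ldap3` library; the NetBIOS domain name, the `fake_bind` checker and the sample password are constructed placeholders.

```python
"""Least-privilege simple bind against a Samba AD DC: try the identity forms
AD accepts (DN, user@realm UPN, DOMAIN\\user) and report which one the DC takes.

Added example for this thread, not code from the thread or the Samba project.
Assumes the `ldap3` library for the live path; the offline path accepts any
callable so the selection logic can be exercised without a DC.
"""
import logging
from typing import Callable, Iterable, List, Optional, Tuple

log = logging.getLogger("adbind")


def split_dn(dn: str) -> List[str]:
    """Split an LDAP DN into its RDN strings, honouring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def bind_candidates(dn: str, netbios_domain: Optional[str] = None) -> List[str]:
    """Identity strings a Samba AD DC accepts for a simple bind, in try order.

    cn=ldapbindacc,cn=Users,dc=example,dc=com yields the DN itself, the UPN
    ldapbindacc@example.com (realm = the dc= components joined with dots) and,
    if the NetBIOS name is supplied, DOMAIN\\ldapbindacc.
    """
    rdns = split_dn(dn)
    if not rdns:
        raise ValueError("empty DN")
    attr, _, value = rdns[0].partition("=")
    if attr.strip().lower() != "cn" or not value:
        raise ValueError("leading RDN must be cn=<account>")
    realm = ".".join(r.partition("=")[2] for r in rdns if r.lower().startswith("dc="))
    cands = [dn, f"{value}@{realm}"]
    if netbios_domain:
        cands.append(f"{netbios_domain}\\{value}")
    return cands


# (identity, password) -> (accepted, server diagnostic)
BindFn = Callable[[str, str], Tuple[bool, str]]


def first_working_bind(bind: BindFn, candidates: Iterable[str], password: str) -> Optional[str]:
    """Return the first identity the DC accepts; log every rejection with its
    diagnostic (e.g. NT_STATUS_LOGON_FAILURE) for correlation with the DC log."""
    for ident in candidates:
        ok, diag = bind(ident, password)
        if ok:
            log.info("bind accepted for %s", ident)
            return ident
        log.warning("bind rejected for %s: %s", ident, diag)
    return None


def ldap3_simple_bind(url: str) -> BindFn:
    """Real bind function built on ldap3 (assumed installed: pip install ldap3)."""
    from ldap3 import Server, Connection, SIMPLE  # lazy import keeps the rest offline-safe

    server = Server(url)

    def bind(ident: str, password: str) -> Tuple[bool, str]:
        conn = Connection(server, user=ident, password=password,
                          authentication=SIMPLE, raise_exceptions=False)
        ok = conn.bind()
        diag = "" if ok else f"{conn.result.get('description')}: {conn.result.get('message')}"
        conn.unbind()
        return ok, diag

    return bind


if __name__ == "__main__":
    import getpass
    import sys
    logging.basicConfig(level=logging.INFO)
    dn = sys.argv[1] if len(sys.argv) > 1 else "cn=ldapbindacc,cn=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
    url = sys.argv[2] if len(sys.argv) > 2 else "ldap://127.0.0.1"
    netbios = "NETBIOS_DOMAIN"  # placeholder: the domain's NetBIOS name is not given in the thread
    print(first_working_bind(ldap3_simple_bind(url), bind_candidates(dn, netbios),
                             getpass.getpass("LDAP password: ")))
```

Run it as `python adbind.py '<bind DN>' ldap://dc.example` once the delegated account exists; the warnings it emits for rejected forms carry the same `NT_STATUS_*` text the DC writes at a higher log level, which is what makes the two sides easy to line up.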
Hello Julian,

On 08.08.2013 18:14, Julian Pilfold-Bagwell wrote:
> I'm setting up a Samba AD domain which works perfectly with the Win 7
> server tools and so far everything is going fine. What has me stumped
> is setting up an LDAP proxy in our DMZ against which I can authenticate
> our email and web services.
>
> I've got port 389 open on my main Samba 4 DC and if I use the domain
> administrator account to bind the proxy, everything works. In order to
> give a degree of separation however, I've created a user called
> ldapbindacc and have used the server remote admin tools to delegate
> control of the directory server to that user with read-only access to
> user and group details. When I try to access the directory using this
> account, I get the following error message (the password is definitely
> correct):
>
> # ldapsearch -LLL -H ldap://127.0.0.1 \
>     -b 'dc=bordengrammar,dc=kent,dc=sch,dc=uk' \
>     -D 'cn=ldapbindacc,cn=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk' -W \
>     '(sAMAccountName=Test.User)'
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
>
> As I'm moving from Samba 3 to 4, my AD knowledge is limited so I've been
> patching things together from various howtos. Has anyone succeeded in
> this who can give me some tips?

Here I described how to set up an OpenLDAP proxy to AD:
http://wiki.samba.org/index.php/Authenticating_other_services_against_AD
(including authenticating other LDAP-based services)

Regards,
Marc