Greetings, All!

I'm using Samba 3.6 and OpenLDAP currently. The core configuration was done eons ago, and I'm not quite sure it is still current. I see a number of PAM-related errors every time the system boots up. One concerning me is:

Jan 28 02:31:21 daemon1 perl: pam_ldap: error trying to bind as user "uid=root,ou=Users,dc=darkdragon,dc=lan" (Invalid credentials)

Is this a broken PDC configuration (how can I fix it, if yes?) or can I just remove libpam-ldap since I'm using libpam-winbind anyway?

--
WBR,
Andrey Repin (anrdaemon at yandex.ru) 03.02.2015, <05:48>

Sorry for my terrible English...
Hi,

In my opinion pam_winbind will be a good way to start. Please start fresh after undoing all the changes which you have done earlier, and follow the Samba Wiki for more help: <https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server>

--
Regards
Ashishkumar S. Yadav

On Tue, Feb 3, 2015 at 8:24 AM, Andrey Repin <anrdaemon at yandex.ru> wrote:
> Greetings, All!
>
> I'm using Samba 3.6 and OpenLDAP currently.
> The core configuration was done eons ago, and I'm not quite sure it is
> still current. I see a number of PAM-related errors every time the system
> boots up. One concerning me is:
> Jan 28 02:31:21 daemon1 perl: pam_ldap: error trying to bind as user
> "uid=root,ou=Users,dc=darkdragon,dc=lan" (Invalid credentials)
> Is this a broken PDC configuration (how can I fix it, if yes?) or can I
> just remove libpam-ldap since I'm using libpam-winbind anyway?
>
> --
> WBR,
> Andrey Repin (anrdaemon at yandex.ru) 03.02.2015, <05:48>
>
> Sorry for my terrible English...
On 03.02.2015 at 03:54, Andrey Repin wrote:
> Greetings, All!
>
> I'm using Samba 3.6 and OpenLDAP currently.
> The core configuration was done eons ago, and I'm not quite sure it is
> still current. I see a number of PAM-related errors every time the system
> boots up. One concerning me is:
> Jan 28 02:31:21 daemon1 perl: pam_ldap: error trying to bind as user "uid=root,ou=Users,dc=darkdragon,dc=lan" (Invalid credentials)
> Is this a broken PDC configuration (how can I fix it, if yes?) or can I just
> remove libpam-ldap since I'm using libpam-winbind anyway?

Even though the credential issue should not occur, traditional pam_ldap for user authentication is a very bad idea. It sends plaintext passwords over the network unless you force TLS, which of course requires setting up a PKI for your net. If you do not want that and don't want to go for Kerberos, then winbind is a sensible option. However, using winbind for NSS also has its own potential to drive you nuts. ;)

Concerning the error message: pam_ldap tries to bind to LDAP using the DN shown and fails. The DN is configured as something like "rootDN" in the pam_ldap config. It could be that the password is also in the config file, but better practice is to have it in a separate file, usually called *.secret. The file name should in turn be configured in the PAM configuration. The description fits libnss-ldap more closely, but I recall that it was not much different for pam-ldap.

Regards,
- lars.
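The bind Lars describes (pam_ldap binding with the DN from its config and the password from a *.secret file) can be reproduced outside of PAM, which isolates an "Invalid credentials" error from everything else PAM does. The following POSIX shell script is an added example and not part of the thread or of the pam_ldap project: it reads the relevant directives and builds (or runs) the equivalent bind with OpenLDAP's ldapwhoami. The file paths /etc/pam_ldap.conf and /etc/pam_ldap.secret, the directive names uri, rootbinddn, binddn and ssl, and the sample configuration are assumptions; check the real files on your distribution.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the bind that pam_ldap /
# nss_ldap performs, outside of PAM, with the OpenLDAP client tools, so an
# "Invalid credentials" error can be examined in isolation.
#
# Assumptions (not stated in the thread, adjust for your distribution):
#   - directives live in /etc/pam_ldap.conf as "key value" lines
#     (uri, base, rootbinddn or binddn, ssl start_tls)
#   - the rootbinddn password sits alone in /etc/pam_ldap.secret (mode 0600)

# Print the value of KEY from FILE; '#' comments skipped, first match wins,
# empty output if the key is absent.
ldap_conf_get() { # usage: ldap_conf_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key  { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Pick the DN pam_ldap would bind with: rootbinddn first, then binddn.
ldap_bind_dn() { # usage: ldap_bind_dn FILE
    dn=$(ldap_conf_get "$1" rootbinddn)
    [ -n "$dn" ] || dn=$(ldap_conf_get "$1" binddn)
    printf '%s\n' "$dn"
}

# Print the ldapwhoami command that mirrors that bind, without running it,
# so the URI and DN can be inspected before the secret touches a process list.
#   -x   simple bind, like pam_ldap
#   -ZZ  added when the config says "ssl start_tls": fail unless StartTLS
#        succeeds, so the password is never sent in the clear
# Command substitution strips the trailing newline of the secret file, which
# pam_ldap also drops; "ldapwhoami -y FILE" would send the newline as part
# of the password and bind would fail with Invalid credentials.
ldap_bind_cmd() { # usage: ldap_bind_cmd CONF SECRET
    uri=$(ldap_conf_get "$1" uri)
    dn=$(ldap_bind_dn "$1")
    tls=""
    [ "$(ldap_conf_get "$1" ssl)" = start_tls ] && tls=" -ZZ"
    printf 'ldapwhoami -x%s -H "%s" -D "%s" -w "$(cat %s)"\n' "$tls" "$uri" "$dn" "$2"
}

# Run the bind for real. Exit status 0 means the DN and password are accepted
# (ldapwhoami prints "dn:<bound DN>"); the thread's error shows up as
# "ldap_bind: Invalid credentials (49)".
ldap_bind_check() { # usage: ldap_bind_check CONF SECRET
    uri=$(ldap_conf_get "$1" uri)
    dn=$(ldap_bind_dn "$1")
    [ -n "$uri" ] && [ -n "$dn" ] || { echo "uri or bind DN missing in $1" >&2; return 2; }
    [ -r "$2" ] || { echo "cannot read secret file $2" >&2; return 2; }
    if [ "$(ldap_conf_get "$1" ssl)" = start_tls ]; then
        ldapwhoami -x -ZZ -H "$uri" -D "$dn" -w "$(cat "$2")"
    else
        ldapwhoami -x -H "$uri" -D "$dn" -w "$(cat "$2")"
    fi
}

# Offline demo on a constructed config (no server is contacted):
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample, not a real site configuration
uri ldap://ldap.darkdragon.lan/
base dc=darkdragon,dc=lan
rootbinddn cn=admin,dc=darkdragon,dc=lan
ssl start_tls
EOF
ldap_bind_cmd "$demo_conf" /etc/pam_ldap.secret
rm -f "$demo_conf"
# To test the real bind: ldap_bind_check /etc/pam_ldap.conf /etc/pam_ldap.secret
```

Passing the password with -w exposes it briefly in the process list; for a one-off diagnostic on a box you administer that is usually acceptable, otherwise use -W and type it at the prompt. If the bind succeeds here but pam_ldap still logs Invalid credentials, the DN or secret file PAM actually uses is not the one you are reading, so check which config file the module is compiled to look at before touching the directory.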