Hello,

after we upgraded our DC today to Samba version 4.2.11-SerNet-Ubuntu-9.trusty, we get an authentication error when Owncloud is trying to authenticate a user. The only error message we got was:

user_ldap Bind failed: 8: Strong(er) authentication required

This is the smb.conf:
-----------------------------
[global]
workgroup = XXXXXXX
realm = XXXXXXX.INTERN
netbios name = XXX-AD01
server role = active directory domain controller
dns forwarder = XXX.XXX.XXX.XXX
wins support = yes
printing = bsd
printcap name = /etc/printcap
client ldap sasl wrapping = plain

[netlogon]
path = /var/lib/samba/sysvol/XXXXXXX.intern/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------------------------

We added this line:
client ldap sasl wrapping = plain
because we saw this and thought it would help, but it didn't. Has anyone a solution?

Stefan

On 04/13/2016 10:06 PM, Stefan Kania wrote:
> client ldap sasl wrapping = plain
> because we saw this and thought it would help, but it didn't. Has anyone a
> solution?

Try:
ldap server require strong auth = no

On 13/04/16 21:15, mj wrote:
>
> On 04/13/2016 10:06 PM, Stefan Kania wrote:
>> client ldap sasl wrapping = plain
>> because we saw this and thought it would help, but it didn't. Has anyone a
>> solution?
> Try:
> ldap server require strong auth = no
>

Can I suggest you do this only in the short term? I would also suggest you read the latest release notes:

https://www.samba.org/samba/history/samba-4.4.2.html

Paying special attention to this part:

CVE-2016-2112:
...........
.........
The LDAP server doesn't have an option to enforce strong authentication yet. The security patches will introduce a new option called "ldap server require strong auth", possible values are "no", "allow_sasl_over_tls" and "yes".

As the default behavior was as "no" before, you may have to explicitly change this option until all clients have been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors. Windows clients and Samba member servers already use integrity protection.

Rowland

On Wed, Apr 13, 2016 at 10:06:44PM +0200, Stefan Kania wrote:
> Hello,
>
> after we upgraded our DC today to Samba version
> 4.2.11-SerNet-Ubuntu-9.trusty, we get an authentication error when
> Owncloud is trying to authenticate a user. The only error message we got was:
>
> user_ldap Bind failed: 8: Strong(er) authentication required
>
> This is the smb.conf:
> -----------------------------
> [global]
> workgroup = XXXXXXX
> realm = XXXXXXX.INTERN
> netbios name = XXX-AD01
> server role = active directory domain controller
> dns forwarder = XXX.XXX.XXX.XXX
> wins support = yes
> printing = bsd
> printcap name = /etc/printcap
> client ldap sasl wrapping = plain
> [netlogon]
> path = /var/lib/samba/sysvol/XXXXXXX.intern/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> -----------------------------
>
> We added this line:
> client ldap sasl wrapping = plain
> because we saw this and thought it would help, but it didn't. Has anyone a
> solution?

a simple bind over TLS would work. If your server doesn't have a trusted cert, you may have to disable cert checking on the client.

Cheerio!
-slow

On 13.04.2016 at 22:15, mj wrote:
>
> On 04/13/2016 10:06 PM, Stefan Kania wrote:
>> client ldap sasl wrapping = plain
>> because we saw this and thought it would help, but it didn't. Has anyone a
>> solution?
> Try:
> ldap server require strong auth = no
>

Thanks, that works for us.

Stefan

On 13.04.2016 at 22:34, Ralph Boehme wrote:
> On Wed, Apr 13, 2016 at 10:06:44PM +0200, Stefan Kania wrote:
>> Hello,
>>
>> after we upgraded our DC today to Samba version
>> 4.2.11-SerNet-Ubuntu-9.trusty, we get an authentication error
>> when Owncloud is trying to authenticate a user. The only
>> error message we got was:
>>
>> user_ldap Bind failed: 8: Strong(er) authentication required
>>
>> This is the smb.conf:
>> -----------------------------
>> [global]
>> workgroup = XXXXXXX
>> realm = XXXXXXX.INTERN
>> netbios name = XXX-AD01
>> server role = active directory domain controller
>> dns forwarder = XXX.XXX.XXX.XXX
>> wins support = yes
>> printing = bsd
>> printcap name = /etc/printcap
>> client ldap sasl wrapping = plain
>> [netlogon]
>> path = /var/lib/samba/sysvol/XXXXXXX.intern/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>> -----------------------------
>>
>> We added this line:
>> client ldap sasl wrapping = plain
>> because we saw this and thought it would help, but it didn't. Has anyone a
>> solution?
>
> a simple bind over TLS would work. If your server doesn't have a
> trusted cert, you may have to disable cert checking on the client.
>
> Cheerio!
> -slow
>

Hi Ralph,

we will try this.

Stefan
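
An added example, not part of any message in this thread and not Samba's own tooling: a small Python check that reads smb.conf text and reports whether the two LDAP parameters discussed above are set to a weakened value, so that the short-term workaround does not stay in place unnoticed. The sample config is constructed from the first post plus the suggested workaround, and the function names are illustrative.

```python
# Added example, not from the thread: audit the two LDAP parameters discussed above.
# Constructed sample: [global] from the first post plus the suggested workaround.
WORKAROUND_CONF = """\
[global]
workgroup = XXXXXXX
server role = active directory domain controller
client ldap sasl wrapping = plain
ldap server require strong auth = no
[sysvol]
path = /var/lib/samba/sysvol
read only = No
"""

# Per parameter: (weakened values, protected values). Only the values named in
# the release notes and the smb.conf manual are listed; others are "unknown".
CHECKS = {
    "ldap server require strong auth": ({"no"}, {"allow_sasl_over_tls", "yes"}),
    "client ldap sasl wrapping": ({"plain"}, {"sign", "seal"}),
}

def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return "".join(name.split()).lower()

def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf as {normalised name: value}."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip().lower()
    return params

def audit_ldap_auth(conf_text):
    """Classify each checked parameter as weak, ok, unset or unknown."""
    params = parse_global(conf_text)
    report = {}
    for name, (weak, ok) in CHECKS.items():
        value = params.get(_norm(name))
        if value is None:
            report[name] = "unset"  # the server's built-in default applies
        elif value in weak:
            report[name] = "weak"
        else:
            report[name] = "ok" if value in ok else "unknown"
    return report

if __name__ == "__main__":
    for name, verdict in audit_ldap_auth(WORKAROUND_CONF).items():
        print(f"{name}: {verdict}")
```
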