lingpanda101 at gmail.com
2016-Apr-13 16:15 UTC
[Samba] Unable to authenticate ldap externally after upgrade from 4.4.0 to 4.4.2
Hello,
After upgrading, all external services will no longer authenticate
to the domain. One of those is osTicket. Looking through the release
notes I figured this would happen. However, I'm a bit tentative about making
changes to my smb.conf, for fear of doing damage, without first asking for help from the
list. I have 6 DCs. One holds all the FSMO roles. This is the smb.conf
from that DC.
[global]
        workgroup = DOMAIN
        realm = DOMAIN.LOCAL
        netbios name = PFDC1
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = Yes

        log level = 0
        logging = syslog at 1 file
        debug uid = Yes
        debug pid = Yes

        allow dns updates = nonsecure

        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes

        # Add and Update TLS Key
        tls enabled = yes
        tls keyfile = tls/sambaKey.pem
        tls certfile = tls/sambaCert.pem
        tls cafile

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
The only difference this DC has in its smb.conf from the others is the
TLS key section. I needed to create a custom self-signed certificate for
another service that required a stronger key, 2048 bit. Not sure if this
has any bearing on my issue. I think my issue has to do with the
following value:
'ldap server require strong auth = yes'
Is this where I should be looking? For reference, this is how I set up
the osTicket parameters for external LDAP authentication:
http://blog.zwiegnet.com/linux-server/configure-osticket-for-ldap-authentication/
The DCs are all Ubuntu 12.04. I installed Samba from tar with the following
commands.
./configure
make
make install
Installation went fine without error. Thanks.
--
-James
lingpanda101 at gmail.com
2016-Apr-13 17:48 UTC
[Samba] Unable to authenticate ldap externally after upgrade from 4.4.0 to 4.4.2
As I suspected, the line 'ldap server require strong auth = yes' does play a role.
Setting this to no allowed external authentication again. Not with osTicket, but it allowed other services I was having issues authenticating with. I will attempt to enable TLS on those applications so I can use the default behavior.
--
-James
lingpanda101 at gmail.com
2016-Apr-14 12:52 UTC
[Samba] Unable to authenticate ldap externally after upgrade from 4.4.0 to 4.4.2
The issue with osTicket was that I needed to add 'ldap server require strong auth = yes' to the second DC's smb.conf in the site. Oversight on my part. Can someone explain the difference between the 'allow_sasl_over_tls' and 'yes' options? More specifically 'yes', as the prior option seems self-explanatory. Thanks.
--
-James
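The closing question, how 'allow_sasl_over_tls' differs from 'yes', is answered by the smb.conf(5) description of the option: 'no' accepts every bind on every transport; 'allow_sasl_over_tls' accepts simple binds and SASL binds without sign or seal only inside TLS, and on cleartext connections accepts only SASL binds that carry sign or seal; 'yes' keeps the cleartext rule but inside TLS accepts only simple binds, so the one thing it adds is refusing SASL binds inside TLS. The Python below is an added example, not from the thread or from Samba, that encodes that documented policy and runs it over a constructed inventory of client bind styles (the host names are made up) to show which clients, including a cleartext simple bind on 389 like the one that stopped working here, break when the default moves to 'yes'.

```python
"""Added example (not from the thread or from Samba): a model of the
'ldap server require strong auth' policy as documented in smb.conf(5),
used to predict which client bind styles an upgrade to the 'yes' default
will break.  All client profiles below are constructed, not real hosts."""
from dataclasses import dataclass

SETTINGS = ("no", "allow_sasl_over_tls", "yes")


@dataclass(frozen=True)
class BindProfile:
    name: str
    mechanism: str                  # "simple" (DN + password) or "sasl" (e.g. GSSAPI)
    tls: bool                       # bind happens inside LDAPS or after StartTLS
    signed_or_sealed: bool = False  # SASL negotiated integrity (sign) or privacy (seal)


def bind_allowed(profile: BindProfile, setting: str) -> bool:
    """True if a DC configured with `setting` accepts this bind (smb.conf(5) rules)."""
    setting = setting.lower()
    if setting not in SETTINGS:
        raise ValueError(f"unknown value {setting!r}, expected one of {SETTINGS}")
    if setting == "no":
        return True  # pre-4.4 behaviour: cleartext passwords on 389 are accepted
    if not profile.tls:
        # Cleartext transport: only SASL binds that carry sign or seal pass.
        return profile.mechanism == "sasl" and profile.signed_or_sealed
    if profile.mechanism == "simple":
        return True  # the password is protected by TLS under both stricter values
    # SASL inside TLS: tolerated by allow_sasl_over_tls, refused by yes.
    return setting == "allow_sasl_over_tls"


def migration_impact(profiles, old="no", new="yes"):
    """Names of profiles that bound under `old` but are refused under `new`."""
    return [p.name for p in profiles
            if bind_allowed(p, old) and not bind_allowed(p, new)]


# Constructed inventory mirroring the thread: a ticketing app doing a plain simple
# bind on 389, an app on LDAPS, a Kerberos client with sign+seal, and an app doing
# unsigned SASL after StartTLS.
INVENTORY = [
    BindProfile("osticket-simple-389", "simple", tls=False),
    BindProfile("webapp-simple-ldaps-636", "simple", tls=True),
    BindProfile("sssd-gssapi-sign-seal", "sasl", tls=False, signed_or_sealed=True),
    BindProfile("legacy-sasl-starttls", "sasl", tls=True),
]

if __name__ == "__main__":
    for new in ("allow_sasl_over_tls", "yes"):
        print(f"no -> {new}: breaks {migration_impact(INVENTORY, new=new)}")
```

Running it shows the two stricter values differ only for the unsigned SASL client inside TLS, which is exactly the case 'allow_sasl_over_tls' exists to accommodate.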