lingpanda101 at gmail.com
2016-Apr-13 16:15 UTC
[Samba] Unable to authenticate ldap externally after upgrade from 4.4.0 to 4.4.2
Hello,

After upgrading, all external services will no longer authenticate to the domain. One of those is osTicket. Looking through the release notes I figured this would happen. However I'm a bit tentative to make changes to my smb.conf without doing damage and asking for help from the list. I have 6 DCs. One holds all the FSMO roles. This is the smb.conf from that DC.

    [global]
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    netbios name = PFDC1
    server role = active directory domain controller
    dns forwarder = 8.8.8.8
    idmap_ldb:use rfc2307 = Yes

    log level = 0
    logging = syslog@1 file
    debug uid = Yes
    debug pid = Yes

    allow dns updates = nonsecure

    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes

    # Add and Update TLS Key
    tls enabled = yes
    tls keyfile = tls/sambaKey.pem
    tls certfile = tls/sambaCert.pem
    tls cafile

    [netlogon]
    path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
    read only = No

    [sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

The only difference this DC has in its smb.conf from the others is the TLS key section. I needed to create a custom self-signed certificate for another service that required a stronger key, 2048 bit. Not sure if this has any bearing on my issue. I think my issue has to do with the following value:

    ldap server require strong auth = yes

Is this where I should be looking? For reference, this is how I set up the osTicket parameters for external LDAP authentication:

http://blog.zwiegnet.com/linux-server/configure-osticket-for-ldap-authentication/

DCs are all Ubuntu 12.04. Installed Samba from tar with the following commands:

    ./configure
    make
    make install

Installation went fine without error. Thanks.

--
-James
lingpanda101 at gmail.com
2016-Apr-13 17:48 UTC
[Samba] Unable to authenticate ldap externally after upgrade from 4.4.0 to 4.4.2
On 4/13/2016 12:15 PM, lingpanda101 at gmail.com wrote:
> After upgrading, all external services will no longer authenticate to the domain. One of those is osTicket.
> [...]
> I think my issue has to do with the following value:
>
>     ldap server require strong auth = yes
>
> Is this where I should be looking?
> [...]

As I suspected, the line 'ldap server require strong auth = yes' does play a role. Setting this to no allowed external authentication again. Not with osTicket. It allowed other services I was having issues authenticating with. I will attempt to enable TLS on those applications so I can use the default behavior.

--
-James
lingpanda101 at gmail.com
2016-Apr-14 12:52 UTC
[Samba] Unable to authenticate ldap externally after upgrade from 4.4.0 to 4.4.2
On 4/13/2016 1:48 PM, lingpanda101 at gmail.com wrote:
> On 4/13/2016 12:15 PM, lingpanda101 at gmail.com wrote:
>> I think my issue has to do with the following value:
>>
>>     ldap server require strong auth = yes
>>
>> Is this where I should be looking?
>> [...]
>
> As I suspected, the line 'ldap server require strong auth = yes' does play a role. Setting this to no allowed external authentication again. Not with osTicket. It allowed other services I was having issues authenticating with. I will attempt to enable TLS on those applications so I can use the default behavior.

The issue with osTicket was I needed to add 'ldap server require strong auth = yes' to the second DC's smb.conf in the site. Oversight on my part. Can someone explain the difference between the 'allow_sasl_over_tls' and 'yes' options? More specifically 'yes', as the prior option seems self-explanatory. Thanks.

--
-James
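The thread's two findings are that the option's value decides which LDAP binds a DC accepts, and that a value present on one DC but not another leaves clients behaving differently depending on which DC they reach. The script below is an added example, not code from the thread or from the Samba project. It parses the [global] section of several DCs' smb.conf files, applies the meaning of the option's three values as described in smb.conf(5) (assumed here: 'no' permits every bind; 'allow_sasl_over_tls' permits simple binds and unsigned SASL binds only inside TLS; 'yes' permits simple binds only inside TLS and SASL binds only with sign/seal, even over TLS), takes 'yes' as the default when the option is absent, and reports whether a given client bind style is accepted consistently across the site. The DC names other than PFDC1, the config fragments and the osTicket bind style are constructed for the demonstration.

```python
"""Audit 'ldap server require strong auth' across several DCs' smb.conf files.

Added example, not code from the thread or from Samba. The policy table
below is this example's reading of smb.conf(5); the default of 'yes' when
the option is absent is assumed (Samba 4.4.2 behaviour as the thread reports).
"""
import re
from dataclasses import dataclass

OPTION = "ldap server require strong auth"
DEFAULT = "yes"                      # assumed default when the option is absent
VALID = {"no", "allow_sasl_over_tls", "yes"}


def normalize_key(key: str) -> str:
    """Samba matches parameter names ignoring case and internal whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf parser: {section: {normalized_key: value}}.
    Comment lines (# or ;) and lines without '=' (such as the bare
    'tls cafile' in the thread) are skipped rather than treated as errors."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][normalize_key(key)] = value.strip()
    return sections


def effective_setting(conf: dict) -> str:
    """Value of the option in [global], falling back to the assumed default."""
    value = conf.get("global", {}).get(normalize_key(OPTION), DEFAULT).lower()
    if value not in VALID:
        raise ValueError(f"unknown value for '{OPTION}': {value!r}")
    return value


@dataclass(frozen=True)
class Bind:
    mechanism: str   # "simple" (DN + password) or "sasl" (GSSAPI, NTLMSSP, ...)
    tls: bool        # sent over LDAPS or after STARTTLS
    integrity: bool  # SASL sign/seal negotiated (irrelevant for simple binds)


def bind_allowed(setting: str, bind: Bind) -> bool:
    """Decide one bind against one value of the option (policy as read from smb.conf(5))."""
    if setting == "no":
        return True
    if bind.mechanism == "simple":
        # Both stricter values accept a simple bind only inside TLS.
        return bind.tls
    if setting == "allow_sasl_over_tls":
        # SASL without sign/seal is tolerated when TLS protects the connection.
        return bind.integrity or bind.tls
    # 'yes': SASL must bring its own integrity; TLS is not accepted as a substitute.
    return bind.integrity


def audit(dc_confs: dict, bind: Bind) -> dict:
    """{dc_name: (effective_setting, accepted)} for one client bind style."""
    results = {}
    for name, text in dc_confs.items():
        setting = effective_setting(parse_smb_conf(text))
        results[name] = (setting, bind_allowed(setting, bind))
    return results


def inconsistent(results: dict) -> bool:
    """True when the DCs disagree: a client that picks any DC from DNS will then
    authenticate only some of the time, the symptom described in the thread."""
    return len({accepted for _, accepted in results.values()}) > 1


# Constructed smb.conf fragments. PFDC1 mirrors the thread (option absent);
# PFDC2 and PFDC3 are made-up DCs with the two other values.
DC_CONFS = {
    "PFDC1": "[global]\n  workgroup = DOMAIN\n  realm = DOMAIN.LOCAL\n"
             "  server role = active directory domain controller\n"
             "  # Add and Update TLS Key\n  tls enabled = yes\n  tls cafile\n",
    "PFDC2": "[global]\n  realm = DOMAIN.LOCAL\n"
             "  ldap server require strong auth = allow_sasl_over_tls\n",
    "PFDC3": "[global]\n  realm = DOMAIN.LOCAL\n"
             "  ldap server require strong auth = no\n",
}

# Assumed osTicket style: plain-text simple bind on port 389, no TLS.
PLAIN_SIMPLE_BIND = Bind("simple", tls=False, integrity=False)

if __name__ == "__main__":
    results = audit(DC_CONFS, PLAIN_SIMPLE_BIND)
    for dc, (setting, ok) in results.items():
        print(f"{dc}: {OPTION} = {setting:<20} plain simple bind "
              f"{'accepted' if ok else 'REJECTED'}")
    if inconsistent(results):
        print("DCs disagree; set the option identically on every DC and move "
              "the client to LDAPS or STARTTLS so the default can stay.")
```

Run as written, the audit shows PFDC1 (default 'yes') and PFDC2 rejecting the plain-text simple bind while PFDC3 accepts it, which is exactly the situation where a client that resolves the domain to several DCs works intermittently. The `bind_allowed` table also answers the thread's final question: the only case where 'yes' and 'allow_sasl_over_tls' differ is a SASL bind carried inside TLS without sign/seal, which 'yes' refuses and 'allow_sasl_over_tls' accepts; a simple bind in clear text is refused by both.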