Hi,

I'm trying to migrate a Samba 3 NT domain to Samba 4 AD. We have migrated the data and it seems correct, but now we need to connect with ldapsearch and always receive errors like:

    ldap_bind: Strong(er) authentication required (8)
    additional info: BindSimple: Transport encryption required.

The command used is:

    /usr/bin/ldapsearch -H ldap://server -x -LLL -z 0 -D "uid=user,ou=Users,dc=domain,dc=com" -w "pwd" -b "ou=Users,dc=domain,dc=com"

I have tested authentication with SSL from an external application and it works OK and seems correctly configured.

I have tried to run ldapsearch with SSL and without, but always receive errors. Using the ldapadmin client I can connect with GSSAPI on port 389, but with ldapsearch I can't make it work...

How can I query the Samba 4 AD LDAP with ldapsearch?

Thanks
Hi,

> how can I query samba 4 AD ldap with ldapsearch?

Just don't use ldaps://, instead use Kerberos (-k yes):

    kinit administrator
    ldbsearch -H ldap://addc.example.net "cb=administrator" -k yes

I know it seems strange, but direct encryption with Kerberos is more secure than LDAP over SSL/TLS. Therefore, we only accept simple binds over ldaps:// by default, or:

    ldap server require strong auth = no

Hope that helps,
MJ
Hi,

First of all, thanks for your answer.

I have tried it but it is not working; we receive:

    # kinit administrator
    Password for administrator at DOM.COM:
    Warning: Your password will expire in 33 days on Fri 22 Jul 2016 07:52:12 PM CEST

    # ldbsearch -H ldap://debian8DC1 "cb=administrator" -k yes
    Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
    Failed to connect to 'ldap://debian8DC1' with backend 'ldap': (null)
    Failed to connect to ldap://debian8DC1 - (null)

Is it possible to keep the same or a similar configuration to the one used with Samba 3 + OpenLDAP to make queries to LDAP? We have many scripts using ldapsearch... Is it possible to keep the scripts using ldapsearch?

Thanks

2016-06-17 16:20 GMT+02:00 Trenta sis <trenta.sis at gmail.com>:
On my side I needed TLS_REQCERT allow in /etc/ldap.conf to get ldaps working.

To use unencrypted connections add

    ldap server require strong auth = no

to the global section of smb.conf.

achim~

On 19.06.2016 at 18:55, Trenta sis wrote:
On 19/06/16 17:55, Trenta sis wrote:
OK, I think your search isn't quite right. When I kinit as Administrator, then run this:

    rowland at devstation:~$ ldbsearch -H ldap://dc1 -b "dc=samdom,dc=example,dc=com" -s sub '(samaccountname=Administrator)' -k yes

I get this:

    # record 1
    dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: Administrator
    description: Built-in account for administering the computer/domain
    instanceType: 4
    whenCreated: 20151106115615.0Z
    uSNCreated: 3545
    name: Administrator
    objectGUID: fc9d301b-d893-4cc7-8167-8d977c531afb
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 0
    lastLogoff: 0
    pwdLastSet: 130912845750000000
    primaryGroupID: 513
    objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
    adminCount: 1
    logonCount: 0
    sAMAccountName: Administrator
    sAMAccountType: 805306368
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
     om
    isCriticalSystemObject: TRUE
    memberOf: CN=Administrators,CN=Builtin,DC=samdom,DC=example,DC=com
    memberOf: CN=Group Policy Creator Owners,CN=Users,DC=samdom,DC=example,DC=com
    memberOf: CN=Enterprise Admins,CN=Users,DC=samdom,DC=example,DC=com
    memberOf: CN=Schema Admins,CN=Users,DC=samdom,DC=example,DC=com
    memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
    userAccountControl: 66048
    accountExpires: 0
    lastLogonTimestamp: 131107485215380620
    whenChanged: 20160618183521.0Z
    uSNChanged: 228749
    lastLogon: 131108323871862570
    distinguishedName: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com

    # Referral
    ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

    # Referral
    ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

    # Referral
    ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

    # returned 4 records
    # 1 entries
    # 3 referrals

So you see it does work.
The only other thing I can think of: do you have libpam-krb5 installed on the DC and the Unix clients?

Rowland
Hi,

Solved, only by making these changes:

In /etc/ldap/ldap.conf add

    TLS_CACERT /etc/ldap/ca.pem.crt

Sample query with ldaps:

    # ldapsearch -H ldaps://server -x -LLL -z 0 -D "CN=user,CN=Users,DC=domain,DC=com" -w "p" -b "CN=Users,DC=domain,DC=com"

Solved! Thanks

2016-06-19 18:55 GMT+02:00 Trenta sis <trenta.sis at gmail.com>:
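An added audit script, not from the thread or from Samba, contrasting the working fix above (TLS_CACERT pointing at the domain CA, so ldaps:// still verifies the DC certificate) with the two shortcuts suggested earlier: TLS_REQCERT allow/never in the OpenLDAP client config, which stops certificate verification, and "ldap server require strong auth = no" in smb.conf, which makes the DC accept simple binds over plaintext LDAP. The check functions and the sample config files are my own constructions; pass the real /etc/ldap/ldap.conf and /etc/samba/smb.conf paths to use it on a host.

```shell
#!/bin/sh
# Added audit script (not from the thread). Flags the two shortcuts discussed
# above: TLS_REQCERT allow/never in the OpenLDAP client config (ldaps:// no
# longer verifies the DC certificate) and "ldap server require strong auth = no"
# in smb.conf (the DC accepts simple binds over plaintext LDAP). The OP's fix,
# TLS_CACERT pointing at the domain CA, is what a good ldap.conf should contain.

# Returns 0 if FILE (an ldap.conf) still verifies the DC certificate, 1 otherwise.
check_ldap_conf() {
    f="$1"; rc=0
    if grep -Eiq '^[[:space:]]*TLS_REQCERT[[:space:]]+(allow|never)' "$f"; then
        echo "WEAK: $f: TLS_REQCERT allow/never disables server certificate verification"
        rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]+[^[:space:]]' "$f"; then
        echo "WARN: $f: no TLS_CACERT/TLS_CACERTDIR, ldaps:// cannot validate the DC"
        rc=1
    fi
    return $rc
}

# Returns 0 unless FILE (an smb.conf) switches off the strong-auth requirement.
check_smb_conf() {
    f="$1"
    if grep -Eiq '^[[:space:]]*ldap[[:space:]]*server[[:space:]]*require[[:space:]]*strong[[:space:]]*auth[[:space:]]*=[[:space:]]*(no|false|0|off)' "$f"; then
        echo "WEAK: $f: DC accepts simple binds without transport encryption"
        return 1
    fi
    return 0
}

# Constructed sample files standing in for /etc/ldap/ldap.conf and smb.conf.
demo_dir=$(mktemp -d)
printf 'TLS_CACERT /etc/ldap/ca.pem.crt\n' > "$demo_dir/ldap_good.conf"
printf 'TLS_REQCERT allow\n' > "$demo_dir/ldap_weak.conf"
printf '[global]\n  workgroup = DOM\n' > "$demo_dir/smb_good.conf"
printf '[global]\n  ldap server require strong auth = no\n' > "$demo_dir/smb_weak.conf"

for c in "$demo_dir/ldap_good.conf" "$demo_dir/ldap_weak.conf"; do
    check_ldap_conf "$c" || true
done
for c in "$demo_dir/smb_good.conf" "$demo_dir/smb_weak.conf"; do
    check_smb_conf "$c" || true
done
```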