I am working through the book _Implementing Samba 4_ and revalidating
my existing install. I am at the point where I need to check the
contents of the ldap database. The instructions in the book say to do
this:
ldapsearch -x -h localhost -s base - \
Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
-W
Which produces this output:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: -
Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
-W
#
#
dn:
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Which I take to be a success given the result. But this does not ask
for the Password as I expected. Moving the -W switch to before the
subject name results in a password prompt but entering the
Administrator password fails authentication:
ldapsearch -vv -x -h localhost -s base -W -
Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
ldap_initialize( ldap://localhost )
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
What am I doing wrong? I am trying all this as the root user. There
is no Administrator user in /etc/passwd. Are the credentials being
requested those for the root user or for the Administrator user?
Neither work. Why is it succeeding when no password is requested? If
I do a klist then this is the result:
klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: Administrator at DOMAIN-02.HARTE-LYNE.CA
Issued Expires Principal
Jul 6 15:11:53 2016 Jul 7 01:11:53 2016
krbtgt/DOMAIN-02.HARTE-LYNE.CA at DOMAIN-02.HARTE-LYNE.CA
is this where ldap is getting its authentication?
I request your indulgence with respect to these questions. It has been
about 15 years since I last set up an AD-DC and I have zero previous
experience with Samba.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
On 06/07/16 21:27, James B. Byrne wrote:
> I am working through the book _Implementing Samba 4_ and revalidating
> my existing install. I am at the point where I need to check the
> contents of the ldap database. The instructions in the book say to do
> this:

What book?? Have you tried reading the Samba wiki:
https://wiki.samba.org/index.php/Main_Page

>
> ldapsearch -x -h localhost -s base - \
> Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> -W

I take it you are running the above command on the Samba 4 DC, try this instead:

ldbsearch -H ldap://localhost -b 'cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca' -s sub '(cn=Administrator)' -U <a domain user>

>
> Which produces this output:
>
> # extended LDIF
> #
> # LDAPv3
> # base <> (default) with scope baseObject
> # filter: (objectclass=*)
> # requesting: -
> Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> -W
> #
>
> #
> dn:
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Which I take to be a success given the result.

Ah no, it should have dumped the entire AD contents.

> But this does not ask
> for the Password as I expected. Moving the -W switch to before the
> subject name results in a password prompt but entering the
> Administrator password fails authentication:
>
> ldapsearch -vv -x -h localhost -s base -W -
> Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> ldap_initialize( ldap://localhost )
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
>
>
> What am I doing wrong? I am trying all this as the root user. There
> is no Administrator user in /etc/passwd. Are the credentials being
> requested those for the root user or for the Administrator user?
> Neither work.
> Why is it succeeding when no password is requested?

It isn't succeeding and I suggest you use ldb-tools instead of ldap-tools

Rowland

> If
> I do a klist then this is the result:
>
> klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: Administrator at DOMAIN-02.HARTE-LYNE.CA
>
> Issued Expires Principal
> Jul 6 15:11:53 2016 Jul 7 01:11:53 2016
> krbtgt/DOMAIN-02.HARTE-LYNE.CA at DOMAIN-02.HARTE-LYNE.CA
>
>
> is this where ldap is getting its authentication?
>
> I request your indulgence with respect to these questions. It has been
> about 15 years since I last set up an AD-DC and I have zero previous
> experience with Samba.
>
On 06.07.2016 at 22:27, James B. Byrne wrote:
> I am working through the book _Implementing Samba 4_ and revalidating
> my existing install. I am at the point where I need to check the
> contents of the ldap database. The instructions in the book say to do
> this:
>
> ldapsearch -x -h localhost -s base - \
> Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> -W
>
> Which produces this output:
>
> # extended LDIF
> #
> # LDAPv3
> # base <> (default) with scope baseObject
> # filter: (objectclass=*)
> # requesting: -
> Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> -W
> #
>
> #
> dn:
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Which I take to be a success given the result. But this does not ask
> for the Password as I expected. Moving the -W switch to before the
> subject name results in a password prompt but entering the
> Administrator password fails authentication:
>
> ldapsearch -vv -x -h localhost -s base -W -
> Dcn=Administrator,cn=Users,dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca
> ldap_initialize( ldap://localhost )
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
>
>
> What am I doing wrong? I am trying all this as the root user. There
> is no Administrator user in /etc/passwd. Are the credentials being
> requested those for the root user or for the Administrator user?
> Neither work. Why is it succeeding when no password is requested? If
> I do a klist then this is the result:
>
> klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: Administrator at DOMAIN-02.HARTE-LYNE.CA
>
> Issued Expires Principal
> Jul 6 15:11:53 2016 Jul 7 01:11:53 2016
> krbtgt/DOMAIN-02.HARTE-LYNE.CA at DOMAIN-02.HARTE-LYNE.CA
>
>
> is this where ldap is getting its authentication?
>
> I request your indulgence with respect to these questions. It has been
> about 15 years since I last set up an AD-DC and I have zero previous
> experience with Samba.
>

If you want to stick with ldap-tools instead of ldb-tools you have a few options.

1. Use TLS and the samba CA Cert.
Add
  TLS_CACERT /var/lib/samba/private/tls/ca.pem
to /etc/ldap/ldap.conf, the path to the file may be different on your machine.
If the Cert is expired and you do not want to renew it you may also use
  TLS_REQCERT allow
instead.
Now add the -Z option to your ldapsearch parameters and the query should succeed.

2. Use GSSAPI
Add
  SASL_MECH gssapi
to /etc/ldap/ldap.conf
Run
  kinit Administrator
Afterwards ldapsearch works without -W -x (-Z).

3. Allow simple binds (insecure)
Add
  ldap server require strong auth = no
to smb.conf, restart samba and your queries should work unmodified.
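Added example (not from this thread, and not Samba's or OpenLDAP's own code): a small POSIX shell script that shows two things the replies above point at. First, what the original command line actually asked the server for: ldapsearch stops option parsing at the first token that is not an option (the lone "-"), so "- Dcn=... -W" became the requested attribute list, which is exactly what the quoted "# requesting:" lines show, and the bind DN was never set. Second, how to turn the client-side settings from the three options (TLS_CACERT/TLS_REQCERT, SASL_MECH gssapi, or plain simple binds) into a matching ldapsearch invocation with the bind DN attached to -D and an explicit search base. The base DN and ldap://localhost come from the thread; the sample ldap.conf text, the function names, and the rule that the first remaining token is the filter only when it contains "=" are constructed or assumed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Values below are taken from the
# thread (BASE_DN, DC_URI) or constructed for illustration.
BASE_DN='dc=server-02,dc=domain-02,dc=harte-lyne,dc=ca'
DC_URI='ldap://localhost'

# Approximate ldapsearch's argument grammar: options (and their values) are
# consumed until the first non-option token, which ends option parsing; the
# first remaining token is the filter only if it contains "=" (assumed rule);
# every remaining token is an attribute to request. Prints what the server
# would be asked for, so a split "-D" is visible instead of silently accepted.
explain_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -[bDhHpPsSwyYaTzfloOUXReEdF]) shift 2 ;;  # option with a separate value
            -?*) shift ;;                             # flag (-x, -W, -vv) or attached value
            *) break ;;                               # non-option token: options end here
        esac
    done
    filter='(objectclass=*)'
    if [ $# -gt 0 ]; then
        case "$1" in *=*) filter=$1; shift ;; esac
    fi
    printf 'filter=%s attrs=%s\n' "$filter" "$*"
}

# Read an ldap.conf on stdin and classify the bind method it selects:
# SASL_MECH gssapi -> gssapi, TLS_CACERT/TLS_REQCERT -> tls, otherwise simple.
# Comments and blank lines are skipped; keys are matched case-insensitively.
bind_mode() {
    mode=simple
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line
        key=$(printf '%s' "${1:-}" | tr '[:lower:]' '[:upper:]')
        val=$(printf '%s' "${2:-}" | tr '[:upper:]' '[:lower:]')
        case "$key:$val" in
            SASL_MECH:gssapi) mode=gssapi ;;
            TLS_CACERT:*|TLS_REQCERT:*) [ "$mode" = gssapi ] || mode=tls ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Print the ldapsearch command for a bind mode. The DN is one argument after
# -D, -b gives the search base (the original used -s base with no -b, so it
# searched the empty root DSE and got back one entry with an empty "dn:"),
# and the filter is the last token so nothing after it is mistaken for an
# attribute name.
ldapsearch_cmd() {
    mode=$1; user=$2; filter=${3:-'(cn=Administrator)'}
    bind_dn="cn=$user,cn=Users,$BASE_DN"
    case "$mode" in
        tls)    printf "ldapsearch -x -Z -H %s -D '%s' -W -b '%s' -s sub '%s'\n" \
                    "$DC_URI" "$bind_dn" "$BASE_DN" "$filter" ;;
        gssapi) printf "ldapsearch -Y GSSAPI -H %s -b '%s' -s sub '%s'\n" \
                    "$DC_URI" "$BASE_DN" "$filter" ;;          # ticket from kinit, no -x/-W
        simple) printf "ldapsearch -x -H %s -D '%s' -W -b '%s' -s sub '%s'\n" \
                    "$DC_URI" "$bind_dn" "$BASE_DN" "$filter" ;; # password crosses the wire unprotected
        *) printf 'unknown bind mode: %s\n' "$mode" >&2; return 1 ;;
    esac
}

# Constructed ldap.conf standing in for /etc/ldap/ldap.conf after option 1.
SAMPLE_LDAP_CONF='# constructed for this example
TLS_CACERT /var/lib/samba/private/tls/ca.pem
TLS_REQCERT allow'

echo "The original command asked the server for:"
explain_args -x -h localhost -s base - "Dcn=Administrator,cn=Users,$BASE_DN" -W
echo "With the DN attached to -D and an explicit filter it asks for:"
explain_args -x -h localhost -s base -D "cn=Administrator,cn=Users,$BASE_DN" -W '(cn=Administrator)'
mode=$(printf '%s\n' "$SAMPLE_LDAP_CONF" | bind_mode)
echo "ldap.conf selects bind mode: $mode"
ldapsearch_cmd "$mode" Administrator
```

The first explain_args line reproduces the "# requesting: - Dcn=... -W" seen in the quoted output, which is why no password prompt appeared: -W was never parsed as an option. Of the three modes, the simple one prints the command that only works once strong auth is switched off on the DC, and its comment marks the cost of that setting.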