Alan Hughes
2016-Jul-08 11:37 UTC
[Samba] Samba update to 4.2.14 (SERNET) breaks LDAP access
Last night we updated our Samba-4 AD server to version 4.2.14 using the SERNET packages, running on SLES 12. We have a number of services (mail services, MANTIS, etc.) that access the server via the LDAP interface and in all cases we discovered that none of them were able to establish a successful LDAP connection after the upgrade.

Previously we used plain LDAP to access the server, i.e. we did not use SSL/TLS. However it appears that the Samba-4 server is now insisting on using SSL/TLS regardless of the settings; if I attempt to perform an LDAP query without SSL/TLS I get:

    ldapsearch -H 'ldap://172.16.6.2:389/' -D *** -w *** -b **
    ldap_bind: Strong(er) authentication required (8)
            additional info: BindSimple: Transport encryption required.

Note that this used to work prior to the upgrade.

Attempting to access via TLS:

    ldapsearch -H 'ldap://172.16.6.2:389/' -D *** -w *** -b ** -Z
    ldap_bind: Strong(er) authentication required (8)
            additional info: BindSimple: Transport encryption required.

Attempting to access via SSL:

    ldapsearch -H 'ldaps://172.16.6.2:636/' -D *** -w *** -b **
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Note that we have not installed any certificates since we are not wanting to use encrypted connections at the moment.

Setting "enable tls = no" in "smb.conf" does not work - we see the same as above.

Does anyone have any ideas? I'm stuck on this.

Further information (just in case someone thinks it might be useful) - the global section from our "smb.conf" file:

    [global]
            workgroup = E2E
            realm = AD.CORPORATE.E2E
            netbios name = JANUS
            server role = active directory domain controller
            server services = -dns, -dnsupdate, -winbind, +winbindd
            dns forwarder = 217.13.128.17
            idmap_ldb:use rfc2307 = yes
            idmap config E2E:backend = ad
            idmap config E2E:schema_mode = rfc2307
            idmap config E2E:range = 10000-40000
            idmap config *:backend = tdb
            idmap config *:range = 2000-9999
            winbind nss info = rfc2307
            rpc_server:spoolss = external
            rpc_daemon:spoolssd = fork

Port status:

    tcp   0   0 0.0.0.0:1024   0.0.0.0:*   LISTEN   12317/samba
    tcp   0   0 0.0.0.0:3268   0.0.0.0:*   LISTEN   12321/samba
    tcp   0   0 0.0.0.0:3269   0.0.0.0:*   LISTEN   12321/samba
    tcp   0   0 0.0.0.0:389    0.0.0.0:*   LISTEN   12321/samba
    tcp   0   0 0.0.0.0:135    0.0.0.0:*   LISTEN   12317/samba
    tcp   0   0 0.0.0.0:464    0.0.0.0:*   LISTEN   12323/samba
    tcp   0   0 0.0.0.0:88     0.0.0.0:*   LISTEN   12323/samba
    tcp   0   0 0.0.0.0:636    0.0.0.0:*   LISTEN   12321/samba
    tcp   0   0 :::1024        :::*        LISTEN   12317/samba
    tcp   0   0 :::3268        :::*        LISTEN   12321/samba
    tcp   0   0 :::3269        :::*        LISTEN   12321/samba
    tcp   0   0 :::389         :::*        LISTEN   12321/samba
    tcp   0   0 :::135         :::*        LISTEN   12317/samba
    tcp   0   0 :::464         :::*        LISTEN   12323/samba
    tcp   0   0 :::88          :::*        LISTEN   12323/samba
    tcp   0   0 :::636         :::*        LISTEN   12321/samba

Thanks in advance.

Alan
Guilherme Boing
2016-Jul-08 11:59 UTC
[Samba] Samba update to 4.2.14 (SERNET) breaks LDAP access
Hello Alan,

I had the same issue and I needed to add this line:

    ldap server require strong auth = no

to smb.conf. Then, just restart/reload samba and it should work.
Alan Hughes
2016-Jul-08 12:01 UTC
[Samba] Samba update to 4.2.14 (SERNET) breaks LDAP access
Yep that fixed it. I found out (at the same time as the reply from Guilherme arrived in my inbox) that option was added in 4.2.10. Added to smb.conf and everything is now working again.

Alan
L.P.H. van Belle
2016-Jul-08 12:02 UTC
[Samba] Samba update to 4.2.14 (SERNET) breaks LDAP access
Hai,

Please read: https://www.samba.org/samba/history/ from 12 April 2016 and below that.

    Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases Available for Download

What you see is correct. And

> Note that we have not installed any certificates since we are not wanting
> to use encrypted connections at the moment.

Then set:

    ldap server require strong auth = no

but please read the change logs, it explains all.

Greetz,

Louis
Marc Muehlfeld
2016-Jul-08 15:05 UTC
[Samba] Samba update to 4.2.14 (SERNET) breaks LDAP access
Hello Alan,

On 08.07.2016 at 13:37, Alan Hughes wrote:
> Last night we updated our Samba-4 AD server to version 4.2.14
> using the SERNET packages, running on SLES 12.

Always check the release notes for new versions - including the ones you're skipping. This one contains the information you're looking for:
https://www.samba.org/samba/history/samba-4.2.10.html

And here in less technical words: :-)
https://wiki.samba.org/index.php/Updating_Samba#Default_for_LDAP_Connections_Requires_Strong_Authentication_.28updating_from_.3C.3D4.4.0.2C_.3C.3D4.3.6_or_.3C.3D4.2.9.29

Regards,
Marc
Marc Muehlfeld
2016-Jul-09 09:33 UTC
[Samba] Samba update to 4.2.14 (SERNET) breaks LDAP access
On 08.07.2016 at 17:12, Alan Hughes wrote:
> Thanks, I realise that now. I discovered the info from the release
> notes at about the same time that the first reply came in from the
> list. Everything is working now.
>
> However it would be useful if
> changes that might break existing configurations (because of changes
> in behaviour or defaults that are now being applied correctly) are
> highlighted a bit more prominently.

I agree. It was not very well visible in the release note that introduced this. I know a lot of people, and we had this often here on the list as well, who run into this issue or temporarily broke stuff hooked up to AD by LDAP.

However, a good place to look at before you're updating is
https://wiki.samba.org/index.php/Updating_Samba#Other_changes_you_should_pay_attention_to.2C_when_updating

It lists the major things you should pay attention to.

Regards,
Marc
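
Added example, not part of the original thread and not Samba project code: a small audit that reads an smb.conf and reports the effective "ldap server require strong auth" policy, so a domain controller where the workaround from this thread was applied can be found again later. The function names and the sample configuration are constructed for illustration, "include" directives are not followed, and the boolean spellings false/0/true/1 are assumed to be accepted as synonyms.

```python
import re

# Documented values of "ldap server require strong auth" (smb.conf(5)).
# The boolean spellings false/0/true/1 are treated as synonyms (assumption).
POLICY = {
    "no": "WEAK: simple and SASL binds accepted on unencrypted connections",
    "allow_sasl_over_tls": "PARTIAL: unsigned SASL binds accepted inside TLS",
    "yes": "STRONG: simple binds only over TLS; cleartext needs SASL sign/seal",
}
SYNONYMS = {"false": "no", "0": "no", "true": "yes", "1": "yes"}
PARAM = "ldapserverrequirestrongauth"


def strong_auth_setting(conf_text):
    """Return the effective value from [global], or the default 'yes'."""
    section, value = None, "yes"
    # Join backslash-continued lines before parsing.
    text = re.sub(r"\\\r?\n", "", conf_text)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, val = line.split("=", 1)
        # Samba ignores case and whitespace in parameter names.
        if re.sub(r"\s+", "", name).lower() == PARAM:
            val = val.strip().lower()
            value = SYNONYMS.get(val, val)  # last occurrence wins
    return value


def audit(conf_text):
    """Return (effective value, human-readable finding)."""
    value = strong_auth_setting(conf_text)
    return value, POLICY.get(value, "UNKNOWN value, check smb.conf(5)")


# Constructed sample: a [global] section after the workaround from this thread.
SAMPLE = """[global]
    workgroup = E2E
    server role = active directory domain controller
    ; workaround applied after the 4.2.14 upgrade
    LDAP Server Require Strong Auth = no
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
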