Andrew Bartlett
2017-Mar-07 21:22 UTC
[Samba] LDAP logins failing after installing Samba 4.4.5
On Tue, 2017-03-07 at 09:05 +0000, Rowland Penny via samba wrote:
> On Tue, 7 Mar 2017 01:50:31 +0100
> Bart Coninckx via samba <samba at lists.samba.org> wrote:
>
> > Hi all,
> >
> > I had an LDAP application (mailserver) running on Samba 4.1.3 which
> > worked flawlessly. Also using an LDAP browser with a simple bind
> > worked OK.
> >
> > I then replaced the Samba installation with version 4.5 and the LDAP
> > functionality broke. I first thought it had to do with a non-SSL or
> > non-TLS and though I now get an error message when doing a simple
> > bind without encryption, activating encryption does not work
> > either.
> >
> > Is there a way to configure how Samba expects LDAP binds to happen?
>
> AD does not allow simple binds. It might help if you told us just what
> mailserver you are using.

To be clear, AD does allow simple binds. We restrict them in Samba per
the "ldap server require strong auth" parameter.

Thanks,

Andrew Bartlett
Bart Coninckx
2017-Mar-07 21:58 UTC
[Samba] LDAP logins failing after installing Samba 4.4.5
>> AD does not allow simple binds. It might help if you told us just
>> what mailserver you are using.
>
> To be clear, AD does allow simple binds. We restrict them in Samba per
> the "ldap server require strong auth" parameter.
>
> Thanks,
>
> Andrew Bartlett

Hi,

This was exactly what the mailserver people suggested and it worked beautifully. Since the connection is local, encryption, though better, can be done without.

I was thinking that simple bind activation needed to be done with a GPO, but a parameter in smb.conf makes of course more sense.

BC
Rowland Penny
2017-Mar-08 08:41 UTC
[Samba] LDAP logins failing after installing Samba 4.4.5
On Wed, 08 Mar 2017 10:22:27 +1300 Andrew Bartlett <abartlet at samba.org> wrote:
>
> To be clear, AD does allow simple binds. We restrict them in Samba
> per the "ldap server require strong auth" parameter.
>

It all depends on your definition of 'simple', mine was without authenticated username and password.

Rowland
Andrew Bartlett
2017-Mar-08 17:59 UTC
[Samba] LDAP logins failing after installing Samba 4.4.5
On Wed, 2017-03-08 at 08:41 +0000, Rowland Penny via samba wrote:
> On Wed, 08 Mar 2017 10:22:27 +1300
> Andrew Bartlett <abartlet at samba.org> wrote:
>
> >
> > To be clear, AD does allow simple binds. We restrict them in Samba
> > per the "ldap server require strong auth" parameter.
> >
>
> It all depends on your definition of 'simple', mine was without
> authenticated username and password.

The words "simple bind" have a specific meaning in the spec:

https://tools.ietf.org/html/rfc4513#section-5.1

(What we don't implement is 5.1.2, that is treating a user DN but no password as special, we will just fail the login with invalidCredentials rather than unwillingToPerform).

I hope this helps clarify the terms in use here,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
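
The RFC 4513 section 5.1 terms used in the thread can be read straight off the wire. The following is an added example, not part of the thread and not Samba code: it parses a BER-encoded LDAP BindRequest and names the bind type. The DN, password and helper names are constructed for illustration.

```python
# Added example: name the kind of bind an LDAP BindRequest asks for,
# using the RFC 4513 section 5.1 terms. Sample messages are constructed.

def read_tlv(buf, pos):
    """Read one BER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify_bind(msg):
    """Return 'anonymous', 'unauthenticated', 'name/password', 'sasl' or 'undefined'."""
    tag, body, _ = read_tlv(msg, 0)         # LDAPMessage SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body, 0)           # messageID
    tag, op, _ = read_tlv(body, pos)        # protocolOp
    if tag != 0x60:                         # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(op, 0)             # version
    _, name, pos = read_tlv(op, pos)        # name (LDAPDN)
    tag, cred, _ = read_tlv(op, pos)        # authentication CHOICE
    if tag == 0xA3:                         # sasl [3]
        return "sasl"
    if tag != 0x80:                         # simple [0]
        raise ValueError("unknown authentication choice")
    if not cred:                            # 5.1.1 vs 5.1.2: empty password
        return "unauthenticated" if name else "anonymous"
    return "name/password" if name else "undefined"   # 5.1.3 needs a DN

def enc(tag, value=b""):
    """Encode one short (< 128 byte) BER element; only used to build samples."""
    return bytes([tag, len(value)]) + value

def sample_bind(name, auth):
    """Constructed LDAPv3 BindRequest with messageID 1."""
    op = enc(0x02, b"\x03") + enc(0x04, name) + auth
    return enc(0x30, enc(0x02, b"\x01") + enc(0x60, op))

DN = b"cn=mail,dc=example,dc=com"           # constructed account name
if __name__ == "__main__":
    for auth in (enc(0x80), enc(0x80, b"secret"), enc(0xA3, enc(0x04, b"GSSAPI"))):
        print(classify_bind(sample_bind(DN, auth)))
```

A "name/password" result on a connection without TLS is the case the "ldap server require strong auth" parameter restricts.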