samba - Mar 2017 - LDAP logins failing after installing Samba 4.4.5

On Tue, 2017-03-07 at 09:05 +0000, Rowland Penny via samba
wrote:
> On Tue, 7 Mar 2017 01:50:31 +0100
> Bart Coninckx via samba <samba at lists.samba.org> wrote:
> 
> > Hi all,
> > 
> >  
> > I had an LDAP application (mailserver) running on Samba 4.1.3 which
> > wrked flawlessly. Also using an LDAP browser with a simple bind
> > worked OK.
> > 
> > I than replaced the Samba installation with version 4.5 and the
> > LDAP
> > functionality broke. I first thought it had to do with a non-SSL or
> > non -TLS and though I now get an error message when doing a simple
> > bind without encryption, activating encryption does not work
> > either.
> > 
> >  
> > Is there a way to configure how Samba expects LDAP binds to happen?
> 
> AD does not allow simple binds, It might help if you told us just
> what
> mailserver you are using.
To be clear, AD does allow simple binds.  We restrict them in Samba per
the "ldap server require strong auth" parameter. 

Thanks,

Andrew Bartlett

>> AD does not allow simple binds, It might help if you told us just
>> what
>> mailserver you are using.
>To be clear, AD does allow simple binds.  We restrict them in Samba per
>the "ldap server require strong auth" parameter. 
>Thanks,
>Andrew Bartlett
 
Hi,

 
This was exactly what the mailserver people suggested and it worked
beautifully. 

Since the connection is local, encryption, though better, can be done without. I
was thinking that simple bind activation needed to be done with a GPO, but a
parameter in smb.conf makes of course more sense.

 
BC

On Wed, 08 Mar 2017 10:22:27 +1300
Andrew Bartlett <abartlet at samba.org> wrote:
> 
> To be clear, AD does allow simple binds.  We restrict them in Samba
> per the "ldap server require strong auth" parameter. 
> 
It all depends on your definition of 'simple', mine was without
authenticated username and password.

Rowland

On Wed, 2017-03-08 at 08:41 +0000, Rowland Penny via samba
wrote:
> On Wed, 08 Mar 2017 10:22:27 +1300
> Andrew Bartlett <abartlet at samba.org> wrote:
> 
> > 
> > To be clear, AD does allow simple binds.  We restrict them in Samba
> > per the "ldap server require strong auth" parameter. 
> > 
> 
> It all depends on your definition of 'simple', mine was without
> authenticated username and password.
The words "simple bind" have a specific meaning in the spec:

https://tools.ietf.org/html/rfc4513#section-5.1

(What we don't implement is 5.1.2, that is treating a user DN but no
password as special, we will just fail the login with
invalidCredentials rather than unwillingToPerform).

I hope this helps clarify the terms in use here,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba