contact at makz.me
2017-Mar-09 10:51 UTC
[Samba] NT_STATUS_LOGON_FAILURE when trying to bind LDAP
Hello,

I have a Samba 4 Active Directory, and I have some applications that use the Administrator user to bind the LDAP.

No problems with the Administrator user, but I'd like to create an application-specific user to bind the LDAP.

Unfortunately, when I try to do a simple ldapsearch with the new user (the user is in domain admins/administrators & schema admins), it throws me an NT_STATUS_LOGON_FAILURE.

[root at dc tls]# id ssp
uid=3000026(DOMAIN\ssp) gid=513(DOMAIN\domain users) groups=513(DOMAIN\domain users),3000026(DOMAIN\ssp),512(DOMAIN\domain admins),3000003(DOMAIN\schema admins),3000001(DOMAIN\denied rodc password replication group),3000004(BUILTIN\users),544(BUILTIN\administrators)

[root at dc tls]# ldapsearch -xLLL -H ldaps://localhost:636 -D "CN=ssp,CN=Users,DC=domain,DC=be" -W -b "DC=domain,DC=be"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE

But I can connect in the domain:

[root at dc tls]# smbclient //dc/common -U 'DOMAIN\ssp'
Enter DOMAIN\ssp's password:
Domain=[DOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.5-SerNet-RedHat-13.el7]
smb: \>

So my first question: is it possible to create a user who has the full rights in the LDAP?

If yes, second question: how to create it?

Thank you.
Rowland Penny
2017-Mar-09 12:00 UTC
[Samba] NT_STATUS_LOGON_FAILURE when trying to bind LDAP
On Thu, 09 Mar 2017 10:51:07 +0000
contact--- via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I have a Samba 4 Active Directory, and I have some applications that use the
> Administrator user to bind the LDAP.
>
> No problems with the Administrator user, but I'd like to create an
> application-specific user to bind the LDAP.
>
> So my first question: is it possible to create a user who has the
> full rights in the LDAP?

No, your first question should be 'Am I doing this correctly?' and the answer to that is, No ;-)

See here:

https://lists.samba.org/archive/samba/2017-February/206334.html

Rowland
Rowland Penny
2017-Mar-09 14:44 UTC
[Samba] NT_STATUS_LOGON_FAILURE when trying to bind LDAP
On Thu, 09 Mar 2017 14:18:47 +0000
"contact at makz.me" <contact at makz.me> wrote:

> Hmmm thanks, I did the modifications, but I have this error:
>
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Do I need to restart samba to apply the "ldap server require strong
> auth"?
>
> If yes, it's impossible right now, I have +600 users in production,
> I'll restart this night. ^^'

Try 'smbcontrol all reload-config'; if this doesn't work, then yes, you will have to restart Samba.

Rowland