samba - Jul 2017 - LDAP authentication not working

Hi everyone!

I just upgraded my Samba PDC to a active directory (I followed the migration
instruction of samba-wiki). Without any error message or something. *happy*

My PDC was running with a bind9 and slapd->openLDAP. I just turned both
services off and want to use the samba-internal ones.

My problem now is that I can't login with my domain members (just tried it
on my server -> debian stretch).here my details:

*smb.com*
[global]
        workgroup = EXAMPLE
        realm = example.com
        netbios name = PDC
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 8.8.8.8
        interfaces = br0
        ldap server require strong auth = no
[netlogon]
        path = /var/lib/samba/sysvol/example.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

*krb5.conf*
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

*/etc/hosts*
127.0.0.1       localhost
192.168.0.2    hk-server-01.example.com hk-server-01

*/etc/hostname*
hk-server-01

*/etc/resolv.conf*
search example.com
nameserver 192.168.0.1

*/etc/named.conf*
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

*/etc/named.conf.local*
include "/var/lib/samba/private/named.conf";

*/etc/named.conf.options*
options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24;  127.0.0.1/32; };
        forwarders { 8.8.8.8; };
        allow-transfer { none; };
        dnssec-validation no;
        dnssec-enable no;

        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.2; 127.0.0.1; };
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

*/etc/named.conf.default-zones*
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

*/etc/nsswitch.conf*
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 ldap
networks:       files ldap

protocols:      db files ldap
services:       db files ldap
ethers:         db files ldap
rpc:            db files ldap

netgroup:       nis ldap
aliases:        ldap

*/etc/nslcd.conf*
uid nslcd
gid nslcd
uri ldap://127.0.0.1/
base dc=example,dc=com
pagesize 1000
referrals off
ldap_version 3
tls_cacertfile /etc/ssl/certs/ca-certificates.crt



I tried

The samba service is running but with a warning:
● samba-ad-dc.service - Samba AD Daemon
   Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor
preset: enabled)
   Active: active (running) since Mon 2017-07-10 12:12:06 CEST; 3h 11min ago
     Docs: man:samba(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 1247 (samba)
   Status: "smbd: ready to serve connections..."
   Memory: 202.4M
      CPU: 46.634s
   CGroup: /system.slice/samba-ad-dc.service
           ├─1247 /usr/sbin/samba
           ├─1299 /usr/sbin/samba
           ├─1300 /usr/sbin/samba
           ├─1301 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground
           ├─1302 /usr/sbin/samba
           ├─1303 /usr/sbin/samba
           ├─1304 /usr/sbin/samba
           ├─1305 /usr/sbin/samba
           ├─1306 /usr/sbin/samba
           ├─1307 /usr/sbin/samba
           ├─1308 /usr/sbin/samba
           ├─1309 /usr/sbin/samba
           ├─1310 /usr/sbin/samba
           ├─1311 /usr/sbin/samba
           ├─1312 /usr/sbin/samba
           ├─1313 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
           ├─1345 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground
           ├─1346 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground
           ├─1353 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
           └─1373 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground

I just tried this ldapsearch command:
ldapsearch -H ldap://localhost -x
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 00002020: Operation unavailable without authentication

# numResponses: 1


seems like a authentication problem.As you can see I added"ldap server
require strong auth = no" to my smb.conf but it don't work for my
problem
:/..........Has anyone a tip for me?

thanks! 



--
View this message in context:
http://samba.2283325.n4.nabble.com/LDAP-authentication-not-working-tp4721248.html
Sent from the Samba - General mailing list archive at Nabble.com.

On Mon, 2017-07-10 at 23:18 -0700, Bartra1212 via samba
wrote:
> I just tried this ldapsearch command:
> ldapsearch -H ldap://localhost -x
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # search result
> search: 2
> result: 1 Operations error
> text: 00002020: Operation unavailable without authentication
Unlike common configurations with OpenLDAP, Samba and Windows AD
require authentication before you can access the domain tree.
> # numResponses: 1
> 
> 
> seems like a authentication problem.As you can see I added"ldap server
> require strong auth = no" to my smb.conf but it don't work for my
problem
> :/..........Has anyone a tip for me?
The setting you set is about allowing simple binds unprotected by SSL,
allowing sessions to be trivially taken over by anyone on the network. 
  (that is why the default is yes).   It isn't about allowing anonymous
access, which is enabled with the same in-directory setting as windows
AD, but which really shouldn't be set. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Mon, 10 Jul 2017 23:18:28 -0700 (PDT)
Bartra1212 via samba <samba at lists.samba.org> wrote:
> Hi everyone!
> 
> I just upgraded my Samba PDC to a active directory (I followed the
> migration instruction of samba-wiki). Without any error message or
> something. *happy*
> 
> My PDC was running with a bind9 and slapd->openLDAP. I just turned
> both services off and want to use the samba-internal ones.
> 
> My problem now is that I can't login with my domain members (just
> tried it on my server -> debian stretch).here my details:
> 
> *smb.com*
> [global]
>         workgroup = EXAMPLE
>         realm = example.com
>         netbios name = PDC
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         dns forwarder = 8.8.8.8
>         interfaces = br0
>         ldap server require strong auth = no
> [netlogon]
>         path = /var/lib/samba/sysvol/example.com/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> *krb5.conf*
> [libdefaults]
>         default_realm = EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 
> */etc/hosts*
> 127.0.0.1       localhost
> 192.168.0.2    hk-server-01.example.com hk-server-01
> 
> */etc/hostname*
> hk-server-01
> 
> */etc/resolv.conf*
> search example.com
> nameserver 192.168.0.1
> 
> */etc/named.conf*
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> 
> */etc/named.conf.local*
> include "/var/lib/samba/private/named.conf";
> 
> */etc/named.conf.options*
> options {
>         directory "/var/cache/bind";
>         version "0.0.7";
>         notify no;
>         empty-zones-enable no;
>         allow-query { 127.0.0.1; 192.168.0.0/24; };
>         allow-recursion { 192.168.0.0/24;  127.0.0.1/32; };
>         forwarders { 8.8.8.8; };
>         allow-transfer { none; };
>         dnssec-validation no;
>         dnssec-enable no;
> 
>         listen-on-v6 { none; };
>         listen-on port 53 { 192.168.0.2; 127.0.0.1; };
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
> 
> */etc/named.conf.default-zones*
> zone "." {
>         type hint;
>         file "/etc/bind/db.root";
> };
> 
> zone "localhost" {
>         type master;
>         file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.255";
> };
> 
> */etc/nsswitch.conf*
> passwd:         compat ldap
> group:          compat ldap
> shadow:         compat ldap
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 ldap
> networks:       files ldap
> 
> protocols:      db files ldap
> services:       db files ldap
> ethers:         db files ldap
> rpc:            db files ldap
> 
> netgroup:       nis ldap
> aliases:        ldap
> 
> */etc/nslcd.conf*
> uid nslcd
> gid nslcd
> uri ldap://127.0.0.1/
> base dc=example,dc=com
> pagesize 1000
> referrals off
> ldap_version 3
> tls_cacertfile /etc/ssl/certs/ca-certificates.crt
> 
> 
> 
> I tried
> 
> The samba service is running but with a warning:
> ● samba-ad-dc.service - Samba AD Daemon
>    Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled;
> vendor preset: enabled)
>    Active: active (running) since Mon 2017-07-10 12:12:06 CEST; 3h
> 11min ago Docs: man:samba(8)
>            man:samba(7)
>            man:smb.conf(5)
>  Main PID: 1247 (samba)
>    Status: "smbd: ready to serve connections..."
>    Memory: 202.4M
>       CPU: 46.634s
>    CGroup: /system.slice/samba-ad-dc.service
>            ├─1247 /usr/sbin/samba
>            ├─1299 /usr/sbin/samba
>            ├─1300 /usr/sbin/samba
>            ├─1301 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>            ├─1302 /usr/sbin/samba
>            ├─1303 /usr/sbin/samba
>            ├─1304 /usr/sbin/samba
>            ├─1305 /usr/sbin/samba
>            ├─1306 /usr/sbin/samba
>            ├─1307 /usr/sbin/samba
>            ├─1308 /usr/sbin/samba
>            ├─1309 /usr/sbin/samba
>            ├─1310 /usr/sbin/samba
>            ├─1311 /usr/sbin/samba
>            ├─1312 /usr/sbin/samba
>            ├─1313 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>            ├─1345 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>            ├─1346 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>            ├─1353 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>            └─1373 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
> 
> I just tried this ldapsearch command:
> ldapsearch -H ldap://localhost -x
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # search result
> search: 2
> result: 1 Operations error
> text: 00002020: Operation unavailable without authentication
> 
> # numResponses: 1
> 
> 
> seems like a authentication problem.As you can see I added"ldap server
> require strong auth = no" to my smb.conf but it don't work for my
> problem :/..........Has anyone a tip for me?
> 
> thanks! 
> 
Is there a reason why you need to use nslcd instead of winbind ?

Rowland