Hi everyone!

I just upgraded my Samba PDC to an Active Directory (I followed the migration instructions of the Samba wiki), without any error message or something. *happy*

My PDC was running with a bind9 and slapd->openLDAP. I just turned both services off and want to use the samba-internal ones.

My problem now is that I can't log in with my domain members (just tried it on my server -> Debian stretch). Here are my details:

*smb.conf*
  [global]
  workgroup = EXAMPLE
  realm = example.com
  netbios name = PDC
  server role = active directory domain controller
  idmap_ldb:use rfc2307 = yes
  dns forwarder = 8.8.8.8
  interfaces = br0
  ldap server require strong auth = no

  [netlogon]
  path = /var/lib/samba/sysvol/example.com/scripts
  read only = No

  [sysvol]
  path = /var/lib/samba/sysvol
  read only = No

*krb5.conf*
  [libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true

*/etc/hosts*
  127.0.0.1 localhost
  192.168.0.2 hk-server-01.example.com hk-server-01

*/etc/hostname*
  hk-server-01

*/etc/resolv.conf*
  search example.com
  nameserver 192.168.0.1

*/etc/named.conf*
  include "/etc/bind/named.conf.options";
  include "/etc/bind/named.conf.local";
  include "/etc/bind/named.conf.default-zones";

*/etc/named.conf.local*
  include "/var/lib/samba/private/named.conf";

*/etc/named.conf.options*
  options {
      directory "/var/cache/bind";
      version "0.0.7";
      notify no;
      empty-zones-enable no;
      allow-query { 127.0.0.1; 192.168.0.0/24; };
      allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
      forwarders { 8.8.8.8; };
      allow-transfer { none; };
      dnssec-validation no;
      dnssec-enable no;

      listen-on-v6 { none; };
      listen-on port 53 { 192.168.0.2; 127.0.0.1; };
      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
  };

*/etc/named.conf.default-zones*
  zone "." {
      type hint;
      file "/etc/bind/db.root";
  };

  zone "localhost" {
      type master;
      file "/etc/bind/db.local";
  };

  zone "127.in-addr.arpa" {
      type master;
      file "/etc/bind/db.127";
  };

  zone "0.in-addr.arpa" {
      type master;
      file "/etc/bind/db.0";
  };

  zone "255.in-addr.arpa" {
      type master;
      file "/etc/bind/db.255";
  };

*/etc/nsswitch.conf*
  passwd:    compat ldap
  group:     compat ldap
  shadow:    compat ldap

  hosts:     files mdns4_minimal [NOTFOUND=return] dns mdns4 ldap
  networks:  files ldap

  protocols: db files ldap
  services:  db files ldap
  ethers:    db files ldap
  rpc:       db files ldap

  netgroup:  nis ldap
  aliases:   ldap

*/etc/nslcd.conf*
  uid nslcd
  gid nslcd
  uri ldap://127.0.0.1/
  base dc=example,dc=com
  pagesize 1000
  referrals off
  ldap_version 3
  tls_cacertfile /etc/ssl/certs/ca-certificates.crt

I tried

The samba service is running but with a warning:

  ● samba-ad-dc.service - Samba AD Daemon
     Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2017-07-10 12:12:06 CEST; 3h 11min ago
       Docs: man:samba(8)
             man:samba(7)
             man:smb.conf(5)
   Main PID: 1247 (samba)
     Status: "smbd: ready to serve connections..."
     Memory: 202.4M
        CPU: 46.634s
     CGroup: /system.slice/samba-ad-dc.service
             ├─1247 /usr/sbin/samba
             ├─1299 /usr/sbin/samba
             ├─1300 /usr/sbin/samba
             ├─1301 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ├─1302 /usr/sbin/samba
             ├─1303 /usr/sbin/samba
             ├─1304 /usr/sbin/samba
             ├─1305 /usr/sbin/samba
             ├─1306 /usr/sbin/samba
             ├─1307 /usr/sbin/samba
             ├─1308 /usr/sbin/samba
             ├─1309 /usr/sbin/samba
             ├─1310 /usr/sbin/samba
             ├─1311 /usr/sbin/samba
             ├─1312 /usr/sbin/samba
             ├─1313 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
             ├─1345 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ├─1346 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ├─1353 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
             └─1373 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground

I just tried this ldapsearch command:

  ldapsearch -H ldap://localhost -x
  # extended LDIF
  #
  # LDAPv3
  # base <dc=example,dc=com> (default) with scope subtree
  # filter: (objectclass=*)
  # requesting: ALL
  #

  # search result
  search: 2
  result: 1 Operations error
  text: 00002020: Operation unavailable without authentication

  # numResponses: 1

Seems like an authentication problem. As you can see I added "ldap server require strong auth = no" to my smb.conf but it doesn't work for my problem :/ Has anyone a tip for me?

thanks!

--
View this message in context: http://samba.2283325.n4.nabble.com/LDAP-authentication-not-working-tp4721248.html
Sent from the Samba - General mailing list archive at Nabble.com.
On Mon, 2017-07-10 at 23:18 -0700, Bartra1212 via samba wrote:
> I just tried this ldapsearch command:
> ldapsearch -H ldap://localhost -x
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 1 Operations error
> text: 00002020: Operation unavailable without authentication

Unlike common configurations with OpenLDAP, Samba and Windows AD require authentication before you can access the domain tree.

> # numResponses: 1
>
>
> seems like a authentication problem.As you can see I added"ldap server
> require strong auth = no" to my smb.conf but it don't work for my problem
> :/..........Has anyone a tip for me?

The setting you set is about allowing simple binds unprotected by SSL, allowing sessions to be trivially taken over by anyone on the network (that is why the default is yes). It isn't about allowing anonymous access, which is enabled with the same in-directory setting as Windows AD, but which really shouldn't be set.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
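To make the distinction in the reply above concrete, here is an added helper (not from the thread, and not Samba's own tooling) that issues the poster's query three ways against the DC from the thread and classifies the ldapsearch output by the exact error text the poster saw: anonymous simple bind (expected to be refused with 00002020 no matter what "ldap server require strong auth" says), SASL/GSSAPI with a Kerberos ticket, and a simple bind that the default "require strong auth = yes" still accepts because it runs over StartTLS. Host, base DN and realm come from the thread; the function names and the use of the administrator account are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hostname, base DN and realm are the
# poster's; function names and the bind account are made up here.

BASE='dc=example,dc=com'
DC='hk-server-01.example.com'

# ldap_outcome: read ldapsearch output on stdin and print one word:
#   need-auth -> the DC refused an unauthenticated query (the 00002020 text
#                from the original post)
#   ok        -> the search completed (result: 0 Success)
#   other     -> anything else (bad credentials, TLS failure, unreachable DC)
ldap_outcome() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '00002020: Operation unavailable without authentication'; then
        echo need-auth
    elif printf '%s\n' "$out" | grep -q '^result: 0 Success'; then
        echo ok
    else
        echo other
    fi
}

# 1. What the original post ran: simple bind with no credentials, i.e. anonymous.
#    Samba AD, like Windows AD, answers this with need-auth regardless of
#    'ldap server require strong auth'.
probe_anonymous() {
    ldapsearch -x -H "ldap://$DC" -b "$BASE" '(objectClass=*)' dn | ldap_outcome
}

# 2. Preferred: SASL/GSSAPI using a ticket obtained with
#    'kinit administrator@EXAMPLE.COM'. Signed and sealed, so it satisfies the
#    default 'require strong auth = yes'.
probe_kerberos() {
    ldapsearch -Y GSSAPI -H "ldap://$DC" -b "$BASE" '(objectClass=*)' dn | ldap_outcome
}

# 3. Simple bind, but forced over StartTLS (-ZZ), so the password is not sent
#    in clear and the default setting still accepts it. -W prompts for the
#    password instead of putting it on the command line.
probe_simple_tls() {
    ldapsearch -x -ZZ -H "ldap://$DC" -D 'administrator@EXAMPLE.COM' -W \
        -b "$BASE" '(objectClass=*)' dn | ldap_outcome
}
```

Run the three probes in order: only the first should print need-auth, and if the second prints other, check the ticket with klist before looking at smb.conf.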
On Mon, 10 Jul 2017 23:18:28 -0700 (PDT) Bartra1212 via samba <samba at lists.samba.org> wrote:

> Hi everyone!
>
> I just upgraded my Samba PDC to a active directory (I followed the
> migration instruction of samba-wiki). Without any error message or
> something. *happy*
>
> My PDC was running with a bind9 and slapd->openLDAP. I just turned
> both services off and want to use the samba-internal ones.
>
> My problem now is that I can't login with my domain members (just
> tried it on my server -> debian stretch).here my details:
>
> [...]
>
> */etc/nsswitch.conf*
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
>
> [...]
>
> */etc/nslcd.conf*
> uid nslcd
> gid nslcd
> uri ldap://127.0.0.1/
> base dc=example,dc=com
> pagesize 1000
> referrals off
> ldap_version 3
> tls_cacertfile /etc/ssl/certs/ca-certificates.crt
>
> [...]
>
> seems like a authentication problem.As you can see I added"ldap server
> require strong auth = no" to my smb.conf but it don't work for my
> problem :/..........Has anyone a tip for me?
>
> thanks!
>

Is there a reason why you need to use nslcd instead of winbind ?

Rowland