Johannes Engel
2018-Jan-22 19:36 UTC
[Samba] RODC and LDAP via Simple Authentication fails
Dear all,

setting up a DMZ environment I was thinking to use an RODC there for user authentication. One of the applications in the DMZ needs to access the directory via LDAP.

When I tried to connect to the RODC using LDAP with simple bind, I always received the following error

ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 6fa, v1db1

even though the credentials used are correct and do work with the "normal" DCs.

I have already added the corresponding user to the group "Allowed RODC Password Replication Group", but that did not change anything...

Authentication through Kerberos seems to work, but is not an option for the application, unfortunately.

Did I miss anything that prevents my scenario from working by design? Thanks a lot for your help!

Best regards
Johannes
Andrew Bartlett
2018-Jan-22 19:45 UTC
[Samba] RODC and LDAP via Simple Authentication fails
On Mon, 2018-01-22 at 20:36 +0100, Johannes Engel via samba wrote:
> Dear all,
>
> setting up a DMZ environment I was thinking to use an RODC there for user authentication. One of the applications in the DMZ needs to access the directory via LDAP.
>
> When I tried to connect to the RODC using LDAP with simple bind, I always received the following error
>
> ldap_bind: Invalid credentials (49)
> additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 6fa, v1db1
>
> even though the credentials used are correct and do work with the "normal" DCs.
>
> I have already added the corresponding user to the group "Allowed RODC Password Replication Group", but that did not change anything...
>
> Authentication through Kerberos seems to work, but is not an option for the application, unfortunately.
>
> Did I miss anything that prevents my scenario from working by design? Thanks a lot for your help!

It should work with the current release, the simple bind should get converted into an NTLM login and passed along via winbind, so this is quite odd. Are you using Samba 4.7?

(If you are not running 4.7, just take care to upgrade by doing a new join, not an in-place upgrade, due to a linked attribute bug just reported and fixed).

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Johannes Engel
2018-Jan-22 19:56 UTC
[Samba] RODC and LDAP via Simple Authentication fails
Hi Andrew,

I am deeply impressed by your speed! :D

The RODC is actually Samba 4.7.4, the other DCs are still on 4.6.12.

Any suggestion how I can debug this w/o setting everything on level 10? ;)

Best regards
Johannes

On 22.01.2018 at 20:45, Andrew Bartlett wrote:
> On Mon, 2018-01-22 at 20:36 +0100, Johannes Engel via samba wrote:
> [...]
> It should work with the current release, the simple bind should get converted into an NTLM login and passed along via winbind, so this is quite odd. Are you using Samba 4.7?
>
> (If you are not running 4.7, just take care to upgrade by doing a new join, not an in-place upgrade, due to a linked attribute bug just reported and fixed).
>
> Thanks,
>
> Andrew Bartlett
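Andrew's point that the DC turns a simple bind into an NTLM logon, and Johannes's question about debugging it without raising the log level to 10, are what the following added example is for. It is not code from this thread or from Samba: a stdlib-only LDAPv3 simple-bind client that sends exactly one BindRequest, reads the BindResponse and decodes the "data <hex>" code that AD-style servers (Samba's AD DC included) put into the diagnosticMessage; the code table is taken from winerror.h. The host and bind name in the usage line are placeholders, and the sample reply is constructed from the diagnostic string quoted in the thread, not captured from the real RODC.

```python
import re
import socket
import ssl

# winerror.h values that AD-style DCs append as "data <hex>" to the
# diagnosticMessage of a failed bind (0x6fa is the code from the thread).
AD_BIND_DATA_CODES = {
    0x525: "ERROR_NO_SUCH_USER",
    0x52E: "ERROR_LOGON_FAILURE",
    0x530: "ERROR_INVALID_LOGON_HOURS",
    0x531: "ERROR_INVALID_WORKSTATION",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x6FA: "ERROR_NO_TRUST_LSA_SECRET",
    0x701: "ERROR_ACCOUNT_EXPIRED",
    0x773: "ERROR_PASSWORD_MUST_CHANGE",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}

# --- minimal BER, just enough for an LDAPv3 BindRequest / BindResponse ---

def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(value):
    # Non-negative INTEGER, padded so the sign bit is never set.
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def build_simple_bind(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = _tlv(0x60, _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _ber_int(message_id) + bind)

def build_bind_response(message_id, result_code, matched_dn, diagnostic):
    """The server's side of the exchange; used here to construct an offline sample."""
    op = _tlv(0x61, _tlv(0x0A, bytes([result_code]))
              + _tlv(0x04, matched_dn.encode()) + _tlv(0x04, diagnostic.encode()))
    return _tlv(0x30, _ber_int(message_id) + op)

def parse_bind_response(buf):
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % op_tag)
    _, rc, pos = _read_tlv(op, 0)         # ENUMERATED resultCode
    _, dn, pos = _read_tlv(op, pos)       # matchedDN
    _, diag, _ = _read_tlv(op, pos)       # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(rc, "big"),
            "matched_dn": dn.decode(), "diagnostic": diag.decode(errors="replace")}

def decode_bind_failure(diagnostic):
    """(data code, winerror name) from an AD-style diagnosticMessage, else (None, None)."""
    m = re.search(r"\bdata ([0-9a-fA-F]+)\b", diagnostic)
    if not m:
        return None, None
    code = int(m.group(1), 16)
    return code, AD_BIND_DATA_CODES.get(code, "unknown")

def _recv_ldap_message(sock):
    """Read from the socket until one complete BER-framed LDAPMessage has arrived."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection without a BindResponse")
        buf += chunk
        if len(buf) < 2:
            continue
        first = buf[1]
        hdr = 2 + ((first & 0x7F) if first & 0x80 else 0)
        if len(buf) < hdr:
            continue
        length = int.from_bytes(buf[2:hdr], "big") if first & 0x80 else first
        if len(buf) >= hdr + length:
            return buf[:hdr + length]

def simple_bind(host, dn, password, port=636, use_tls=True, timeout=10):
    """One simple bind against a DC over LDAPS by default; returns the parsed BindResponse."""
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if use_tls else raw
    with sock:
        sock.sendall(build_simple_bind(1, dn, password))
        return parse_bind_response(_recv_ldap_message(sock))

# Constructed sample: the diagnosticMessage quoted in the thread, wrapped in a
# BindResponse by the encoder above (no bytes were captured from the real RODC).
SAMPLE_RODC_REPLY = build_bind_response(
    1, 49, "",
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 6fa, v1db1")

if __name__ == "__main__":
    import getpass, sys
    if len(sys.argv) == 3:   # e.g. rodc.example.com user@example.com (placeholders)
        reply = simple_bind(sys.argv[1], sys.argv[2], getpass.getpass("Password: "))
    else:
        reply = parse_bind_response(SAMPLE_RODC_REPLY)
    code, name = decode_bind_failure(reply["diagnostic"])
    print("resultCode=%d diagnostic=%r" % (reply["result_code"], reply["diagnostic"]))
    if code is not None:
        print("data 0x%x -> %s" % (code, name))
```

Run with no arguments to decode the constructed sample; with a host and a bind name (a DN, a UPN or DOMAIN\user all work against an AD DC) it performs a real bind over LDAPS on 636 with the certificate checked against the system trust store, so a lab RODC with a self-signed certificate needs its CA installed, or `use_tls=False` on 389, which sends the password in the clear and belongs in a lab only. The cheap first check is to run the same account against the RODC and against a writable DC and compare the resultCode/data pairs: 52e is a plain bad password, 525 an unknown user, and anything else (the thread's 6fa decodes to ERROR_NO_TRUST_LSA_SECRET per winerror.h) points at something other than the credentials themselves.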
Rowland Penny
2018-Jan-22 20:22 UTC
[Samba] RODC and LDAP via Simple Authentication fails
On Mon, 22 Jan 2018 20:36:04 +0100 Johannes Engel via samba <samba at lists.samba.org> wrote:
> Dear all,
>
> setting up a DMZ environment I was thinking to use an RODC there for user authentication. One of the applications in the DMZ needs to access the directory via LDAP.
>
> When I tried to connect to the RODC using LDAP with simple bind, I always received the following error
>
> ldap_bind: Invalid credentials (49)
> additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 6fa, v1db1
>
> even though the credentials used are correct and do work with the "normal" DCs.
>
> I have already added the corresponding user to the group "Allowed RODC Password Replication Group", but that did not change anything...
>
> Authentication through Kerberos seems to work, but is not an option for the application, unfortunately.
>
> Did I miss anything that prevents my scenario from working by design? Thanks a lot for your help!
>
> Best regards
> Johannes

I wouldn't do this, the DC (RODC or otherwise) would have to be a global catalogue. Try reading this:

https://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/

In short, you need to set up a domain in the DMZ and then set up a trust between this domain and your other domain.

Rowland
Johannes Engel
2018-Jan-22 20:33 UTC
[Samba] RODC and LDAP via Simple Authentication fails
Hi Rowland,

thanks a lot for the hint. I will read through this.

Best regards
Johannes

On 22.01.2018 at 21:22, Rowland Penny wrote:
> On Mon, 22 Jan 2018 20:36:04 +0100 Johannes Engel via samba <samba at lists.samba.org> wrote:
> [...]
>
> I wouldn't do this, the DC (RODC or otherwise) would have to be a global catalogue. Try reading this:
>
> https://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/
>
> In short, you need to set up a domain in the DMZ and then set up a trust between this domain and your other domain.
>
> Rowland
Gaëtan Slongo
[Samba] RODC and LDAP via Simple Authentication fails
Hi Rowland,

Is there official documentation about creating multiple domains with trusts? I can't find it.

Thanks

----- Original message -----
From: "Rowland Penny via samba" <samba at lists.samba.org>
To: samba at lists.samba.org
Cc: "Johannes Engel" <jcnengel+samba at gmail.com>
Sent: Monday, 22 January 2018 21:22:14
Subject: Re: [Samba] RODC and LDAP via Simple Authentication fails

On Mon, 22 Jan 2018 20:36:04 +0100 Johannes Engel via samba <samba at lists.samba.org> wrote:
> [...]

I wouldn't do this, the DC (RODC or otherwise) would have to be a global catalogue. Try reading this:

https://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/

In short, you need to set up a domain in the DMZ and then set up a trust between this domain and your other domain.

Rowland

--
www.it-optics.com
Gaëtan SLONGO | Head of Infrastructure Department
Boulevard Initialis, 28 - 7000 Mons, BELGIUM
Company: +32 (0)65 84 23 85
Direct: +32 (0)65 32 85 88
Fax: +32 (0)65 84 66 76
Skype ID: gslongo.pro
GPG Key: gslongo-gpg_key.asc