Konstantin Boyandin
2018-Sep-05 08:46 UTC
[Samba] Authenticating against Samba 4 AD LDAP service
Hello,

One of the Samba 3 -> Samba 4 migration tasks I am solving is changing authentication against the new Samba 4 AD domain.

Existing services use the LDAP directory of Samba 3 to authenticate. The simplest way to go would be just to replace the LDAP credentials; however, I don't quite understand which LDAP credentials to use/how to create them for Samba 4 AD.

Sample command against the Samba 4 LDAP service:

# ldapsearch -D "cn=Manager,dc=company,dc=lan" -w [password] -H ldap://10.100.0.4 -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"

returns

ldap_bind: Strong(er) authentication required (8)
additional info: BindSimple: Transport encryption required.

I would appreciate a link to a possible source of wisdom, or explanations in here.

Note: I can do searches using Kerberos authentication on the Samba 4 installation, like this:

# kinit administrator
# ldbsearch -H ldap://dc.ad-lan.com -k yes '(objectclass=person)'

but Kerberos is not an option for some existing services.

Sincerely,
Konstantin
Rowland Penny
2018-Sep-05 09:10 UTC
[Samba] Authenticating against Samba 4 AD LDAP service
On Wed, 05 Sep 2018 15:46:04 +0700
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:

> Hello,
>
> One of the Samba 3 -> Samba 4 migration tasks I am solving is changing
> authentication against the new Samba 4 AD domain.
>
> Existing services use the LDAP directory of Samba 3 to authenticate. The
> simplest way to go would be just to replace the LDAP credentials;
> however, I don't quite understand which LDAP credentials to use/how
> to create them for Samba 4 AD.
>
> Sample command against the Samba 4 LDAP service:
>
> # ldapsearch -D "cn=Manager,dc=company,dc=lan" -w [password] -H
> ldap://10.100.0.4 -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
> returns
> ldap_bind: Strong(er) authentication required (8)
> additional info: BindSimple: Transport encryption required.
>
> I would appreciate a link to a possible source of wisdom, or
> explanations in here.
>
> Note: I can do searches using Kerberos authentication on the Samba 4
> installation, like this:
>
> # kinit administrator
> # ldbsearch -H ldap://dc.ad-lan.com -k yes '(objectclass=person)'
>
> but Kerberos is not an option for some existing services.
>
> Sincerely,
> Konstantin
>

Try this:

ldbsearch -U Administrator --password=[password] -H ldap://10.100.0.4 -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"

NOTE, you can (and probably should) replace '10.100.0.4' with the DC's short hostname.

However, are you sure you cannot use Kerberos?
What are your existing services?

Rowland
Also:

-H ldap://10.100.0.4 should probably be ldaps://URI

You can potentially do this in smb.conf, but that is definitely not recommended.

https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

Kris Lou
klou at themusiclink.net

On Wed, Sep 5, 2018 at 2:10 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 05 Sep 2018 15:46:04 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > One of the Samba 3 -> Samba 4 migration tasks I am solving is changing
> > authentication against the new Samba 4 AD domain.
> >
> > Existing services use the LDAP directory of Samba 3 to authenticate. The
> > simplest way to go would be just to replace the LDAP credentials;
> > however, I don't quite understand which LDAP credentials to use/how
> > to create them for Samba 4 AD.
> >
> > Sample command against the Samba 4 LDAP service:
> >
> > # ldapsearch -D "cn=Manager,dc=company,dc=lan" -w [password] -H
> > ldap://10.100.0.4 -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
> > returns
> > ldap_bind: Strong(er) authentication required (8)
> > additional info: BindSimple: Transport encryption required.
> >
> > I would appreciate a link to a possible source of wisdom, or
> > explanations in here.
> >
> > Note: I can do searches using Kerberos authentication on the Samba 4
> > installation, like this:
> >
> > # kinit administrator
> > # ldbsearch -H ldap://dc.ad-lan.com -k yes '(objectclass=person)'
> >
> > but Kerberos is not an option for some existing services.
> >
> > Sincerely,
> > Konstantin
> >
>
> Try this:
> ldbsearch -U Administrator --password=[password] -H ldap://10.100.0.4
> -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
>
> NOTE, you can (and probably should) replace '10.100.0.4' with the DC's
> short hostname.
>
> However, are you sure you cannot use Kerberos?
> What are your existing services?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
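The two points made so far (the bind must go over an encrypted transport, and the URI should name the DC rather than its IP so the TLS certificate can be validated) can be enforced in a small wrapper around ldapsearch. This is an added example, not code from the thread or from the Samba project; it assumes ldap-utils is installed, that the DC's CA certificate has been exported to the hypothetical path /etc/ssl/certs/ad-lan-ca.pem, and that the bind password is kept in a file rather than passed on the command line.

```shell
#!/bin/sh
# Wrapper that only attempts a simple bind over LDAPS or StartTLS, with
# certificate verification turned on. Added example; the CA path and the
# DN below are assumptions, not values from the thread.
CA_CERT="${CA_CERT:-/etc/ssl/certs/ad-lan-ca.pem}"

# classify_ldap_uri URI [yes|no]: prints ldaps, starttls or plain.
# Returns 0 only when the transport will be encrypted.
classify_ldap_uri() {
    case "$1" in
        ldaps://*) echo ldaps; return 0 ;;
        ldap://*)
            if [ "${2:-no}" = yes ]; then echo starttls; return 0; fi
            echo plain; return 1 ;;
        *) echo unknown; return 2 ;;
    esac
}

# ldap_uri_host URI: strip scheme, port and path, leaving the host.
ldap_uri_host() {
    h=${1#*://}; h=${h%%/*}; h=${h%%:*}; printf '%s\n' "$h"
}

# host_is_ip_literal HOST: 0 if HOST is a dotted IPv4 literal. A cert
# issued for dc.ad-lan.com will not validate against 10.100.0.4.
host_is_ip_literal() {
    case "$1" in
        *[!0-9.]*) return 1 ;;
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# secure_ldapsearch BINDDN PASSFILE URI BASE FILTER
# e.g. secure_ldapsearch "CN=Administrator,CN=Users,DC=ad-lan,DC=com" \
#        /root/.ldappw ldaps://dc.ad-lan.com "dc=ad-lan,dc=com" "(objectclass=*)"
secure_ldapsearch() {
    binddn=$1; passfile=$2; uri=$3; base=$4; filter=$5
    mode=$(classify_ldap_uri "$uri" "${STARTTLS:-no}") || {
        echo "refusing simple bind over unencrypted $uri" >&2; return 1; }
    if host_is_ip_literal "$(ldap_uri_host "$uri")"; then
        echo "warning: IP literal in URI; certificate name check will fail" >&2
    fi
    extra=""
    [ "$mode" = starttls ] && extra="-ZZ"   # -ZZ: require StartTLS to succeed
    LDAPTLS_CACERT="$CA_CERT" LDAPTLS_REQCERT=demand \
        ldapsearch -x $extra -H "$uri" -D "$binddn" -y "$passfile" \
                   -b "$base" -s sub "$filter"
}
```

Set STARTTLS=yes to allow an ldap:// URI upgraded with -ZZ; a plain ldap:// bind, the form that produced the "Transport encryption required" error above, is refused before any password leaves the host.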
Konstantin Boyandin
2018-Sep-06 05:47 UTC
[Samba] Authenticating against Samba 4 AD LDAP service
Rowland Penny via samba wrote on 2018-09-05 16:10:

> On Wed, 05 Sep 2018 15:46:04 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> One of the Samba 3 -> Samba 4 migration tasks I am solving is changing
>> authentication against the new Samba 4 AD domain.
>>
>> Existing services use the LDAP directory of Samba 3 to authenticate. The
>> simplest way to go would be just to replace the LDAP credentials;
>> however, I don't quite understand which LDAP credentials to use/how
>> to create them for Samba 4 AD.
>>
>> Sample command against the Samba 4 LDAP service:
>>
>> # ldapsearch -D "cn=Manager,dc=company,dc=lan" -w [password] -H
>> ldap://10.100.0.4 -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
>> returns
>> ldap_bind: Strong(er) authentication required (8)
>> additional info: BindSimple: Transport encryption required.
>>
>> I would appreciate a link to a possible source of wisdom, or
>> explanations in here.
>>
>> Note: I can do searches using Kerberos authentication on the Samba 4
>> installation, like this:
>>
>> # kinit administrator
>> # ldbsearch -H ldap://dc.ad-lan.com -k yes '(objectclass=person)'
>>
>> but Kerberos is not an option for some existing services.
>>
>> Sincerely,
>> Konstantin
>>
>
> Try this:
> ldbsearch -U Administrator --password=[password] -H ldap://10.100.0.4
> -b "dc=ad-lan,dc=com" -s sub "(objectclass=*)"
>
> NOTE, you can (and probably should) replace '10.100.0.4' with the DC's
> short hostname.

That works, thank you, with the actual domain name in the LDAP URL.

> However, are you sure you cannot use Kerberos?
> What are your existing services?

To name the most important ones:

- Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
- Shell (SSH) server (same, using nslcd)
- Apache 2.* LDAP authentication module
- Atlassian Confluence
- GitLab

Sincerely,
Konstantin