Hi I am trying to authenticate my mail server with samba ad.
The only problem is that I don't get it working.

root@dna:/data/CA/EasyRSA-v3.0.6# ldapsearch -x -h gaia.rompen.lokaal -D 'vmail' -W -b 'cn=users,dc=rompen,dc=lokaal'
Enter LDAP Password:
ldap_bind: Strong(er) authentication required (8)
	additional info: BindSimple: Transport encryption required.

I can not read the ldap database. I think it is a certificate problem. I made my own CA agent, and gave samba a server certificate for ldap. But how can I use the public key to read the database?

Philip
On 10/10/2020 12:56, Philip Offermans via samba wrote:
> Hi I am trying to authenticate my mail server with samba ad.
> The only problem is that I don't get it working.
>
> root@dna:/data/CA/EasyRSA-v3.0.6# ldapsearch -x -h gaia.rompen.lokaal -D 'vmail' -W -b 'cn=users,dc=rompen,dc=lokaal'
> Enter LDAP Password:
> ldap_bind: Strong(er) authentication required (8)
> 	additional info: BindSimple: Transport encryption required.
>
> I can not read the ldap database. I think it is a certificate problem. I made my own CA agent, and gave samba a server certificate for ldap. But how can I use the public key to read the database?
>
> Philip

Try it like this:

ldapsearch -h gaia.rompen.lokaal -U 'vmail' -W -b 'cn=users,dc=rompen,dc=lokaal'

'-D' expects a DN

Rowland
On 10.10.20 at 13:56, Philip Offermans via samba wrote:
> Hi I am trying to authenticate my mail server with samba ad.
> The only problem is that I don't get it working.
>
> root@dna:/data/CA/EasyRSA-v3.0.6# ldapsearch -x -h gaia.rompen.lokaal -D 'vmail' -W -b 'cn=users,dc=rompen,dc=lokaal'
> Enter LDAP Password:
> ldap_bind: Strong(er) authentication required (8)
> 	additional info: BindSimple: Transport encryption required.

If you want to use ldaps, then please check

ldapsearch -x -H ldaps://gaia.rompen.lokaal -D 'vmail' -W -b 'cn=users,dc=rompen,dc=lokaal'

or TLS

ldapsearch -x -ZZ -h gaia.rompen.lokaal -D 'vmail' -W -b 'cn=users,dc=rompen,dc=lokaal'

>
> I can not read the ldap database. I think it is a certificate problem. I made my own CA agent, and gave samba a server certificate for ldap. But how can I use the public key to read the database?
>
> Philip
>

best regards
Michael
On 10/10/2020 13:15, Philip Offermans wrote:
> root@dna:/data/wordpress/database# ldapsearch -h gaia.rompen.lokaal -U 'vmail' -W -b 'cn=users,dc=rompen,dc=lokaal'
> Enter LDAP Password:
> SASL/NTLM authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> 	additional info: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1
>

Strange, I run:

ldapsearch -h dc4.samdom.example.com -U 'rowland' -W -b 'cn=users,dc=samdom,dc=example,dc=com'

At the top of the successful result is this:

Enter LDAP Password:
SASL/GSS-SPNEGO authentication started
SASL username: rowland@SAMDOM.EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF

Do you have libpam-krb5 installed ?

Rowland
On 10/10/2020 13:32, Philip Offermans wrote:
> root@dna:/data/wordpress/database/html# dpkg -s libpam-krb5
> Package: libpam-krb5
> Status: install ok installed
> Priority: optional
> Section: admin
> Installed-Size: 150
> Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
> Architecture: arm64
> Multi-Arch: same
> Version: 4.8-1ubuntu0.1
> Depends: krb5-config, libpam-runtime, libpam0g (>= 0.99.7.1), libc6 (>= 2.26), libkrb5-3 (>= 1.10.2+dfsg)
> Conflicts: libpam-heimdal
> Description: PAM module for MIT Kerberos
>  A Kerberos PAM module build against the MIT Kerberos libraries. It
>  supports authenticating against a Kerberos KDC, obtaining tickets and
>  populating an initial ticket cache, authorizing users via a ~/.k5login
>  file, and changing Kerberos passwords.
> Homepage: https://www.eyrie.org/~eagle/software/pam-krb5/
> Original-Maintainer: Russ Allbery <rra@debian.org>
>
> root@dna:/data/wordpress/database/html# ldapsearch -h gaia.rompen.lokaal -U 'philip' -W -b 'cn=users,dc=rompen,dc=lokaal'
> Enter LDAP Password:
> SASL/NTLM authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> 	additional info: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1
>
> Still the same problem. The packages are installed. Do I need to restart something? Because I just installed the packages. They weren't installed beforehand.
>
> Philip
>

Try running 'pam-auth-update' and see if kerberos auth is set.

Rowland
On 10/10/2020 13:40, Philip Offermans wrote:
> I did. Kerberos auth is set.

This is strange, I run your command against my DC's (adjusted for my domain etc) and it works, so there must be a difference between your domain and mine, but what ?

As you are using 'dpkg' this very probably means Debian or something based on it, so what is your OS ?

What is your DC, Samba or Windows ? If Samba, can you post your smb.conf

Where are you running the ldapsearch command, on a DC or a Unix domain member ? If it is a Unix domain member, what OS is this running and what is in the smb.conf ?

Rowland
On 10/10/2020 14:00, Philip Offermans wrote:
> Ok I am running the command from a domain member.
>
> ldapsrv failed to bind to 0.0.0.0:389 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
>
>
> I am fairly new. I don't fully understand this.
>

It looks like something else is running that is using port 389, do you have openldap installed as well, or did Samba not shut down correctly ?

Can you post what I asked for in my last post ?

Rowland
Almost forgot

Domain controller (raspbian lite):

NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

Domain member (ubuntu-server):

NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

> On 10 Oct 2020, at 15:09, Rowland penny via samba <samba@lists.samba.org> wrote:
>
> On 10/10/2020 14:00, Philip Offermans wrote:
>> Ok I am running the command from a domain member.
>>
>> ldapsrv failed to bind to 0.0.0.0:389 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
>>
>>
>> I am fairly new. I don't fully understand this.
>>
> It looks like something else is running that is using port 389, do you have openldap installed as well, or did Samba not shut down correctly ?
>
> Can you post what I asked for in my last post ?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 10/10/2020 14:20, Philip Offermans wrote:
> I have 2 samba servers. A domain controller, and a domain member.
>
> Domain controller (GAIA):
>
> /etc/hosts
> 127.0.0.1       localhost
> 192.168.88.2    gaia.rompen.lokaal gaia
> ::1             localhost ip6-localhost ip6-loopback
> ff02::1         ip6-allnodes
> ff02::2         ip6-allrouters
>
> 127.0.1.1       gaia

I would remove the '127.0.1.1' from /etc/hosts, ensure whatever requires it isn't using port 53 on 127.0.0.1 and that 192.168.88.2 is a fixed ipaddress for gaia

>
> Firewall is turned off atm. And yes something is running on that port. I am going to look for what it is. I also have an ntp-server running. And ntp and dns are synced between all devices on the network via the DHCP-network settings. So the domain member has gaia as dns and ntp.

You need to find whatever is running on port 389, only Samba should be using this port.

>
> Domain Member (DNA):
> /etc/samba/smb.conf
> [global]
>    netbios name = DNA
>    workgroup = ROMPEN
>    security = ADS
>    realm = ROMPEN.LOKAAL
>    encrypt passwords = yes
>
>    acl allow execute always = yes
>
>    idmap config *:backend = tdb
>    idmap config *:range = 3000-7999
>    idmap config ROMPEN:backend = rid
>    #idmap config ROMPEN:schema_mode = rfc2307
>    idmap config ROMPEN:range = 10000-40000
>
>    winbind refresh tickets = Yes
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    winbind use default domain = yes
>
>    winbind enum users = yes
>    winbind enum groups = yes
>
>    username map = /etc/samba/user.map
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>
>    username map = /etc/samba/user.map
>
>    admin users = administrator
>

You appear to have multiple duplicate lines (unless it is a cut&paste error)

> [share]
>        path = /data/share
>        read only = no
>
> [users]
>    path = /data/home
>    read only = no
>
> [philip]
>        path = /data/philip
>        read only = no
>
> /etc/hosts
> 127.0.0.1 localhost
> 192.168.88.3 dna.rompen.lokaal dna
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
>
> (The ip6 addresses are from docker)

'docker' ???

> Firewall is turned off.
>
> The ldapsearch was from DNA (domain member)
>
> Maybe it is easier to solve this problem via phone.

Sorry, only help via this mailing list :-)

Rowland
On 10/10/2020 14:40, Philip Offermans wrote:
>
>>>
>>>
>>>
>>> (The ip6 addresses are from docker)
>> 'docker' ???
> https://www.docker.com would recommend to check it out some time

No, I should have expanded on that, what I meant was, is one or other of the DC or Unix domain member running in a docker container ?

>
>
>> On 10 Oct 2020, at 14:25, Rowland penny via samba <samba@lists.samba.org> wrote:
>>
>> Strange, I run: ldapsearch -h dc4.samdom.example.com -U 'rowland' -W -b 'cn=users,dc=samdom,dc=example,dc=com'
>>
>> At the top of the successful result is this:
>>
>> Enter LDAP Password:
>> SASL/GSS-SPNEGO authentication started
>> SASL username: rowland@SAMDOM.EXAMPLE.COM
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>>
> What is strange is that I get this
> root@dna:/home/philip# ldapsearch -h gaia.rompen.lokaal -U 'philip' -W -b 'cn=users,dc=rompen,dc=lokaal'
> Enter LDAP Password:
> SASL/NTLM authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> 	additional info: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1
>
> I don't fully understand. But what do you have to fill in by ldap password? The user password or is this a global password? What does sass/N
>

I don't understand it either, you seem to be running the same as I am, but you are using NTLM in the search (SASL/NTLM authentication started) and I am using kerberos:

SASL/GSS-SPNEGO authentication started
SASL username: rowland@SAMDOM.EXAMPLE.COM

I am using Devuan 3 (Debian 10 minus systemd) on the DC and Unix domain member and it works.

However, I have just discovered it doesn't work from Unix domain member running on Raspbian:

pi@raspberrypi:~ $ ldapsearch -h dc4.samdom.example.com -U 'rowland' -W -b 'cn=Users,dc=samdom,dc=example,dc=com'
Enter LDAP Password:
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error:  An unsupported mechanism was requested (unknown mech-code 0 for mech unknown)

Same command against the same DC and it doesn't work :-\

It is still trying to use Kerberos though.

I will get back to you when I find out why it isn't working.

Rowland
On 10/10/2020 15:08, Rowland penny via samba wrote:
> On 10/10/2020 14:40, Philip Offermans wrote:
>>
>>>>
>>>>
>>>>
>>>> (The ip6 addresses are from docker)
>>> 'docker' ???
>> https://www.docker.com would recommend to check it out some time
> No, I should have expanded on that, what I meant was, is one or other of the DC or Unix domain member running in a docker container ?
>>
>>
>>> On 10 Oct 2020, at 14:25, Rowland penny via samba <samba@lists.samba.org> wrote:
>>>
>>> Strange, I run: ldapsearch -h dc4.samdom.example.com -U 'rowland' -W -b 'cn=users,dc=samdom,dc=example,dc=com'
>>>
>>> At the top of the successful result is this:
>>>
>>> Enter LDAP Password:
>>> SASL/GSS-SPNEGO authentication started
>>> SASL username: rowland@SAMDOM.EXAMPLE.COM
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> # extended LDIF
>>>
>> What is strange is that I get this
>> root@dna:/home/philip# ldapsearch -h gaia.rompen.lokaal -U 'philip' -W -b 'cn=users,dc=rompen,dc=lokaal'
>> Enter LDAP Password:
>> SASL/NTLM authentication started
>> Please enter your password:
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>> 	additional info: 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1
>>
>> I don't fully understand. But what do you have to fill in by ldap password? The user password or is this a global password? What does sass/N
>>
> I don't understand it either, you seem to be running the same as I am, but you are using NTLM in the search (SASL/NTLM authentication started) and I am using kerberos:
>
> SASL/GSS-SPNEGO authentication started
> SASL username: rowland@SAMDOM.EXAMPLE.COM
>
> I am using Devuan 3 (Debian 10 minus systemd) on the DC and Unix domain member and it works.
>
> However, I have just discovered it doesn't work from Unix domain member running on Raspbian:
>
> pi@raspberrypi:~ $ ldapsearch -h dc4.samdom.example.com -U 'rowland' -W -b 'cn=Users,dc=samdom,dc=example,dc=com'
> Enter LDAP Password:
> SASL/GSS-SPNEGO authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> 	additional info: SASL(-1): generic failure: GSSAPI Error:  An unsupported mechanism was requested (unknown mech-code 0 for mech unknown)
>
> Same command against the same DC and it doesn't work :-\
>
> It is still trying to use Kerberos though.
>
> I will get back to you when I find out why it isn't working.
>
> Rowland
>
>

OK, found out why it wasn't working on the rpi, I was logged in as 'pi', when I logged in as 'rowland', it works, fairly obvious if you stop and think about it :-D

Try the search with your username & password, not 'vmail'

Rowland
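The thread shows three distinct bind failures that are easy to confuse: a simple bind (-x) that the Samba DC rejects because it arrives in cleartext ("Transport encryption required"), an NTLM SASL bind that the DC rejects with AD data 52e (unknown user or wrong password), and a GSS-SPNEGO bind that fails locally because the invoking Unix user has no Kerberos credential, which is what Rowland hit when running as 'pi'. The triage helper below is an added example, written for this page and not code from the Samba project or from anyone on the thread. It classifies those diagnostics (the samples are constructed from the output quoted above) and builds the ldaps, StartTLS and SASL invocations Michael and Rowland suggested, flagging a non-DN passed to -D and a missing CA trust anchor. The function names, the bind DN cn=vmail,cn=users,dc=rompen,dc=lokaal and the CA path /etc/ssl/certs/rompen-ca.pem are assumptions for illustration.

```python
import re
import shlex
from typing import Optional

# Constructed samples: the stderr of the three failing ldapsearch runs quoted in this thread.
SAMPLE_SIMPLE_BIND = (
    "ldap_bind: Strong(er) authentication required (8)\n"
    "\tadditional info: BindSimple: Transport encryption required.\n"
)
SAMPLE_NTLM_BIND = (
    "SASL/NTLM authentication started\n"
    "ldap_sasl_interactive_bind_s: Invalid credentials (49)\n"
    "\tadditional info: 8009030C: LdapErr: DSID-0C0904DC, comment: "
    "AcceptSecurityContext error, data 52e, v1db1\n"
)
SAMPLE_GSSAPI_BIND = (
    "SASL/GSS-SPNEGO authentication started\n"
    "ldap_sasl_interactive_bind_s: Local error (-2)\n"
    "\tadditional info: SASL(-1): generic failure: GSSAPI Error:  An unsupported "
    "mechanism was requested (unknown mech-code 0 for mech unknown)\n"
)

# One attr=value component of a DN; a bare 'vmail' has no '=' and so is not a DN.
DN_COMPONENT = re.compile(r"\s*[A-Za-z][A-Za-z0-9-]*=[^,]+")


def is_dn(identity: str) -> bool:
    """True when identity is shaped like an LDAP DN (attr=value parts joined by commas)."""
    return all(DN_COMPONENT.fullmatch(part) for part in identity.split(","))


def classify_bind_failure(stderr: str) -> dict:
    """Map ldapsearch bind diagnostics to a cause and the remedy discussed in the thread."""
    mech_m = re.search(r"^SASL/(\S+) authentication started", stderr, re.M)
    mech = mech_m.group(1) if mech_m else "simple"          # no SASL line => simple bind (-x)
    code_m = re.search(r"\((-?\d+)\)\s*$", stderr, re.M)     # LDAP result code, e.g. "(49)"
    code = int(code_m.group(1)) if code_m else None
    info_m = re.search(r"additional info:\s*(.*)", stderr)
    info = info_m.group(1).strip() if info_m else ""

    if code == 8 and "Transport encryption required" in info:
        cause = "cleartext-simple-bind"
        remedy = ("the DC refuses simple binds over cleartext; use -H ldaps://HOST or -ZZ "
                  "and point LDAPTLS_CACERT at the CA that signed the DC's certificate")
    elif code == 49 and "data 52e" in info:
        cause = "bad-credentials"
        remedy = ("AD data 52e is ERROR_LOGON_FAILURE (unknown user or wrong password); "
                  "bind as a real user with that user's password")
    elif code == -2 and mech == "GSS-SPNEGO" and "unsupported mechanism" in info:
        cause = "no-kerberos-credentials"
        remedy = ("Kerberos was chosen but the invoking user has no usable credential; "
                  "run the search as the domain user (or kinit first)")
    else:
        cause, remedy = "unknown", "inspect the diagnostic manually"
    return {"mech": mech, "result_code": code, "cause": cause, "remedy": remedy}


def build_ldapsearch(transport: str, host: str, base: str, identity: str,
                     cacert: Optional[str] = None):
    """Return (argv, env, warnings) for the invocations shown in the thread:
    'ldaps' (-H ldaps://), 'starttls' (-ZZ) or 'gssapi' (-U, SASL bind)."""
    warnings, env = [], {}
    if transport in ("ldaps", "starttls"):
        if not is_dn(identity):
            warnings.append(f"-D expects a DN, got {identity!r}")
        if cacert:
            env["LDAPTLS_CACERT"] = cacert   # OpenLDAP client env var naming the trust anchor
        else:
            warnings.append("no CA certificate given; a private CA is trusted only if "
                            "it is already in the system store")
        tls = ["-H", f"ldaps://{host}"] if transport == "ldaps" else ["-ZZ", "-h", host]
        argv = ["ldapsearch", "-x", *tls, "-D", identity, "-W", "-b", base]
    elif transport == "gssapi":
        argv = ["ldapsearch", "-h", host, "-U", identity, "-W", "-b", base]
    else:
        raise ValueError(f"unknown transport {transport!r}")
    return argv, env, warnings


if __name__ == "__main__":
    for label, sample in (("simple", SAMPLE_SIMPLE_BIND), ("ntlm", SAMPLE_NTLM_BIND),
                          ("gssapi", SAMPLE_GSSAPI_BIND)):
        v = classify_bind_failure(sample)
        print(f"{label:7s} mech={v['mech']:<11} code={v['result_code']!s:<4} cause={v['cause']}")
        print("        remedy:", v["remedy"])
    # Assumed values: the bind DN and the CA path are placeholders, not taken from the thread.
    argv, env, warns = build_ldapsearch(
        "ldaps", "gaia.rompen.lokaal", "cn=users,dc=rompen,dc=lokaal",
        "cn=vmail,cn=users,dc=rompen,dc=lokaal", cacert="/etc/ssl/certs/rompen-ca.pem")
    print(" ".join(f"{k}={val}" for k, val in env.items()), shlex.join(argv), warns)
```

Run it directly to print a verdict for each sample; on a real system, feed ldapsearch's stderr to classify_bind_failure. LDAPTLS_CACERT is the OpenLDAP client variable that names the trust anchor, which is what a private CA like the EasyRSA one in the thread needs before -ZZ or ldaps:// will verify the DC's certificate; the SASL path needs no certificate at all, only a Kerberos credential for the user running the command.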