1. Forum
  2. Usenet
  3. LINUX.SAMBA

  • [Samba] LDAP logins failing after installing Samba 4.4.5

    From Andrew Bartlett via samba@21:1/5 to Rowland Penny via samba on Tue Mar 7 22:30:01 2017
    On Tue, 2017-03-07 at 09:05 +0000, Rowland Penny via samba wrote:
    On Tue, 7 Mar 2017 01:50:31 +0100
    Bart Coninckx via samba <[email protected]> wrote:

    Hi all,

     
    I had an LDAP application (mailserver) running on Samba 4.1.3 which
    wrked flawlessly. Also using an LDAP browser with a simple bind
    worked OK.

    I than replaced the Samba installation with version 4.5 and the
    LDAP
    functionality broke. I first thought it had to do with a non-SSL or
    non -TLS and though I now get an error message when doing a simple
    bind without encryption, activating encryption does not work
    either.

     
    Is there a way to configure how Samba expects LDAP binds to happen?

    AD does not allow simple binds, It might help if you told us just
    what
    mailserver you are using.

    To be clear, AD does allow simple binds. We restrict them in Samba per
    the "ldap server require strong auth" parameter.

    Thanks,

    Andrew Bartlett

    --
    To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From =?utf-8?Q?Bart_Coninckx?= via samba@21:1/5 to All on Tue Mar 7 23:10:01 2017
    AD does not allow simple binds, It might help if you told us just
    what
    mailserver you are using.

    To be clear, AD does allow simple binds.  We restrict them in Samba per
    the "ldap server require strong auth" parameter.

    Thanks,

    Andrew Bartlett
     
    Hi,

     
    This was exactly what the mailserver people suggested and it worked beautifully. 

    Since the connection is local, encryption, though better, can be done without. I was thinking that simple bind activation needed to be done with a GPO, but a parameter in smb.conf makes of course more sense.

     
    BC

    --
    To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Rowland Penny via samba@21:1/5 to Andrew Bartlett on Wed Mar 8 09:50:03 2017
    On Wed, 08 Mar 2017 10:22:27 +1300
    Andrew Bartlett <[email protected]> wrote:


    To be clear, AD does allow simple binds. We restrict them in Samba
    per the "ldap server require strong auth" parameter.


    It all depends on your definition of 'simple', mine was without
    authenticated username and password.

    Rowland



    --
    To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew Bartlett via samba@21:1/5 to Rowland Penny via samba on Wed Mar 8 19:10:01 2017
    On Wed, 2017-03-08 at 08:41 +0000, Rowland Penny via samba wrote:
    On Wed, 08 Mar 2017 10:22:27 +1300
    Andrew Bartlett <[email protected]> wrote:


    To be clear, AD does allow simple binds.  We restrict them in Samba
    per the "ldap server require strong auth" parameter. 


    It all depends on your definition of 'simple', mine was without
    authenticated username and password.

    The words "simple bind" have a specific meaning in the spec:

    https://tools.ietf.org/html/rfc4513#section-5.1

    (What we don't implement is 5.1.2, that is treating a user DN but no
    password as special, we will just fail the login with
    invalidCredentials rather than unwillingToPerform).

    I hope this helps clarify the terms in use here,

    Andrew Bartlett

    --
    Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
    Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba


    --
    To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)