On 2011-12-28 20:27, steve wrote:
> Hi
>
> I've rfc2703'd the Samba 4 LDAP for a user e.g. steve4. I can search
> the database and view it with phpldapadmin. I can't login from a linux
> console:
>
> ldapsearch -LLL "(cn=steve4)"
>
> SASL/GSSAPI authentication started
> SASL username: ste...@hh3.site
> SASL SSF: 56
> SASL data security layer installed.
> dn: CN=steve4,CN=Users,DC=hh3,DC=site
> cn: steve4
> instanceType: 4
> whenCreated: 20111228090516.0Z
> uSNCreated: 3796
> name: steve4
> objectGUID:: SmOVmHoGLEKtIAG387qdKg==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAb3HIjuGOMdR6frbzWQQAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: steve4
> sAMAccountType: 805306368
> userPrincipalName: ste...@hh3.site
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
> pwdLastSet: 129695367160000000
> userAccountControl: 512
> gidNumber: 100
> unixHomeDirectory: /home/CACTUS/steve4
> loginShell: /bin/bash
> objectClass: top
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: organizationalPerson
> objectClass: user
> uidNumber: 3000019
> uid: steve4
> whenChanged: 20111228160534.0Z
> uSNChanged: 3815
> distinguishedName: CN=steve4,CN=Users,DC=hh3,DC=site
>
> # refldap://hh3.site/CN=Configuration,DC=hh3,DC=site
>
> # refldap://hh3.site/DC=DomainDnsZones,DC=hh3,DC=site
>
> # refldap://hh3.site/DC=ForestDnsZones,DC=hh3,DC=site
>
>
> But when I try to login from an openSUSE box:
>
> su steve4
> su: user steve4 does not exist
>
> and the logs give:
> Dec 28 20:20:04 hh3 worker_nscd: nss-ldap: do_open: do_start_tls
> failed:stat=-1
> Dec 28 20:20:04 hh3 worker_nscd: nss-ldap: do_open: do_start_tls
> failed:stat=-1
> Dec 28 20:20:04 hh3 worker_nscd: nss_ldap: could not search LDAP
> server - Server is unavailable
>
> I have tried with and without tls using the ca.pem and cert.pem
> provisioned in /usr/local/samba/private/tls (it seems that the
> certificate's CN does not match the FQDN of the server).
>
> Samba gives me:
> ldb_wrap open of secrets.ldb
> Terminating connection - 'ldapsrv_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[ldapsrv_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>
> etc/nsswitch.conf
>
> passwd: compat
> group: files ldap
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> passwd_compat: ldap
>
> Anyone been this way before?
> Thanks Steve.

You should create a user in AD for nss-ldap and extract a keytab for it (samba-tool domain exportkeytab --principal=....) and configure nss-ldap to use that keytab for authenticating. Most probably you aren't allowed to bind anonymously to your AD server (you can try with ldapsearch -x).
Regards
Geza

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
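The procedure Geza outlines, written out as an added shell example that is not part of the thread: a dedicated AD account for nss_ldap, a keytab exported for it on the DC, and a client-side check that the anonymous bind is refused, that a ticket can be obtained from the keytab, and that NSS then resolves the AD user. The DC name hh3.site, the base DN and the user steve4 come from the thread; the account name nss-ldap, the realm HH3.SITE, the file paths and the ldap.conf keys (use_sasl, sasl_mech, krb5_ccname, as accepted by PADL nss_ldap) are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: wire nss_ldap on a Linux client to a
# Samba 4 AD DC with a dedicated service account and keytab, and verify it.
# The DC name, base DN and user steve4 come from the thread; the account
# name, realm and file paths are assumptions.
set -eu

DC="hh3.site"                      # AD DC FQDN (thread)
REALM="HH3.SITE"                   # Kerberos realm (assumed: upper-cased domain)
BASE="DC=hh3,DC=site"
NSS_USER="nss-ldap"                # assumed service account name
KEYTAB="/etc/nss-ldap.keytab"      # assumed path
CCACHE="/var/run/nss-ldap.ccache"  # assumed path
TEST_USER="steve4"

# Build the principal name samba-tool and kinit expect.
principal() { printf '%s@%s\n' "$1" "$2"; }

# Check that an nss_ldap ldap.conf turns on SASL/GSSAPI and points at a
# credential cache, so lookups bind with the keytab ticket, not anonymously.
conf_ok() {
  grep -qE '^[[:space:]]*use_sasl[[:space:]]+on' "$1" &&
  grep -qE '^[[:space:]]*sasl_mech[[:space:]]+GSSAPI' "$1" &&
  grep -qE '^[[:space:]]*krb5_ccname[[:space:]]+FILE:' "$1"
}

# On the DC (as root): create the account and export its keytab.
dc_side() {
  samba-tool user create "$NSS_USER" --random-password
  samba-tool domain exportkeytab "$KEYTAB" \
    --principal="$(principal "$NSS_USER" "$REALM")"
  chmod 600 "$KEYTAB"
}

# On the client: show the anonymous bind fails, get a ticket from the
# keytab, check the nss_ldap config, then confirm NSS resolves the AD user.
client_side() {
  ldapsearch -x -H "ldap://$DC" -b "$BASE" "(sAMAccountName=$TEST_USER)" dn \
    || echo "anonymous bind refused, as expected on AD"
  kinit -k -t "$KEYTAB" -c "$CCACHE" "$(principal "$NSS_USER" "$REALM")"
  conf_ok /etc/ldap.conf || { echo "ldap.conf lacks use_sasl/sasl_mech/krb5_ccname"; return 1; }
  getent passwd "$TEST_USER"
}

case "${1:-}" in
  dc) dc_side ;;
  client) client_side ;;
esac
```

nss_ldap does not renew the ticket itself, so the kinit step has to be repeated (for example from cron) before the ticket lifetime runs out, or lookups silently fall back to the "Server is unavailable" state seen in the thread.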