| Field | Value |
|---|---|
| Summary | net/samba413: ldapsearch Invalid credentials |
| Product | Ports & Packages |
| Reporter | rdunkle |
| Component | Individual Port(s) |
| Assignee | FreeBSD Samba Team <samba> |
| Status | New --- |
| Severity | Affects Only Me |
| CC | 0mp, Marcel.Poetter, dgeo, masamory7, rene |
| Priority | --- |
| Flags | bugzilla: maintainer-feedback? (timur) |
| Version | Latest |
| Hardware | Any |
| OS | Any |
| Attachments | |
Description

rdunkle, 2021-01-03 15:27:49 UTC

I now understand why Apache Studio does not log in to ldaps://. There is a parameter in smb4.conf:

```
tls verify peer =
```

It defaults to:

```
tls verify peer = as_strict_as_possible
```

This will reject a wildcard certificate. For testing I changed to:

```
tls verify peer = no_check
```

Apache Studio will now connect with:

```
dc1 port 636 ldaps:// simple authentication | administrator | password
```

And Apache Directory Studio will connect with:

```
dc1 port 389 use StartTLS simple authentication | administrator | password
```

I think there is some other problem lurking with ldap. I notice this command fails:

```
# samba-tool forest directory_service dsheuristics 0000002 -H ldaps://localhost --simple-bind-dn='administrator@smallcatbrain.com'
Failed to connect to ldap URL 'ldaps://localhost' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldaps://localhost' with backend 'ldaps': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/forest.py", line 108, in run
    credentials=creds, lp=lp)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 67, in __init__
    options=options)
  File "/usr/local/lib/python3.7/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 82, in connect
    options=options)
```

I think this is another problem with ldap. Unable to join a domain.
```
root@dc2:~ # samba-tool domain join smallcatbrain DC -k yes -U"SMALLCATBRAIN.COM\administrator" --option=' dns forwarder=192.168.2.1' --option='idmap_ldb:use rfc2307=yes' --option="vfs objects=zfsacl dfs_samba4 acl_xattr"
INFO 2021-01-04 17:20:07,613 pid:1055 /usr/local/lib/python3.7/site-packages/samba/join.py #107: Finding a writeable DC for domain 'smallcatbrain'
INFO 2021-01-04 17:20:07,647 pid:1055 /usr/local/lib/python3.7/site-packages/samba/join.py #109: Found DC dc1.smallcatbrain.com
Failed to connect to ldap URL 'ldap://dc1.smallcatbrain.com' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://dc1.smallcatbrain.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line 668, in run
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/join.py", line 1539, in join_DC
    backend_store_size=backend_store_size)
  File "/usr/local/lib/python3.7/site-packages/samba/join.py", line 112, in __init__
    credentials=ctx.creds, lp=ctx.lp)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 67, in __init__
    options=options)
  File "/usr/local/lib/python3.7/site-packages/samba/__init__.py", line 115, in __init__
    self.connect(url, flags, options)
  File "/usr/local/lib/python3.7/site-packages/samba/samdb.py", line 82, in connect
    options=options)
```

Created attachment 222965: patch for ldap client function is broken

This seems to be a similar problem. https://www.spinics.net/lists/samba/msg167028.html

From 4.13.0 to 4.13.7, important features are still broken. What is the maintainer doing?
> Importance: --- Affects Only Me

This is not true, this affects everyone running two domain controllers (so like nearly everyone using Samba for Active Directory). 4.13 is not usable and broken.

Hi,

We found this bug after successfully setting up a pair of DCs on 4.12 and unsuccessfully upgrading with 4.13.7 with these exact errors and symptoms... So it seems to affect more than one user ;)

I'll try the patch later, for now we'll stick to 4.12 (note: we are using jails and didn't try without).

Is this still a problem with net/samba416 or net/samba419?

I switched to Debian for Samba with domain controllers. Samba standalone works fine in FreeBSD. Is there anyone to work with this again?

Nope, 416 and 419 seem to work fine.
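The description above works around a failing peer check by setting `tls verify peer = no_check`, which accepts any certificate presented on port 636. As an added example (not part of this bug report, and not Samba's own code) the script below implements the standard DNS name rule a strict verifier applies (RFC 6125 wildcard matching) and a helper that opens an LDAPS session with CA and hostname verification left on; it does not model Samba's individual `tls verify peer` modes, and the certificate names and hosts it uses are constructed.

```python
import socket
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match of one certificate DNS-ID against the intended host.
    A wildcard is accepted only as the entire leftmost label, only when at
    least two labels follow it, and it matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False  # partial wildcard, bare "*.tld", or label-count mismatch
    return plabels[1:] == hlabels[1:]


def cert_matches_host(san_dns_names, hostname: str) -> bool:
    """True if any subjectAltName DNS entry covers the host being contacted."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


def verify_ldaps_endpoint(host: str, port: int = 636, cafile=None):
    """Connect to an LDAPS port with chain and hostname checks enabled (the
    opposite of no_check) and return the peer's DNS SANs. Raises
    ssl.SSLCertVerificationError if the chain or the name is rejected."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed SAN list for a wildcard certificate like the one the report mentions.
    wildcard_san = ["*.smallcatbrain.com"]
    for host in ("dc1.smallcatbrain.com", "localhost", "a.b.smallcatbrain.com"):
        print(host, "covered" if cert_matches_host(wildcard_san, host) else "NOT covered")
```

Under this rule the wildcard covers `dc1.smallcatbrain.com` but not `localhost` or a name with an extra label, which is the check that `no_check` silently skips.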