Re: Issue with nslcd and Samba 4
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: "jul.gil [at] gmail.com" <jul.gil [at] gmail.com>, nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Issue with nslcd and Samba 4
- Date: Sun, 18 Sep 2016 17:49:02 +0200
On Sat, 2016-09-17 at 16:48 +0000, jul.gil@gmail.com wrote:
> I am trying to configure authentication with Samba 4 as AD, but it
> does not work.
> - I use the latest packages of samba, nslcd, libpam-ldapd from Debian
> stretch
> - I follow the samba documentation
> https://wiki.samba.org/index.php/Nslcd#Method_2:_Connecting_to_AD_via_Kerberos
> - getent passwd works well, but the ssh / login failed
> - using nslcd -d I have the following output :
>
> nslcd: [b0dc51] DEBUG: connection from pid=28723 uid=0 gid=0
> nslcd: [b0dc51] <authc="julien"> DEBUG: nslcd_pam_authc("julien","sshd","***")
[...]
> nslcd: [b0dc51] <authc="julien"> DEBUG:
> myldap_search(base="CN=julien,CN=Users,DC=gilles,DC=lan",
> filter="(objectClass=*)")
> nslcd: [b0dc51] <authc="julien"> DEBUG: ldap_initialize(ldap:///192.168.0.1)
[...]
> nslcd: [b0dc51] <authc="julien"> DEBUG:
> ldap_sasl_bind("CN=julien,CN=Users,DC=gilles,DC=lan","***")
> (uri="ldap:///192.168.0.1") (ppolicy=yes)
> nslcd: [b0dc51] <authc="julien"> DEBUG: ldap_parse_result() result:
> Strong(er) authentication required: BindSimple: Transport encryption required.
> nslcd: [b0dc51] <authc="julien"> DEBUG: failed to bind to LDAP server
> ldap:///192.168.0.1: Strong(er) authentication required: BindSimple:
> Transport encryption required.
>
> It seems to me that the kerberos authentication is ok, as nslcd is
> able to find the account in the ldap, but the test of the password
> fails because of a protocol issue (Strong(er) authentication
> required: BindSimple: Transport encryption required).
The error message seems to suggest that communication between nslcd and
Samba needs to be encrypted. This can be accomplished by either
using an ldaps://... URI or "ssl start_tls" in nslcd.conf. This can be
further tuned with SSL/TLS options as described in the nslcd.conf
manual page.
Note that nslcd does not perform Kerberos authentication, only LDAP
BIND (username/password) authentication and authorisation. If you want
Kerberos you probably need libpam-krb5, libpam-heimdal or libpam-sss.
Hope this helps,
--
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
--
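
A small checker for the condition discussed in this thread, as an added example that is not part of the original message or of nss-pam-ldapd: it reads nslcd.conf text and reports ldap:// URIs that would carry a simple bind without "ssl on" or "ssl start_tls", plus tls_reqcert values that skip server certificate checks. The host name, CA file path, function name and both sample configurations are constructed for illustration.

```python
# Added example: flag nslcd.conf settings that send LDAP simple binds in cleartext.
ENCRYPTING_SSL = {"on", "start_tls"}  # "ssl" values that enable TLS for ldap:// URIs
WEAK_REQCERT = {"never", "allow"}     # values that accept a bad or missing server cert

# Constructed sample: plain ldap:// with no ssl option.
WEAK = """\
uri ldap://dc1.example.lan
base dc=example,dc=lan
"""

# Constructed sample: same server, StartTLS with strict certificate checking.
FIXED = """\
uri ldap://dc1.example.lan
base dc=example,dc=lan
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-ca.pem
"""

def audit_nslcd_conf(text):
    """Return a list of (finding, detail) tuples for transport-encryption issues."""
    uris, opts = [], {}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        key = fields[0].lower()
        if key == "uri":
            uris += fields[1:]  # several URIs may be given, on one line or repeated
        elif key in ("ssl", "tls_reqcert") and len(fields) > 1:
            opts[key] = fields[1].lower()

    findings, tls_used = [], False
    for uri in uris:
        scheme = uri.split("://", 1)[0].lower()
        if scheme == "ldaps" or (scheme == "ldap" and opts.get("ssl") in ENCRYPTING_SSL):
            tls_used = True
        elif scheme == "ldap":
            findings.append(("cleartext", uri))  # simple bind password unprotected
    if tls_used and opts.get("tls_reqcert") in WEAK_REQCERT:
        findings.append(("unverified-cert", opts["tls_reqcert"]))
    return findings

if __name__ == "__main__":
    print("weak: ", audit_nslcd_conf(WEAK))
    print("fixed:", audit_nslcd_conf(FIXED))
```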