
Re: Issue with nslcd and Samba 4

On Sat, 2016-09-17 at 16:48 +0000, jul.gil@gmail.com wrote:
> I am trying to configure authentication with Samba 4 as AD, but it
> does not work.
> - I use the latest packages of samba, nslcd, libpam-ldapd from Debian
> stretch
> - I follow the samba documentation
> https://wiki.samba.org/index.php/Nslcd#Method_2:_Connecting_to_AD_via_Kerberos
> - getent passwd works well, but the ssh / login failed
> - using nslcd -d I have the following output :
> 
> nslcd: [b0dc51] DEBUG: connection from pid=28723 uid=0 gid=0
> nslcd: [b0dc51] <authc="julien"> DEBUG: nslcd_pam_authc("julien","sshd","***")
[...]
> nslcd: [b0dc51] <authc="julien"> DEBUG: 
> myldap_search(base="CN=julien,CN=Users,DC=gilles,DC=lan", 
> filter="(objectClass=*)")
> nslcd: [b0dc51] <authc="julien"> DEBUG: ldap_initialize(ldap:///192.168.0.1)
[...]
> nslcd: [b0dc51] <authc="julien"> DEBUG: 
> ldap_sasl_bind("CN=julien,CN=Users,DC=gilles,DC=lan","***") 
> (uri="ldap:///192.168.0.1";) (ppolicy=yes)
> nslcd: [b0dc51] <authc="julien"> DEBUG: ldap_parse_result() result: 
> Strong(er) authentication required: BindSimple: Transport encryption required.
> nslcd: [b0dc51] <authc="julien"> DEBUG: failed to bind to LDAP server 
> ldap:///192.168.0.1: Strong(er) authentication required: BindSimple: 
> Transport encryption required.
> 
> It seems to me that the kerberos authentication is ok, as nslcd is
> able to find the account in the ldap, but the test of the password
> fails because of a protocol issue (Strong(er) authentication
> required: BindSimple: Transport encryption required).

The error message seems to suggest that communication between nslcd and
Samba needs to be encrypted. This can be accomplished either by using
an ldaps://... URI or by setting "ssl start_tls" in nslcd.conf. It can
be further tuned with the SSL/TLS options described in the nslcd.conf
manual page.

Note that nslcd does not perform Kerberos authentication, only LDAP
BIND (username/password) authentication and authorisation. If you want
Kerberos you probably need libpam-krb5, libpam-heimdal or libpam-sss.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
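Added example (not part of the thread and not code from the nss-pam-ldapd project): a small shell lint for nslcd.conf that flags the exact failure mode above. The bind that fails in the log is the per-user simple BIND that nslcd_pam_authc performs with the user's password; Samba AD refuses such a bind over an unencrypted ldap:// connection (that is what "BindSimple: Transport encryption required" means), so the fix is to put TLS under it, not to relax the DC. The keywords uri, ssl, tls_reqcert and tls_cacertfile are real nslcd.conf(5) options; the host 192.168.0.1 and the base dc=gilles,dc=lan are taken from the log in the thread; the CA file path, the temporary file names and the three sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from nss-pam-ldapd.
# Lints an nslcd.conf for the failure discussed above: the user's password
# BIND (nslcd_pam_authc -> simple BIND) sent over a plain ldap:// URI with
# no TLS, which Samba AD rejects with
# "Strong(er) authentication required: BindSimple: Transport encryption required".

# nslcd_tls_check FILE
# Returns 0 when every "uri" is protected (ldaps://, ldapi://, or ldap://
# upgraded by "ssl start_tls" / "ssl on") and the DC certificate is verified
# (tls_reqcert demand or hard); returns 1 otherwise. Prints one line per finding.
nslcd_tls_check() {
    conf=$1
    rc=0
    # Drop comment and blank lines; nslcd.conf is "keyword value..." per line.
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    # Last occurrence of a keyword wins. "ssl" defaults to off; an unset
    # tls_reqcert falls back to the libldap default (TLS_REQCERT demand).
    ssl_mode=$(printf '%s\n' "$body" | awk '$1=="ssl"{m=$2} END{print (m==""?"off":m)}')
    reqcert=$(printf '%s\n' "$body" | awk '$1=="tls_reqcert"{r=$2} END{print (r==""?"demand":r)}')
    # "uri" may appear on several lines and may list several URIs per line.
    uris=$(printf '%s\n' "$body" | awk '$1=="uri"{for(i=2;i<=NF;i++)print $i}')
    [ -n "$uris" ] || { echo "FAIL: no uri configured"; return 1; }

    for u in $uris; do
        case $u in
            ldaps://*) echo "ok:   $u (LDAP over TLS)" ;;
            ldapi://*) echo "ok:   $u (local unix socket, never leaves the host)" ;;
            ldap://*)
                if [ "$ssl_mode" = start_tls ] || [ "$ssl_mode" = on ]; then
                    echo "ok:   $u upgraded by 'ssl $ssl_mode'"
                else
                    echo "FAIL: $u with 'ssl $ssl_mode': the user's password BIND goes in the clear; AD will refuse it"
                    rc=1
                fi ;;
            *) echo "FAIL: unrecognised uri '$u'"; rc=1 ;;
        esac
    done
    # TLS without certificate verification only hides the password from a
    # passive sniffer; an active attacker can still pose as the DC.
    case $reqcert in
        demand|hard) ;;
        *) echo "FAIL: tls_reqcert $reqcert: DC certificate is not verified"; rc=1 ;;
    esac
    return $rc
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed: the shape of the configuration behind the error in the thread
# (plain ldap://, no ssl line).
cat > "$tmp/weak.conf" <<'EOF'
uid nslcd
gid nslcd
uri ldap://192.168.0.1
base dc=gilles,dc=lan
EOF

# Constructed: the StartTLS variant of the fix from the reply, with the DC
# certificate checked against a CA file (assumed path).
cat > "$tmp/fixed.conf" <<'EOF'
uid nslcd
gid nslcd
uri ldap://192.168.0.1
base dc=gilles,dc=lan
ssl start_tls
tls_reqcert demand
# assumed path of the AD CA certificate
tls_cacertfile /etc/ssl/certs/gilles-lan-ca.pem
EOF

# Constructed: LDAPS but with verification switched off, a common "fix" that
# makes the error go away while leaving the password open to a MITM.
cat > "$tmp/lax.conf" <<'EOF'
uid nslcd
gid nslcd
uri ldaps://192.168.0.1
base dc=gilles,dc=lan
tls_reqcert never
EOF

for f in weak fixed lax; do
    echo "== $f.conf"
    nslcd_tls_check "$tmp/$f.conf" || echo "   -> fix before enabling pam_ldap"
done

# Live check against the DC once the file is in place (needs network, not run here);
# -ZZ makes ldapsearch fail unless StartTLS succeeds, mirroring what nslcd will do:
#   ldapsearch -ZZ -H ldap://192.168.0.1 -x -D 'CN=julien,CN=Users,DC=gilles,DC=lan' -W \
#       -b DC=gilles,DC=lan -s base
```

The refusal is Samba's side of CVE-2016-2112 hardening (the smb.conf setting "ldap server require strong auth", default yes on 4.5 and later, which is what Debian stretch ships); keep that setting and give nslcd TLS instead. Note that "getent passwd" working proves nothing about the password path: lookups use nslcd's own bind (GSSAPI with the wiki's method 2), while the PAM check is a separate simple BIND with the user's credentials, and only that BIND needs the encrypted transport.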