On 4/23/2011 2:34 PM, Andrew Dumaresq wrote:
Hi,

I've got ldapsearch mostly working:

root@morannon:/usr/local/samba/private/tls# ldapsearch '(sAMAccountName=dumaresq)'
SASL/GSSAPI authentication started
SASL username: administrator@XXX
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (sAMAccountName=dumaresq)
# requesting: ALL
#

results in here...


# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1


I cannot get ldapsearch -Z or ldaps working:

ldapsearch '(sAMAccountName=dumaresq)' -Z
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used


Here is what I get in samba.log when I run that command:

[2011/04/23 14:29:56, 3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56, 3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56, 3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56, 3] ../source4/smbd/service_stream.c:62(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2011/04/23 14:29:56, 3] ../source4/smbd/process_single.c:104(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]


I'm not sure where to go from here. I've tried several different options in /etc/ldap/ldap.conf and I always get that error, unless I comment out TLS_REQCERT allow, in which case I get:

ldapsearch '(sAMAccountName=dumaresq)' -Z
ldap_start_tls: Connect error (-11)
        additional info: (unknown error code)
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1
        additional info: (unknown error code)



Update...

I did get ldaps and -Z working, but I can't do it with SASL. I can't find docs that say so, but is it possible that SASL (GSSAPI) and ldaps are not compatible?


ldapsearch -H ldaps://ldapserver.domain -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used

dumaresq@morannon:~$ ldapsearch -H ldaps://ldapserver.domain -D 'CN=Administrator,CN=Users,DC=dumaresq,DC=local' -w AdminsPassword '(sAMAccountName=dumaresq)'
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (sAMAccountName=dumaresq)
# requesting: ALL
#

(response in here)

# numResponses: 2
# numEntries: 1

So the question is: are SASL and ldaps not compatible, and if that is the case, which is better? I like GSSAPI because I don't need to store passwords on the system, but I'm not clear on how encrypted the data being transmitted is. I did a packet capture and I do see some data that doesn't look like clear text, but that's all I know for sure :)

Comments, suggestions?
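An added example, not from Andrew's post and not code from the Samba or OpenLDAP projects: a small Python checker that answers the "how encrypted is it" question from nothing more than the ldapsearch command line and the SASL banner lines the OpenLDAP client prints. The transcripts embedded in it are constructed to mirror the output in the post (host names, realm and password are placeholders). It relies on two pieces of OpenLDAP client behaviour: a "SASL SSF: N" line followed by "SASL data security layer installed." means the GSSAPI layer is wrapping every LDAP PDU with integrity and confidentiality (the SSF 56 in the first transcript is such a layer), and the -O maxssf=0 security property (also settable as SASL_SECPROPS maxssf=0 in ldap.conf) tells the client not to negotiate that layer, which is how GSSAPI authentication is combined with ldaps:// or -Z when the server refuses sign/seal on top of TLS.

```python
"""Classify what, if anything, protects an ldapsearch session on the wire.

Added example (not from the post, Samba or OpenLDAP). Input is the ldapsearch
command line plus the SASL banner lines the client prints; output says whether
the LDAP traffic is protected by a GSSAPI security layer, by TLS, by both, or
by nothing at all.
"""
import re
import shlex

# Transcripts constructed to mirror the kind of output shown in the post;
# they were not captured from a real host. Host, realm and password are placeholders.
SESSIONS = {
    "gssapi_plain_port": (
        "ldapsearch '(sAMAccountName=dumaresq)'",
        "SASL/GSSAPI authentication started\n"
        "SASL username: administrator@EXAMPLE\n"
        "SASL SSF: 56\n"
        "SASL data security layer installed.\n"
        "# search result\n"
        "result: 0 Success\n",
    ),
    "gssapi_starttls_refused": (
        "ldapsearch '(sAMAccountName=dumaresq)' -Z",
        "SASL/GSSAPI authentication started\n"
        "ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)\n"
        "additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used\n",
    ),
    # GSSAPI for authentication, TLS for the data: -O maxssf=0 suppresses the SASL layer.
    "gssapi_ldaps_no_layer": (
        "ldapsearch -H ldaps://ldapserver.example -Y GSSAPI -O maxssf=0 '(sAMAccountName=dumaresq)'",
        "SASL/GSSAPI authentication started\n"
        "SASL username: administrator@EXAMPLE\n"
        "SASL SSF: 0\n"
        "# search result\n"
        "result: 0 Success\n",
    ),
    "simple_bind_ldaps": (
        "ldapsearch -H ldaps://ldapserver.example -D 'CN=Administrator,CN=Users,DC=example,DC=local' "
        "-w PLACEHOLDER '(sAMAccountName=dumaresq)'",
        "# search result\nresult: 0 Success\n",
    ),
    "simple_bind_cleartext": (
        "ldapsearch -H ldap://ldapserver.example -D 'CN=Administrator,CN=Users,DC=example,DC=local' "
        "-w PLACEHOLDER '(sAMAccountName=dumaresq)'",
        "# search result\nresult: 0 Success\n",
    ),
}

SSF_RE = re.compile(r"^SASL SSF: (\d+)$", re.MULTILINE)
LAYER_LINE = "SASL data security layer installed."
SEAL_CONFLICT = "Sign or Seal are not allowed if TLS is used"

VERDICT_TEXT = {
    "sasl-layer": "GSSAPI security layer wraps all LDAP PDUs (integrity + confidentiality)",
    "tls": "TLS protects the session; no SASL layer on top",
    "tls+sasl-layer": "both TLS and a GSSAPI layer (double encryption; AD DCs normally refuse this)",
    "refused": "server refused a GSSAPI sign/seal layer over TLS; retry with -O maxssf=0",
    "cleartext": "NO protection: LDAP traffic and any simple-bind password are sent in clear",
    "failed": "no successful search; nothing to assess",
}


def uses_tls(cmdline):
    """True if the client asked for TLS: -Z/-ZZ (StartTLS) or an ldaps:// URI."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg in ("-Z", "-ZZ"):
            return True
        uri = None
        if arg == "-H" and i + 1 < len(args):
            uri = args[i + 1]
        elif arg.startswith("-H") and len(arg) > 2:
            uri = arg[2:]
        if uri and uri.lower().startswith("ldaps://"):
            return True
    return False


def sasl_layer_ssf(output):
    """SSF of an installed SASL security layer, or 0 when none was negotiated."""
    m = SSF_RE.search(output)
    if m and LAYER_LINE in output:
        return int(m.group(1))
    return 0


def classify(cmdline, output):
    """Return {'tls': bool, 'sasl_ssf': int, 'verdict': key into VERDICT_TEXT}."""
    tls = uses_tls(cmdline)
    ssf = sasl_layer_ssf(output)
    if SEAL_CONFLICT in output:
        verdict = "refused"
    elif "result: 0 Success" not in output:
        verdict = "failed"
    elif tls and ssf:
        verdict = "tls+sasl-layer"
    elif tls:
        verdict = "tls"
    elif ssf:
        verdict = "sasl-layer"
    else:
        verdict = "cleartext"
    return {"tls": tls, "sasl_ssf": ssf, "verdict": verdict}


if __name__ == "__main__":
    for name, (cmd, out) in SESSIONS.items():
        r = classify(cmd, out)
        print(f"{name:26s} tls={r['tls']!s:5s} ssf={r['sasl_ssf']:3d}  {VERDICT_TEXT[r['verdict']]}")
```

Run it and the first transcript (the one that works in the post) comes out as "sasl-layer" with SSF 56: the GSSAPI wrap is what made the packet capture look like non-cleartext. The -Z transcript is the "refused" case, and the GSSAPI-over-ldaps transcript with -O maxssf=0 comes out as "tls", so the two mechanisms are not incompatible, they just must not both provide a security layer at once.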