Re: [Samba] ldapsearch with samba4 (now a question about SASL and ldaps

2011-04-27 Thread Matthieu Patou

On 26/04/2011 01:20, Andrew Dumaresq wrote:



On 4/25/2011 10:14 AM, Matthieu Patou wrote:

Hello Andrew,
What is -Z supposed to do?
-Z and ldaps are pretty much the same thing as I recall... basically 
putting ldapsearch in SSL or TLS...

Have a look at ldbsearch (our ldap like search tool).

Can you try ldbsearch -H ldaps://name_of_your_dc  -k 1
It should work to do GSSAPI (kerberos) and ldaps, at least it works 
for me!

Can you also try ldbsearch -H ldaps://name_of_your_dc -U user_in_the_ad

ldbsearch does work, but I am trying to use ldap pam, which basically 
does ldapsearch so this solution won't work for me.


Then a trace between the client and the server is needed to understand 
why it's not working with ldapsearch when it's working with ldbsearch.



Matthieu.

--
Matthieu Patou
Samba Team  http://samba.org
Private repo  http://git.samba.org/?p=mat/samba.git;a=summary


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] ldapsearch with samba4 (now a question about SASL and ldaps

2011-04-25 Thread Matthieu Patou

Hello Andrew,


Update...

I did get ldaps and -Z working, but I can't do it with SASL, I can't 
find docs that say, but is it possible that SASL (GSSAPI) and ldaps 
are not compatible?



What is -Z supposed to do?


ldapsearch -H ldaps://ldapserver.domain -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used


[snip]
So the question is: are SASL and ldaps not compatible, and if that is 
the case, which is better?  I like GSSAPI because I don't need to store 
passwords on the system, but I'm not clear on how encrypted the data 
being transmitted is.  I did a packet capture and I do see some data 
that doesn't look like clear text, but that's all I know for sure :)



Have a look at ldbsearch (our ldap like search tool).

Can you try ldbsearch -H ldaps://name_of_your_dc  -k 1
It should work to do GSSAPI (kerberos) and ldaps, at least it works for me!
Can you also try ldbsearch -H ldaps://name_of_your_dc -U user_in_the_ad



--
Matthieu Patou
Samba Team  http://samba.org
Private repo  http://git.samba.org/?p=mat/samba.git;a=summary




Re: [Samba] ldapsearch with samba4 (now a question about SASL and ldaps

2011-04-25 Thread Andrew Dumaresq



On 4/25/2011 10:14 AM, Matthieu Patou wrote:

Hello Andrew,
What is -Z supposed to do?
-Z and ldaps are pretty much the same thing as I recall... basically 
putting ldapsearch in SSL or TLS...

Have a look at ldbsearch (our ldap like search tool).

Can you try ldbsearch -H ldaps://name_of_your_dc  -k 1
It should work to do GSSAPI (kerberos) and ldaps, at least it works 
for me!

Can you also try ldbsearch -H ldaps://name_of_your_dc -U user_in_the_ad

ldbsearch does work, but I am trying to use ldap pam, which basically 
does ldapsearch so this solution won't work for me.






Re: [Samba] ldapsearch with samba4 (now a question about SASL and ldaps

2011-04-24 Thread Andrew Dumaresq



On 4/23/2011 2:34 PM, Andrew Dumaresq wrote:

Hi,

I've got ldapsearch mostly working:

root@morannon:/usr/local/samba/private/tls# ldapsearch '(sAMAccountName=dumaresq)'

SASL/GSSAPI authentication started
SASL username: administrator@XXX
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  (default) with scope subtree
# filter: (sAMAccountName=dumaresq)
# requesting: ALL
#

results in here...


# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1


I cannot get ldapsearch -Z  or ldaps working:

ldapsearch '(sAMAccountName=dumaresq)' -Z
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used



Here is what I get in samba.log when I did that command:

[2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56,  3] ../source4/smbd/service_stream.c:62(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2011/04/23 14:29:56,  3] ../source4/smbd/process_single.c:104(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]



I'm not sure where to go from here.  I've tried several different 
options in /etc/ldap/ldap.conf and I always get that error, unless I 
comment out #TLS_REQCERT allow

then I get:

ldapsearch '(sAMAccountName=dumaresq)' -Z
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)




Update...

I did get ldaps and -Z working, but I can't do it with SASL, I can't 
find docs that say, but is it possible that SASL (GSSAPI) and ldaps are 
not compatible?



ldapsearch -H ldaps://ldapserver.domain -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used


dumaresq@morannon:~$ ldapsearch -H ldaps://ldapserver.domain -D 'CN=Administrator,CN=Users,DC=dumaresq,DC=local' -w AdminsPassword '(sAMAccountName=dumaresq)'

# extended LDIF
#
# LDAPv3
# base  (default) with scope subtree
# filter: (sAMAccountName=dumaresq)
# requesting: ALL
#

(response in here)

# numResponses: 2
# numEntries: 1

So the question is: are SASL and ldaps not compatible, and if that is the 
case, which is better?  I like GSSAPI because I don't need to store 
passwords on the system, but I'm not clear on how encrypted the data 
being transmitted is.  I did a packet capture and I do see some data 
that doesn't look like clear text, but that's all I know for sure :)


Comments, suggestions?
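The two sessions quoted above show the two protection modes the thread is asking about: a plain-ldap bind where SASL/GSSAPI installs its own sign/seal layer ("SASL SSF: 56 ... data security layer installed"), and an ldaps bind where the server refuses that layer because TLS is already in place. The script below is an added example, written for this page and not taken from the thread or from Samba's tools. It classifies an ldapsearch transcript into one of those modes and builds the client arguments that avoid the refusal: OpenLDAP's `-O maxssf=0` security property caps the SASL layer at zero so GSSAPI only authenticates and TLS carries the traffic, while `-O minssf=1` insists on a SASL layer when there is no TLS. The host `dc`, the helper names `classify` and `gssapi_args`, and the embedded transcripts (copied from the thread's own output) are assumptions of the example; `-O`, `-Y`, `-H`, `-Z` and `-ZZ` are standard ldapsearch options.

```python
# Added example: classify what protects an ldapsearch session from the
# SASL/TLS lines it prints, and derive client options that avoid the
# "Sign or Seal are not allowed if TLS is used" refusal seen in the thread.
import re
from dataclasses import dataclass
from typing import List, Optional

MECH_RE = re.compile(r"^SASL/(\S+) authentication started")
SSF_RE = re.compile(r"^SASL SSF:\s*(\d+)")
LAYER_RE = re.compile(r"^SASL data security layer installed")
CONFLICT_RE = re.compile(r"Sign or Seal are not allowed if TLS is used")


@dataclass
class Protection:
    transport_tls: bool        # ldaps:// URI or -Z/-ZZ (StartTLS) requested
    sasl_mech: Optional[str]   # e.g. "GSSAPI"; None for a simple (-D/-w) bind
    sasl_ssf: int              # SASL security strength factor, roughly the
                               # effective key bits of the SASL layer; 0 = none
    layer_installed: bool      # SASL sign/seal layer is wrapping the traffic
    rejected_over_tls: bool    # server refused sign/seal because TLS is on

    def verdict(self) -> str:
        if self.rejected_over_tls:
            return "bind failed: GSSAPI sign/seal layer refused over TLS"
        if self.layer_installed and self.transport_tls:
            return f"TLS plus a GSSAPI layer (SSF {self.sasl_ssf})"
        if self.layer_installed:
            return f"GSSAPI layer only (SSF {self.sasl_ssf}); no TLS"
        if self.transport_tls:
            return "TLS only; no SASL layer"
        return "UNPROTECTED: no TLS and no SASL layer"


def classify(uri: str, args: List[str], output: str) -> Protection:
    """Derive the protection mode from the URI, the ldapsearch arguments
    and the SASL chatter ldapsearch prints before the LDIF."""
    tls = uri.startswith("ldaps://") or "-Z" in args or "-ZZ" in args
    mech, ssf, layer, conflict = None, 0, False, False
    for line in output.splitlines():
        line = line.strip()
        m = MECH_RE.match(line)
        if m:
            mech = m.group(1)
        m = SSF_RE.match(line)
        if m:
            ssf = int(m.group(1))
        if LAYER_RE.match(line):
            layer = True
        if CONFLICT_RE.search(line):
            conflict = True
    if not layer:          # an SSF announced without a layer protects nothing
        ssf = 0
    return Protection(tls, mech, ssf, layer, conflict)


def gssapi_args(uri: str, use_starttls: bool = False) -> List[str]:
    """ldapsearch arguments for Kerberos authentication that will not trip
    the refusal: over TLS cap the SASL SSF at 0 (-O maxssf=0) so GSSAPI only
    authenticates; without TLS require a SASL layer (-O minssf=1)."""
    tls = uri.startswith("ldaps://") or use_starttls
    args = ["-H", uri, "-Y", "GSSAPI"]
    if use_starttls:
        args.append("-ZZ")  # -ZZ fails hard instead of falling back to clear text
    args += ["-O", "maxssf=0" if tls else "minssf=1"]
    return args


# Transcripts constructed from the thread's own ldapsearch output.
PLAIN_GSSAPI = """SASL/GSSAPI authentication started
SASL username: administrator@XXX
SASL SSF: 56
SASL data security layer installed.
"""
LDAPS_GSSAPI = """SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used
"""
LDAPS_SIMPLE = "# extended LDIF\n# LDAPv3\n"   # simple bind prints no SASL lines

if __name__ == "__main__":
    for uri, args, out in [
        ("ldap://dc", [], PLAIN_GSSAPI),
        ("ldaps://dc", ["-Y", "GSSAPI"], LDAPS_GSSAPI),
        ("ldaps://dc", ["-D", "CN=Administrator,CN=Users,DC=example,DC=local", "-w", "***"], LDAPS_SIMPLE),
    ]:
        print(f"{uri:12} -> {classify(uri, args, out).verdict()}")
    print("ldapsearch", " ".join(gssapi_args("ldaps://dc")), "'(sAMAccountName=dumaresq)'")
```

The SSF of 56 in the first transcript is the strength the SASL library attributes to the GSSAPI wrap layer, so that session was integrity- and confidentiality-protected, but only at DES-era strength; the ldaps session with a simple bind is protected by TLS but puts the password in the process arguments. With `-O maxssf=0` the Kerberos credential still authenticates over ldaps, and the TLS certificate check in ldap.conf (TLS_REQCERT) remains the only thing standing between the client and a spoofed directory.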


[Samba] ldapsearch with samba4

2011-04-23 Thread Andrew Dumaresq

Hi,

I've got ldapsearch mostly working:

root@morannon:/usr/local/samba/private/tls# ldapsearch '(sAMAccountName=dumaresq)'

SASL/GSSAPI authentication started
SASL username: administrator@XXX
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base  (default) with scope subtree
# filter: (sAMAccountName=dumaresq)
# requesting: ALL
#

results in here...


# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1


I cannot get ldapsearch -Z  or ldaps working:

ldapsearch '(sAMAccountName=dumaresq)' -Z
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used



Here is what I get in samba.log when I did that command:

[2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2011/04/23 14:29:56,  3] ../source4/smbd/service_stream.c:62(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2011/04/23 14:29:56,  3] ../source4/smbd/process_single.c:104(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]



I'm not sure where to go from here.  I've tried several different 
options in /etc/ldap/ldap.conf and I always get that error, unless I 
comment out #TLS_REQCERT allow

then I get:

ldapsearch '(sAMAccountName=dumaresq)' -Z
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)

with:
[2011/04/23 14:31:29,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2011/04/23 14:31:29,  3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2011/04/23 14:31:29,  1] ../source4/lib/tls/tls_tstream.c:542(tstream_tls_retry_read)
  TLS ../source4/lib/tls/tls_tstream.c:542 - A record packet with illegal version was received.
[2011/04/23 14:31:29,  3] ../source4/smbd/service_stream.c:62(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR'
[2011/04/23 14:31:29,  3] ../source4/smbd/process_single.c:104(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR]


in samba.log

Neither of those is helpful. I've tried stracing, but I don't see any 
errors.  I believe this is a cert issue, but I'm not sure exactly what 
the cert issue is.


Thanks
