Discussion:
[Samba] Owncloud authentication error after upgrade
(too old to reply)
mj
2016-04-13 20:20:02 UTC
Permalink
client ldap sasl wrapping = plain
because we saw this thought this will help, but didn't. Has anyone a
solution?
Try:
ldap server require strong auth = no
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Ralph Boehme
2016-04-13 20:40:02 UTC
Permalink
Hello,
after we upgrade our DC today to Samba-Version
4.2.11-SerNet-Ubuntu-9.trusty. We get an authentication-error wenn
user_ldap Bind failed: 8: Strong(er) authentication required
-----------------------------
[global]
workgroup = XXXXXXX
realm = XXXXXXX.INTERN
netbios name = XXX-AD01
server role = active directory domain controller
dns forwarder = XXX.XXX.XXX.XXX
wins support = yes
printing = bsd
printcap name = /etc/printcap
client ldap sasl wrapping = plain
[netlogon]
path = /var/lib/samba/sysvol/XXXXXXX.intern/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------------------------
client ldap sasl wrapping = plain
because we saw this thought this will help, but didn't. Has anyone a
solution?
a simple bind over TLS would work. If your server doesn't have a
trusted cert, you may have to disable cert checking on the client.

Cheerio!
-slow
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Stefan Kania
2016-04-14 07:00:01 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by Ralph Boehme
Hello,
after we upgrade our DC today to Samba-Version
4.2.11-SerNet-Ubuntu-9.trusty. We get an authentication-error
wenn Owncloud is trying to authenticat a user. The only
user_ldap Bind failed: 8: Strong(er) authentication required
This is the smb.conf: ----------------------------- [global]
workgroup = XXXXXXX realm = XXXXXXX.INTERN netbios name =
XXX-AD01 server role = active directory domain controller dns
forwarder = XXX.XXX.XXX.XXX wins support = yes printing = bsd
printcap name = /etc/printcap client ldap sasl wrapping = plain
[netlogon] path = /var/lib/samba/sysvol/XXXXXXX.intern/scripts
read only = No
[sysvol] path = /var/lib/samba/sysvol read only = No
-----------------------------
We added this line: client ldap sasl wrapping = plain because we
saw this thought this will help, but didn't. Has anyone a
solution?
a simple bind over TLS would work. If your server doesn't have a
trusted cert, you may have to disable cert checking on the client.
Cheerio! -slow
Hi Ralph,

we will try this.

Stefan


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlcPPtgACgkQ2JOGcNAHDTblZwCgsNv4nk4P3RcDSMV50/MMEr8K
M9AAn2st93J2SHUGl7EyRBYDpH07fW3m
=5Ae4
-----END PGP SIGNATURE-----
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2016-04-13 20:40:03 UTC
Permalink
Post by mj
client ldap sasl wrapping = plain
because we saw this thought this will help, but didn't. Has anyone a
solution?
ldap server require strong auth = no
Can I suggest you do this only in the short term, I would also suggest
you read the latest release notes:

https://www.samba.org/samba/history/samba-4.4.2.html

Paying special attention to this part:

CVE-2016-2112:
...........
.........
The LDAP server doesn't have an option to enforce strong authentication
yet. The security patches will introduce a new option called
"ldap server require strong auth", possible values are "no",
"allow_sasl_over_tls" and "yes".

As the default behavior was as "no" before, you may
have to explicitly change this option until all clients have
been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
Windows clients and Samba member servers already use
integrity protection.

Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Stefan Kania
2016-04-14 07:00:02 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
client ldap sasl wrapping = plain because we saw this thought
this will help, but didn't. Has anyone a solution?
Try: ldap server require strong auth = no
Thank's that works for us.

Stefan



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlcPPqAACgkQ2JOGcNAHDTbweQCggxphK7CKsoT5d/xzzxvXzXEP
Mw0AnjMGEKF+RT++zPKHn+6Uq+QplCOP
=6J+G
-----END PGP SIGNATURE-----
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Loading...