Discussion:
[Samba] NT_STATUS_LOGON_FAILURE when trying to bind LDAP
contact--- via samba
2017-03-09 11:20:02 UTC
Hello,

I have a Samba 4 Active Directory, and I have some applications that use the
Administrator user to bind to LDAP.

No problems with the Administrator user, but I'd like to create an
application-specific user to bind to LDAP.

Unfortunately, when I try to do a simple ldapsearch with the new user (the user
is in domain admins/administrators & schema admins), it throws an
NT_STATUS_LOGON_FAILURE.

[***@dc tls]# id ssp
uid=3000026(DOMAIN\ssp) gid=513(DOMAIN\domain users) groups=513(DOMAIN\domain users),3000026(DOMAIN\ssp),512(DOMAIN\domain admins),3000003(DOMAIN\schema admins),3000001(DOMAIN\denied rodc password replication group),3000004(BUILTIN\users),544(BUILTIN\administrators)
[***@dc tls]# ldapsearch -xLLL -H ldaps://localhost:636 -D "CN=ssp,CN=Users,DC=domain,DC=be" -W -b "DC=domain,DC=be"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE

But I can connect to the domain:

[***@dc tls]# smbclient //dc/common -U 'DOMAIN\ssp'
Enter DOMAIN\ssp's password:
Domain=[DOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.5-SerNet-RedHat-13.el7]
smb: \>

So my first question: is it possible to create a user that has full rights
in LDAP?

If yes, second question: how do I create it?

Thank you.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny via samba
2017-03-09 12:10:02 UTC
On Thu, 09 Mar 2017 10:51:07 +0000
Post by contact--- via samba
> Hello,
> I have a Samba 4 Active Directory, and I have some applications that use the
> Administrator user to bind to LDAP.
> No problems with the Administrator user, but I'd like to create an
> application-specific user to bind to LDAP.
> So my first question: is it possible to create a user that has
> full rights in LDAP?

No, your first question should be 'Am I doing this correctly ?'

and the answer to that is, No ;-)

See here:

https://lists.samba.org/archive/samba/2017-February/206334.html

Rowland
Rowland Penny via samba
2017-03-09 14:50:02 UTC
On Thu, 09 Mar 2017 14:18:47 +0000
> Hmmm, thanks, I did the modifications, but I have this error:
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> Do I need to restart Samba to apply the "ldap server require strong
> auth"?
> If yes, it's impossible right now, I have +600 users in production;
> I'll restart this night. ^^'

Try 'smbcontrol all reload-config', if this doesn't work, then yes, you
will have to restart Samba.

Rowland