[Samba] How to use --simple-bind-dn in samba-tool
Olivier Nicole
2013-08-07 10:20:02 UTC
Hi,

I understand that using options -H and --simple-bind-dn one could run
samba-tool remotely.

But how should I specify the DN to use for simple bind?

I tried many syntaxes:
cn=Administrator
cn=***@domain
domain
all with the Administrator password, but it always fails with:
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <Simple Bind Failed: NT_STATUS_LOGON_FAILURE> <>
Failed to connect to 'ldap://fbsd35.cs.ait.ac.th/' with backend 'ldap': (null)

Can I use the command ldapsearch (from openLdap distribution) to access
the LDAP directory maintained by Samba?

If yes, what is the syntax in terms of binding?

Thanks in advance,

Olivier
--
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2013-08-07 23:50:02 UTC
Post by Olivier Nicole
Hi,
I understand that using options -H and --simple-bind-dn one could run
samba-tool remotely.
But how should I specify the DN to use for simple bind?
cn=Administrator
domain
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <Simple Bind Failed: NT_STATUS_LOGON_FAILURE> <>
Failed to connect to 'ldap://fbsd35.cs.ait.ac.th/' with backend 'ldap': (null)
Can I use the command ldapsearch (from openLdap distribution) to access
the LDAP directory maintained by Samba?
If yes, what is the syntax in terms of binding?
In general, you shouldn't need --simple-bind-dn, because Samba supports
much more secure ways to authenticate, such as NTLM and Kerberos. Just
specify -U administrator

For the record, for other non-AD servers that don't do SASL and so can't
use -U, --simple-bind-dn takes a DN, so cn=admin,dc=example,dc=com might
be the admin DN on an OpenLDAP server. (this applies more to the ldb*
commands than samba-tool, which probably shouldn't show this option
except it comes from common code).

I hope this helps,

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
Andrew Bartlett
2013-08-09 03:50:01 UTC
Post by Olivier Nicole
Thanks Andrew,
Post by Andrew Bartlett
For the record, for other non-AD servers that don't do SASL and so can't
use -U, --simple-bind-dn takes a DN, so cn=admin,dc=example,dc=com might
be the admin DN on an OpenLDAP server.
samba-tool user setpassword tata --newpassword=Ghij-1919 -d 10 -H
ldap://fbsd35.cs.ait.ac.th/
--simple-bind-dn=cs=administrator,dc=cs,dc=ait,dc=ac,dc=th
But it is still giving me the same error, so I suspect the DN is not correct.
I could not find any documentation saying what the DN should be.
Perhaps I need to be clearer:

DO NOT USE --simple-bind-dn against an AD server.

USE -U administrator

Additionally, your DN above has a typo, cs=administrator rather than
cn=administrator.

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
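The two replies above make one point twice: a simple bind is the weak option, and the DN Olivier used was malformed. The following example, added here and not code from the thread or from the Samba project, encodes the LDAPv3 BindRequest that a client sends for each bind style in pure-Python BER, decodes it again, and adds a small RDN-syntax check of the kind that would have caught the `cs=` typo. The DN, password and SASL token values are constructed for the example, and the list of RDN attribute types is an assumption chosen to keep the check short.

```python
"""Added example (not from the Samba thread or project): LDAPv3 BindRequest
encoding for simple and SASL binds, plus a minimal RDN check.  The simple
bind carries the password as plain bytes, so without TLS it is readable on
the wire; the SASL bind carries only a mechanism name and an opaque blob."""


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v):
    """INTEGER (non-negative); the extra byte keeps the sign bit clear."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def ber_octets(b):
    return tlv(0x04, b)


def simple_bind_request(msg_id, dn, password):
    """LDAPMessage{ id, [APPLICATION 0] BindRequest{ 3, dn, simple [0] pw } }.
    This is the PDU behind --simple-bind-dn and ldapsearch -x -D."""
    bind = tlv(0x60, ber_int(3) + ber_octets(dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + bind)


def sasl_bind_request(msg_id, mechanism, credentials=b""):
    """BindRequest with sasl [3] { mechanism, credentials }; the name field is
    empty because the identity travels inside the mechanism exchange."""
    auth = ber_octets(mechanism.encode())
    if credentials:
        auth += ber_octets(credentials)
    bind = tlv(0x60, ber_int(3) + ber_octets(b"") + tlv(0xA3, auth))
    return tlv(0x30, ber_int(msg_id) + bind)


def ber_read(buf, pos):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(pdu):
    """Decode the PDUs built above (simple and SASL authentication choices)."""
    tag, msg, _ = ber_read(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read(msg, 0)
    op_tag, op, _ = ber_read(msg, pos)
    if op_tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = ber_read(op, 0)
    _, name, pos = ber_read(op, pos)
    auth_tag, auth, _ = ber_read(op, pos)
    out = {"message_id": int.from_bytes(mid, "big"), "version": ver[0], "name": name.decode()}
    if auth_tag == 0x80:                      # simple: password in the clear
        out.update(auth="simple", password=auth.decode())
    elif auth_tag == 0xA3:                    # sasl: mechanism + opaque token
        _, mech, _ = ber_read(auth, 0)
        out.update(auth="sasl", mechanism=mech.decode())
    else:
        raise ValueError("unsupported authentication choice tag 0x%02x" % auth_tag)
    return out


# Assumption: a short list of attribute types commonly seen in RDNs.
DN_ATTRIBUTE_TYPES = {"cn", "ou", "dc", "o", "c", "uid", "l", "st"}


def check_dn(dn):
    """Flag RDNs lacking '=' or using an unknown attribute type.
    Splits on ',' only; escaped commas ('\\,') are not handled here."""
    problems = []
    for rdn in dn.split(","):
        attr, sep, _ = rdn.partition("=")
        if not sep:
            problems.append("RDN without '=': %r" % rdn)
        elif attr.strip().lower() not in DN_ATTRIBUTE_TYPES:
            problems.append("unknown attribute type %r in %r" % (attr.strip(), rdn))
    return problems


if __name__ == "__main__":
    simple = simple_bind_request(1, "cn=admin,dc=example,dc=com", "s3cret")  # constructed
    print("simple bind leaks password bytes:", b"s3cret" in simple, decode_bind_request(simple))
    sasl = sasl_bind_request(2, "GSSAPI", b"\x60\x01\x00")  # constructed token
    print("sasl bind leaks password bytes:", b"s3cret" in sasl, decode_bind_request(sasl))
    print(check_dn("cs=administrator,dc=cs,dc=ait,dc=ac,dc=th"))  # the typo from the thread
```

Running the script shows the simple-bind PDU containing the password verbatim while the SASL PDU contains only the mechanism name and token. That is the concrete reason behind "use -U administrator": samba-tool's -U path negotiates NTLM or Kerberos through SASL instead of shipping a password in a simple bind. For the ldapsearch question in the first post, the openldap client sends the same simple-bind PDU with `-x -D <dn> -W`, and takes the SASL path with `-Y GSSAPI` after a `kinit`.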
Olivier Nicole
2013-08-12 04:10:02 UTC
Thanks Andrew,
Post by Andrew Bartlett
For the record, for other non-AD servers that don't do SASL and so can't
use -U, --simple-bind-dn takes a DN, so cn=admin,dc=example,dc=com might
be the admin DN on an OpenLDAP server.
I tried:

samba-tool user setpassword tata --newpassword=Ghij-1919 -d 10 -H
ldap://fbsd35.cs.ait.ac.th/
--simple-bind-dn=cs=administrator,dc=cs,dc=ait,dc=ac,dc=th

But it is still giving me the same error, so I suspect the DN is not correct.

I could not find any documentation saying what the DN should be.

Best regards,

Olivier
Olivier Nicole
2013-08-09 03:50:01 UTC
Thanks Andrew,
Post by Andrew Bartlett
For the record, for other non-AD servers that don't do SASL and so can't
use -U, --simple-bind-dn takes a DN, so cn=admin,dc=example,dc=com might
be the admin DN on an OpenLDAP server.
I tried:

samba-tool user setpassword tata --newpassword=Ghij-1919 -d 10 -H
ldap://fbsd35.cs.ait.ac.th/
--simple-bind-dn=cs=administrator,dc=cs,dc=ait,dc=ac,dc=th

But it is still giving me the same error, so I suspect the DN is not correct.

I could not find any documentation saying what the DN should be.

Best regards,

Olivier