主題: 如何設定 Samba 使用 LDAP 連線 WIndows ad 驗證

[sclin2k]

先貼上 smb.conf 設定檔內容:
[global]
        passdb backend = ldapsam:ldap://192.168.60.253:389
        encrypt passwords = yes
        ldap admin dn = cn=vmail,dc=tw,dc=example
        ldap ssl = no
        ldap suffix = dc=tw,dc=example

        log level = 3
        log file = /var/log/samba/smb.log
        max log size = 50
        template shell = /bin/bash

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

依上面的設定連線 Windows AD 驗證時,samba.log 訊息出現:
[2017/05/03 17:29:45.129863,  2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2017/05/03 17:29:45.133564,  2] ../source3/lib/smbldap.c:998(smbldap_connect_system)
  failed to bind to server ldap://192.168.60.253:389 with dn="cn=vmail,dc=tw,dc=example" Error: Invalid credentials
     80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
以及:
[2017/05/03 17:49:10.309081,  2] ../source3/passdb/pdb_ldap_util.c:287(smbldap_search_domain_info)
  smbldap_search_domain_info: Problem during LDAPsearch: Timed out
[2017/05/03 17:49:10.309132,  2] ../source3/passdb/pdb_ldap_util.c:288(smbldap_search_domain_info)
  smbldap_search_domain_info: Query was: dc=tw,dc=example, (&(objectClass=sambaDomain)(sambaDomainName=CENTOS7))
[2017/05/03 17:49:10.309147,  0] ../source3/passdb/pdb_ldap.c:6540(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2017/05/03 17:49:10.309182,  0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
  pdb backend ldapsam:ldap://192.168.60.253:389 did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

Samba 版本是 4.6.3(samba-4.6.3.tar.gz)

這台 CentOS 7 沒有 join domain,純粹想直接連到 AD 做帳號驗證。
一直無法成功,也不知問題出在哪???
請版上各位協助!!!
感謝。

[netman]

  failed to bind to server ldap://192.168.60.253:389 with dn="cn=vmail,dc=tw,dc=example" Error: Invalid credentials

先確定能夠通過驗證再往後面走...

[sclin2k]

  failed to bind to server ldap://192.168.60.253:389 with dn="cn=vmail,dc=tw,dc=example" Error: Invalid credentials

先確定能夠通過驗證再往後面走...

在主機上,直接使用下列方式是可以讀取名單:
ldapsearch -x -H ldap://192.168.60.253 -D 'tw\vmail' -W -b 'dc=tw,dc=example'

也有將 smb.conf 設定檔裡的 vmail 密碼,利用 smbpasswd -W 設定密碼。(vmail 是 AD 網域裡的帳號)
但 samba 啟動出現<無效的認證>,難道是不能用 smbpasswd 來設定 domain 帳號的密碼??


額外補充:
mail server roundcube 裡的通訊錄也是從 AD 裡取得人員名單,
但搞不定 samba smb.conf 設定檔要怎麼設定,才能從 AD 驗證帳號密碼???

[sclin2k]

自己回一下;
在 Samba 官網有一篇 2003 年的一篇文件: https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html

ldapsam
There are a few points to stress that the ldapsam does not provide. The LDAP support referred to in this documentation does not include:
A means of retrieving user account information from a Windows 200x Active Directory server.
A means of replacing /etc/passwd.

所以是沒辦法利用 ldapsam 從 Windows 200x Active Directory 讀取名單的意思吧?
但現在是 2017 年了,不知是不是己經可以讀取了???

[netman]

那看起來要 join domain 才行。