Failed to retrieve password from secrets.tdb with anonymous bind


Failed to retrieve password from secrets.tdb with anonymous bind

Dr. Alberto Benati
Samba 3.2.1 on linux OpenFiler 2.3

I have an external LDAP server with anonymous bind and PAM.
ProFtpd linked to the LDAP server works well without errors.


But Samba does not work; in smbd.log I have:
[2008/09/09 22:01:54,  0] passdb/secrets.c:fetch_ldap_pw(888)
 fetch_ldap_pw: neither ldap secret retrieved!
[2008/09/09 22:01:54,  0] lib/smbldap.c:smbldap_connect_system(952)
 ldap_connect_system: Failed to retrieve password from secrets.tdb
[2008/09/09 22:01:54,  1] lib/smbldap.c:another_ldap_try(1178)
 Connection to LDAP server failed for the 1 try!
.........................


Part of smb.conf:
ldap ssl = no
ldap suffix = ou=People,dc=unizz,dc=it
encrypt passwords = yes
security = user
passdb backend = ldapsam:ldap://ldap.unizz.it
ldap user suffix = ou=People
pam password change = no


I tried to add the password to secrets.tdb, but:
[root@backup2 samba]# smbpasswd -w ""
ERROR: 'ldap admin dn' not defined! Please check your smb.conf

I then added a fake one in smb.conf:
ldap admin dn = ou=People,dc=unizz,dc=it

[root@backup2 samba]# tdbdump /etc/samba/secrets.tdb
{
key(19) = "SECRETS/SID/BACKUP2"
data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00A,\EB\C1\E5\5C/(\E7\DDl
\A7\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key(45) = "SECRETS/LDAP_BIND_PW/ou=People,dc=unizz,dc=it"
data(1) = "\00"


Now, without that line I always get the same error as before,
and with the line ldap admin dn = ou=People,dc=unizz,dc=it I now get:
[2008/09/09 22:15:13,  0] lib/smbldap.c:smbldap_connect_system(992)
 failed to bind to server ldap://ldap.unizz.it with
dn="ou=People,dc=unizz,dc=it" Error: Server is unwilling to perform
       unwilling to allow anonymous bind with non-empty DN
[2008/09/09 22:15:13,  1] lib/smbldap.c:another_ldap_try(1178)
 Connection to LDAP server failed for the 1 try!
..................

Rightly so, but I cannot get out of this situation.
Any suggestion?

Thank you
Alby
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: Failed to retrieve password from secrets.tdb with anonymous bind

Iarly Selbir
Try run:

root# smbpasswd -w ldap_password

and restart the samba

Regards,

Iarly Selbir


2008/9/9 Dr. Alberto Benati <[hidden email]>


Re: Failed to retrieve password from secrets.tdb with anonymous bind

Dr. Alberto Benati
Unfortunately I don't have a password to administer this external LDAP, but
only anonymous query / bind.

If I enable a local (127.0.0.1) OpenLDAP with administration (rootdn and
rootpw), everything works well.
Samba seems to require administering LDAP, unlike ProFtpd, which retrieves
data and stops.

Alberto





Re: Failed to retrieve password from secrets.tdb with anonymous bind

Richard Foltyn
In reply to this post by Dr. Alberto Benati
Why don't you just *create* a dedicated samba DN in LDAP which Samba
can use? This is a much more secure setup than granting read or even
write access to passwords to unauthenticated external connections.

The official smbldap-tools HOWTO even suggests how to do this:

1) Create an LDAP entry which might look like this:

dn : cn=samba , ou=DSA, dc=IDEALX, dc=ORG
objectclass : organizationalRole
objectClass : top
objectClass : simpleSecurityObject
userPassword : sambasecretpwd
cn : samba

2) Set the password:
ldappasswd -x -h localhost -D "cn=Manager,dc=IDEALX,dc=ORG" -s sambasecretpwd \
-W cn=samba,ou=DSA,dc=IDEALX,dc=ORG

3) Set your ldap admin dn in smb.conf

4) Set the samba password with smbpasswd

Done.

(See the HOWTO for details:
http://www.iallanis.info/smbldap-tools/docs/samba-ldap-howto/ )
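A small Python check, added here as an example and not code from the thread or from Samba itself: it reads tdbdump output together with an smb.conf fragment and reports whether a bind secret exists, and is non-empty, for the configured ldap admin dn. That is what the data(1) = "\00" record in the first post reveals (an empty password stored under the placeholder dn), and it is the state step 4 above is meant to fix. The sample inputs are constructed from values in the thread, and the code assumes Samba stores the secret as a NUL-terminated string.

```python
import re
# Constructed samples: the bind-password record from the post above in tdbdump
# format (a single NUL byte = empty password) and an smb.conf with its admin dn.
SAMPLE_TDBDUMP = r'''{
key(45) = "SECRETS/LDAP_BIND_PW/ou=People,dc=unizz,dc=it"
data(1) = "\00"
}'''
SAMPLE_SMB_CONF = "[global]\npassdb backend = ldapsam:ldap://ldap.unizz.it\nldap admin dn = ou=People,dc=unizz,dc=it\n"
_FIELD = re.compile(r'^(key|data)\((\d+)\) = "(.*)"$')


def decode_tdbdump(s):
    # Undo tdbdump escaping: \XX is one hex byte, every other character is literal
    return re.sub(rb"\\([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), s.encode("latin-1"))


def parse_tdbdump(text):
    """Map each record key to its raw data bytes."""
    records, key = {}, None
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if m is None:              # '{', '}' and blank lines carry no field
            continue
        raw = decode_tdbdump(m.group(3))
        if len(raw) != int(m.group(2)):   # a wrapped or hand-edited dump
            raise ValueError("declared %s bytes, decoded %d: %s" % (m.group(2), len(raw), line))
        if m.group(1) == "key":
            key = raw.decode("utf-8", "replace")
        else:
            records[key] = raw
    return records


def smb_conf_value(conf, name):
    # Return one smb.conf parameter (case-insensitive name) or None if unset
    for line in conf.splitlines():
        k, _, v = line.partition("=")
        if k.strip().lower() == name:
            return v.strip()
    return None


def check_ldap_bind_secret(conf, dump):
    """Classify the secret stored under SECRETS/LDAP_BIND_PW/<ldap admin dn>."""
    admin_dn = smb_conf_value(conf, "ldap admin dn")
    if admin_dn is None:
        return ("no-admin-dn", None)   # smbpasswd -w refuses to store anything
    data = parse_tdbdump(dump).get("SECRETS/LDAP_BIND_PW/" + admin_dn)
    if data is None:
        return ("missing", admin_dn)   # nothing stored yet: run smbpasswd -w
    # Assumption: Samba stores the secret as a NUL-terminated C string.
    password = data.split(b"\x00", 1)[0]
    return ("empty" if not password else "present", admin_dn)
```

Run it against `tdbdump /etc/samba/secrets.tdb` output and your real smb.conf; an "empty" or "missing" result means the bind will fail exactly as in the logs above.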

Re: Failed to retrieve password from secrets.tdb with anonymous bind

Volker Lendecke
In reply to this post by Dr. Alberto Benati
On Wed, Sep 10, 2008 at 08:41:03AM +0200, Dr. Alberto Benati wrote:
> Unfortunately I don't have a password to administer this external ldap but
> only query / bind anonymously
>
> if I enable a local (127.0.0.1) openldap with administration (rootdn and
> rootpw) everything works well.
> Samba seems to work that must administer LDAP unlike ProFtpd that retrieve
> data and stop

You are aware that due to the NTLM challenge-response system
Samba must store plaintext equivalents of the passwords in
LDAP? You definitely can't give them out anonymously. If you
do that, you could as well just use no user database at all,
everyone is allowed everything.

Volker


Re: Failed to retrieve password from secrets.tdb with anonymous bind

Dr. Alberto Benati
In reply to this post by Richard Foltyn
Let me clarify the context.

Everything is inside a 10.X.X.X intranet of my University, and the
OpenFiler (Samba / ProFtpd) server must act as file server for many users
(about 100) out of about 1000 in total.

Authentication (with user password) is on the University LDAP server.

If I create a local LDAP I must then provide synchronization (account /
password) with the University LDAP server, which I cannot manage/access/retrieve (I
have an anonymous bind only).

Subsequently (testing, for security) I use TLS for the dialogue with the University LDAP.

My problem is that I cannot make Samba work with LDAP authentication without
administrative access.

Alberto


---------- Original Message -----------
From: "Richard Foltyn" <[hidden email]>
To: [hidden email]
Sent: Wed, 10 Sep 2008 08:41:19 +0200
Subject: Re: [Samba] Failed to retrieve password from secrets.tdb with
anonymous bind



Re: Failed to retrieve password from secrets.tdb with anonymous bind

Volker Lendecke
On Wed, Sep 10, 2008 at 09:34:37AM +0200, Dr. Alberto Benati wrote:

> I see to clarify the context.
>
> Everything is inside an intranet 10.X.X.X of my University and
> OpenFiler (Samba / Proftpd) server must act as file server for many users
> (about 100) against about 1000 total.
>
> Authentication (with user password) is on University LDAP server.
>
> If I create a local LDAP I must then provide a synchronization (account /
> password) with University LDAP server that I can not manage/access/retrieve (I
> have an anonymous bind only).
If you can't really mess with your part of the LDAP tree,
putting sambaSamAccount objects there is probably not the
thing that you want to do.

Volker
