Connect external Systems to UCS LDAP

Hi,

I am a little stuck right now. We have a bunch of legacy systems that we will need to use for a transitional period. We have an aging LDAP server, which I want to retire. As a result, I need to use the Univention (Open)LDAP for authentication going forward.
Some systems are working swimmingly - Nextcloud, Webuntis and a few others. I am connecting to port 7636 for external systems and 7389 for internal systems.
I set up a simple authentication account and that does what it says on the box as well.

A couple of my legacy systems (CentOS) run a Samba installation for network shares. Here I fail to switch over to the Univention LDAP.
Strangely enough, I can connect using ldapsearch from those machines just fine, but if I edit the smb.conf file on the external Samba systems, the connection fails. I get the error message "Invalid credentials", but it makes no difference whether I copy-paste them or type them for either connection. Could it be a problem with the character set used for the password in the case of the smb.conf?
I have tinkered with a few of the entries in the smb.conf file but no success.

Does anyone spot anything that could explain why the connection works using ldapsearch but fails from Samba? I am aware that I can move the file shares to the UCS system, but the transition will take time and careful planning. In the meantime, I need to figure out a way to get this to work.
Part of the smb.conf and the error log is shown below.

Any help or pointers will be greatly appreciated.

Here is the section in question of the smb.conf:

----------------------- Standalone Server Options ------------------------

    security = user
    passdb backend = tdbsam
    passdb backend = ldapsam:ldap://10.1.1.11:7389
    ldap admin dn = "uid=searchuser,cn=users,ou=TS,dc=unterricht,dc=tsaalen,dc=de"
    ldap ssl = no
    ldap suffix = dc=unterricht,dc=tsaalen,dc=de
    max protocol = SMB2

###########

Here is some sample log output:
#############
Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mi 2021-03-03 11:11:14 CET; 3s ago
Process: 12553 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
Main PID: 12553 (code=exited, status=1/FAILURE)
Status: "Starting process…"

Mär 03 11:10:58 delta smbd[12553]: failed to bind to server ldap://10.1.1.11:7389 with dn="uid=searchuser,cn=users,ou=TS,dc=unterricht,dc=tsaalen,dc=de" Error: Invalid credentials
Mär 03 11:10:58 delta smbd[12553]: (unknown)
Mär 03 11:11:14 delta smbd[12553]: [2021/03/03 11:11:14.858440, 0] …/source3/passdb/pdb_ldap.c:6534(pdb_ldapsam_init_common)
Mär 03 11:11:14 delta smbd[12553]: pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
Mär 03 11:11:14 delta smbd[12553]: [2021/03/03 11:11:14.858614, 0] …/source3/passdb/pdb_interface.c:179(make_pdb_method_name)
Mär 03 11:11:14 delta smbd[12553]: pdb backend ldapsam:ldap://10.1.1.11:7389 did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
Mär 03 11:11:14 delta systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
Mär 03 11:11:14 delta systemd[1]: Failed to start Samba SMB Daemon.
Mär 03 11:11:14 delta systemd[1]: Unit smb.service entered failed state.
Mär 03 11:11:14 delta systemd[1]: smb.service failed.
###############
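A configuration check for the smb.conf section quoted above, added here as an example; it is not code from the forum post or from the Samba project. It parses a constructed copy of the poster's [global] settings (IP, ports and DNs taken from the question) and a second, constructed variant that reaches UCS over LDAPS on 7636, the port the poster already uses for external systems, and reports what a reviewer would flag: the duplicated passdb backend key (Samba keeps only the last assignment, so the tdbsam line is silently discarded) and a plain ldap:// bind with ldap ssl = no, which sends the ldap admin dn password across the network in cleartext. One thing no config parser can see: Samba does not read the ldap admin dn password from smb.conf at all; it is stored in secrets.tdb with smbpasswd -w, and a missing or stale entry there yields exactly the "Invalid credentials" bind failure in the log while ldapsearch with a typed password still succeeds.

```python
"""Lint the ldapsam settings of an smb.conf [global] section.

Added example, not from the forum post or from Samba. Note that the
bind password for 'ldap admin dn' never appears in smb.conf: Samba reads
it from secrets.tdb, where 'smbpasswd -w <password>' stores it.
"""
import re
from urllib.parse import urlsplit

# Constructed smb.conf fragments. The first mirrors the [global] settings
# quoted in the question; the second is the same setup over LDAPS on 7636
# with the superseded tdbsam line removed.
QUESTION_SMB_CONF = """\
[global]
    security = user
    passdb backend = tdbsam
    passdb backend = ldapsam:ldap://10.1.1.11:7389
    ldap admin dn = "uid=searchuser,cn=users,ou=TS,dc=unterricht,dc=tsaalen,dc=de"
    ldap ssl = no
    ldap suffix = dc=unterricht,dc=tsaalen,dc=de
    max protocol = SMB2
"""

HARDENED_SMB_CONF = """\
[global]
    security = user
    passdb backend = ldapsam:ldaps://10.1.1.11:7636
    ldap admin dn = "uid=searchuser,cn=users,ou=TS,dc=unterricht,dc=tsaalen,dc=de"
    ldap ssl = no
    ldap suffix = dc=unterricht,dc=tsaalen,dc=de
    max protocol = SMB2
"""

_SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
# 'ldap ssl' values under which a plain ldap:// URL is still encrypted.
ENCRYPTED_LDAP_SSL = {"start tls", "start_tls"}


def _norm_key(key):
    # Samba parameter names ignore case and whitespace; normalise so that
    # 'passdb backend' and 'PassDB  Backend' are recognised as the same key.
    return re.sub(r"\s+", " ", key.strip()).lower()


def parse_smb_conf(text):
    """Return ({section: {key: value}}, [(section, key) set more than once]).

    Like Samba, the last assignment of a key wins. Surrounding double quotes
    are stripped from values so DNs compare cleanly.
    """
    settings, duplicates = {}, []
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = _norm_key(m.group("name"))
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = _norm_key(key)
        sect = settings.setdefault(section, {})
        if key in sect and (section, key) not in duplicates:
            duplicates.append((section, key))
        sect[key] = value.strip().strip('"')
    return settings, duplicates


def lint_ldapsam(settings, duplicates):
    """Return human-readable findings about the ldapsam configuration."""
    findings = []
    g = settings.get("global", {})
    for section, key in duplicates:
        findings.append(
            f"duplicate '{key}' in [{section}]: Samba keeps only the last "
            f"value ({settings[section][key]!r}); remove the earlier line"
        )
    backend = g.get("passdb backend", "tdbsam")
    if not backend.startswith("ldapsam"):
        return findings
    # 'ldapsam' without a URL means ldap://localhost in Samba.
    url = backend.partition(":")[2] or "ldap://localhost"
    ldap_ssl = g.get("ldap ssl", "no").lower()
    if urlsplit(url).scheme.lower() == "ldap" and ldap_ssl not in ENCRYPTED_LDAP_SSL:
        findings.append(
            f"unencrypted bind: {url} with ldap ssl = {ldap_ssl!r} sends the "
            "'ldap admin dn' password in cleartext; use ldaps:// or ldap ssl = start tls"
        )
    admin_dn, suffix = g.get("ldap admin dn", ""), g.get("ldap suffix", "")
    if suffix and not admin_dn.lower().endswith(suffix.lower()):
        findings.append(f"ldap admin dn {admin_dn!r} is not under ldap suffix {suffix!r}")
    return findings


def lint_text(text):
    """Convenience wrapper: parse and lint one smb.conf text."""
    return lint_ldapsam(*parse_smb_conf(text))


if __name__ == "__main__":
    for name, conf in (("question", QUESTION_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"[{name}]")
        for f in lint_text(conf) or ["no findings"]:
            print("  -", f)
```

Run against the question's settings it reports the duplicate key and the cleartext bind; against the LDAPS variant it reports nothing. Either way, the bind will still fail with "Invalid credentials" until secrets.tdb holds the current password for the searchuser DN, so re-running smbpasswd -w after a configuration change belongs on the same checklist.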
