ldapsearch sur RODC

Venez ici partager vos astuces et aides autour de Samba4
matth_94
Messages : 2
Inscription : 09 juin 2020 - 13:53

09 juin 2020 - 14:24

Bonjour,

Je viens de créer un rodc connecter sur un ad1 tout les deux en version 4.11.6 et je souhaiterai pouvoir connecter mes appli en ldap sur le rodc.
Est-ce que cela est envisageable?

Merci d'avance pour vos retours d'experience car pour le moment cela ne fonctionne pas dans mes tests, j'ai ce genre de retour sur ma commande ldapsearch :

ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 40, v1db1

et ce genre de log :

[2020/06/09 12:18:46.845786, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2020/06/09 12:18:46.850433, 3] ../../source4/auth/ntlm/auth.c:240(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user [(null)]\[adm-test@domain.local]@[(null)]
auth_check_password_send: user is: [DOMAIN]\[adm-test]@[(null)]
[2020/06/09 12:18:46.852915, 1] ../../source4/dsdb/samdb/ldb_modules/rootdse.c:518(rootdse_add_dynamic)
rootdse_add_dynamic: Failed to convert GUID into full DN in rootDSE for dsServiceName: <GUID=748b1765-24c5-44f0-b509-da38bf3e77e9>: Base-DN '<GUID=748b1765-24c5-44f0-b509-da38bf3e77e9>' not found
[2020/06/09 12:18:46.853228, 1] ../../source4/dsdb/common/util.c:1397(samdb_ntds_settings_dn)
Searching for dsServiceName in rootDSE failed: Failed to find full DN for dsServiceName: <GUID=748b1765-24c5-44f0-b509-da38bf3e77e9>
[2020/06/09 12:18:46.853401, 1] ../../source4/dsdb/common/util.c:1418(samdb_ntds_settings_dn)
Failed to find our own NTDS Settings DN in the ldb!
[2020/06/09 12:18:46.853660, 3] ../../source4/dsdb/repl/drepl_secret.c:145(drepl_repl_secret)
../../source4/dsdb/repl/drepl_secret.c:145: started secret replication for CN=adm-test,OU=SYSTEME,OU=USERS,OU=YS,DC=domain,DC=local
[2020/06/09 12:18:46.854850, 5] ../../source4/auth/ntlm/auth.c:69(auth_get_challenge)
auth_get_challenge: returning previous challenge by module random (normal)
[2020/06/09 12:18:46.855007, 5] ../../source4/auth/ntlm/auth.c:69(auth_get_challenge)
auth_get_challenge: returning previous challenge by module random (normal)
[2020/06/09 12:18:46.855255, 5] ../../source3/winbindd/winbindd_irpc.c:210(wb_irpc_SamLogon)
wb_irpc_SamLogon called
[2020/06/09 12:18:46.866485, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
ldb_wrap open of idmap.ldb
[2020/06/09 12:18:46.949594, 3] ../../source4/dsdb/repl/drepl_secret.c:53(drepl_repl_secret_callback)
../../source4/dsdb/repl/drepl_secret.c:53: repl secret failed for user CN=adm-test,OU=SYSTEME,OU=USERS,OU=YS,DC=domain,DC=local - WERR_DS_DRA_BAD_DN: extended_ret[0x0





[2020/06/09 12:18:50.424578, 0] ../../source3/winbindd/winbindd_irpc.c:55(wb_irpc_forward_callback)
RPC callback failed for winbind_SamLogon - NT_STATUS_CONNECTION_DISCONNECTED
[2020/06/09 12:18:50.426286, 2] ../../source4/auth/ntlm/auth.c:472(auth_check_password_recv)
auth_check_password_recv: winbind authentication for user [DOMAIN\adm-test] FAILED with error NT_STATUS_CONNECTION_DISCONNECTED, authoritative=1
[2020/06/09 12:18:50.426364, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [LDAP,simple bind/TLS] user [(null)]\[adm-test@domain.local] at [Tue, 09 Jun 2020 12:18:50.426344 UTC] with [Plaintext] status [NT_STATUS_CONNECTION_DISCONNECTED] workstation [(null)] remote host [ipv4:127.0.0.1:57600] mapped to [DOMAIN]\[adm-test]. local host [ipv4:127.0.1.1:389]
{"timestamp": "2020-06-09T12:18:50.426440+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 8, "status": "NT_STATUS_CONNECTION_DISCONNECTED", "localAddress": "ipv4:127.0.1.1:389", "remoteAddress": "ipv4:127.0.0.1:57600", "serviceDescription": "LDAP", "authDescription": "simple bind/TLS", "clientDomain": null, "clientAccount": "adm-test@domain.local", "workstation": null, "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "adm-test", "mappedDomain": "DOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "Plaintext", "duration": 3576941}}
[2020/06/09 12:18:50.428280, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT'



J'ai testé différent paramétrage mais je n'arrive pas a faire fonctionner le ldap.


Toute aide sera apprécié.
matth_94
Messages : 2
Inscription : 09 juin 2020 - 13:53

09 juin 2020 - 17:33

Finalement j'ai pu réussir en sortant le compte test des groupes admins qui ne peuvent pas dans ce cas être "Allowed RODC Password Replication Group".
Avatar de l’utilisateur
vcardon
Expert WAPT
Messages : 248
Inscription : 06 oct. 2017 - 22:55
Localisation : Nantes, FR

09 juin 2020 - 21:12

matth_94 a écrit : 09 juin 2020 - 17:33 Finalement j'ai pu réussir en sortant le compte test des groupes admins qui ne peuvent pas dans ce cas être "Allowed RODC Password Replication Group".
VICTORY
Vincent CARDON
Tranquil IT
Verrouillé