LDAP/AD from Samba4 no longer working

I recently migrated / upgraded from ownCloud 9.0.2 to nextCloud 9.0.53. It looked like everything worked ok but now I’m noticing that my LDAP/AD users cannot login. The error in the log:

{"reqId":"sJtKDfxlAlDzxlieC0Vb","remoteAddr":"192.168.1.63","app":"user_ldap","message":"Bind failed: 8: Strong(er) authentication required","level":2,"time":"2016-08-12T04:57:27+00:00","method":"PROPFIND","url":"\/remote.php\/webdav\/","user":"975F6760-0B78-4F08-84E1-5209C49B38FE"}

I have always been talking to my Samba4 Domain Controller on port 389 with ldap:// scheme.

I tried changing over to ldaps:// on port 636 but that also fails with this error:

{"reqId":"KBEDs+RIkWLV5H3XRMpH","remoteAddr":"192.168.1.63","app":"webdav","message":"Exception: {\"Message\":\"HTTP\\\/1.1 503 OC\\\\ServerNotAvailableException: Connection to LDAP server could not be established\",\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\ServiceUnavailable\",\"Code\":0,\"Trace\":\"#0 [internal function]: {closure}(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#1 \\\/opt\\\/nextcloud\\\/3rdparty\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Object(Closure), Array)\\n#2 \\\/opt\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(446): Sabre\\\\Event\\\\EventEmitter->emit('beforeMethod', Array)\\n#3 \\\/opt\\\/nextcloud\\\/3rdparty\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(248): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#4 \\\/opt\\\/nextcloud\\\/remote.php(69): Sabre\\\\DAV\\\\Server->exec()\\n#5 \\\/opt\\\/nextcloud\\\/remote.php(141): handleException(Object(OC\\\\ServerNotAvailableException))\\n#6 {main}\",\"File\":\"\\\/opt\\\/nextcloud\\\/remote.php\",\"Line\":67,\"User\":\"975F6760-0B78-4F08-84E1-5209C49B38FE\"}","level":4,"time":"2016-08-12T04:58:32+00:00","method":"PROPFIND","url":"\/remote.php\/webdav\/","user":"975F6760-0B78-4F08-84E1-5209C49B38FE"}

However, port 636 is available to me and other AD-based services seem to work.

Any obvious place for me to experiment to try to get this working again? Thanks!

To use ldaps, OpenLDAP needs to trust the DC cert:
/etc/openldap/ldap.conf
TLS_CACERT /etc/ssl/certs/cacert.crt

or it should not check it:
/etc/openldap/ldap.conf
TLS_REQCERT never


Thanks. I don’t see slapd / openldap running as a service (this is on a FreeNAS jail) though I do see the config file (in /usr/local/etc). Would there be some other place to look for this? Changing settings in that file doesn’t seem to do anything.

I grepped around in /etc, /usr/local/etc, and /var to see if there was anything obvious but didn’t find anyplace else to change these settings. According to phpinfo(), LDAP is enabled and using OpenLDAP.

This did (at least at some point not long ago) work ok with owncloud. I can’t figure out why it’s failing here. My guess is that at some point I updated PHP and PHP added some extra security mojo that’s breaking this.

Path to the config in FreeBSD: /usr/local/etc/openldap/ldap.conf
After changing that it's better to reboot the jail to see the difference, but I guess restarting php-fpm would be enough.

Thanks. It turns out my restart of php-fpm wasn’t actually killing it but it’s working now. Appreciate your help!

Actually something is still wrong. I now get all green lights in the LDAP admin config but whenever I try to connect I get errors in the log.
{"reqId":"2aRlCGhYAgJwU5cEIUkZ","remoteAddr":"192.168.1.63","app":"user_ldap","message":"Bind failed: 8: Strong(er) authentication required","level":2,"time":"2016-08-14T21:30:54+00:00","method":"GET","url":"\/","user":"975F6760-0B78-4F08-84E1-5209C49B38FE"}

{"reqId":"2aRlCGhYAgJwU5cEIUkZ","remoteAddr":"192.168.1.63","app":"user_ldap","message":"No LDAP Connection to server home.triantos.com","level":3,"time":"2016-08-14T21:30:54+00:00","method":"GET","url":"\/","user":"975F6760-0B78-4F08-84E1-5209C49B38FE"}

{"reqId":"2aRlCGhYAgJwU5cEIUkZ","remoteAddr":"192.168.1.63","app":"index","message":"Exception: {
\"Exception\":\"OC\\\\ServerNotAvailableException\",\"Message\":\"Connection to LDAP server could not be established\",\"Code\":0,\"Trace\":\"
#0 \\\/opt\\\/nextcloud\\\/apps\\\/user_ldap\\\/lib\\\/access.php(156): OCA\\\\user_ldap\\\\lib\\\\Connection->getConnectionResource()\\n
#1 \\\/opt\\\/nextcloud\\\/apps\\\/user_ldap\\\/group_ldap.php(314): OCA\\\\user_ldap\\\\lib\\\\Access->readAttribute('cn=nick trianto...', 'primaryGroupID')\\n
#2 \\\/opt\\\/nextcloud\\\/apps\\\/user_ldap\\\/group_ldap.php(338): OCA\\\\user_ldap\\\\GROUP_LDAP->getEntryGroupID('cn=nick trianto...', 'primaryGroupID')\\n
#3 \\\/opt\\\/nextcloud\\\/apps\\\/user_ldap\\\/group_ldap.php(421): OCA\\\\user_ldap\\\\GROUP_LDAP->getUserPrimaryGroupIDs('cn=nick trianto...')\\n
#4 \\\/opt\\\/nextcloud\\\/apps\\\/user_ldap\\\/group_ldap.php(458): OCA\\\\user_ldap\\\\GROUP_LDAP->getUserPrimaryGroup('cn=nick trianto...')\\n
#5 \\\/opt\\\/nextcloud\\\/apps\\\/user_ldap\\\/group_proxy.php(122): OCA\\\\user_ldap\\\\GROUP_LDAP->getUserGroups('975F6760-0B78-4...')\\n
#6 \\\/opt\\\/nextcloud\\\/lib\\\/private\\\/group\\\/manager.php(245): OCA\\\\user_ldap\\\\Group_Proxy->getUserGroups('975F6760-0B78-4...')\\n
#7 \\\/opt\\\/nextcloud\\\/lib\\\/private\\\/group\\\/manager.php(272): OC\\\\Group\\\\Manager->getUserIdGroups('975F6760-0B78-4...')\\n
#8 \\\/opt\\\/nextcloud\\\/lib\\\/private\\\/group\\\/manager.php(262): OC\\\\Group\\\\Manager->isInGroup('975F6760-0B78-4...', 'admin')\\n
#9 \\\/opt\\\/nextcloud\\\/apps\\\/updatenotification\\\/appinfo\\\/app.php(34): OC\\\\Group\\\\Manager->isAdmin('975F6760-0B78-4...')\\n
#10 \\\/opt\\\/nextcloud\\\/lib\\\/private\\\/app.php(163): require_once('\\\/opt\\\/nextcloud\\\/...')\\n
#11 \\\/opt\\\/nextcloud\\\/lib\\\/private\\\/app.php(144): OC_App::requireAppFile('updatenotificat...')\\n
#12 \\\/opt\\\/nextcloud\\\/lib\\\/private\\\/app.php(117): OC_App::loadApp('updatenotificat...')\\n
#13 \\\/opt\\\/nextcloud\\\/lib\\\/base.php(951): OC_App::loadApps()\\n
#14 \\\/opt\\\/nextcloud\\\/index.php(39): OC::handleRequest()\\n
#15 {main}\",\"File\":\"\\\/opt\\\/nextcloud\\\/apps\\\/user_ldap\\\/lib\\\/connection.php\",\"Line\":169}","level":3,"time":"2016-08-14T21:30:54+00:00","method":"GET","url":"\/","user":"975F6760-0B78-4F08-84E1-5209C49B38FE"}

The physical server is “vault.lan”. I set up a Samba AD domain called “home.triantos.com” and there’s a DNS CNAME pointing to vault. The URL I configured is “home.triantos.com” but the errors mention vault. I noticed that in the database there’s a value in table “oc_appconfig” called “s01ldap_host” that had been set to “vault.lan”. I updated that to “home.triantos.com” but that doesn’t help.

Any other ideas what I can look at?

According to the docs, Samba should work by default with simple bind over TLS, but it seems like it doesn’t.
Check whether you have the Samba setting allow_sasl_over_tls = yes

I never realized how poorly documented Samba was until having this issue. :)

Thanks a lot. This wasn’t quite right… The samba parameter is actually called “ldap server require strong auth” and one option is allow_sasl_over_tls. I set it to “no” and now it’s working again, at long last.

I really appreciate your help!

Samba disabled simple bind without encryption for a reason.
Simple bind over TLS (636) is at least secured on the transport level, while simple bind over 389 isn’t secure at all.
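As an added example (not from this thread or from Samba/Nextcloud), the following standard-library Python script sends one LDAP simple bind, hand-encoded per RFC 4511 BER, first over plaintext 389 and then over ldaps 636 with certificate verification against the CA file from the ldap.conf fix above. It lets an admin confirm that the DC still answers the plaintext bind with resultCode 8 (the "Strong(er) authentication required" seen in the logs) while the ldaps bind succeeds, i.e. that the TLS trust was fixed instead of setting "ldap server require strong auth" to no. The hostname, bind DN, password and CA path are placeholders.

```python
import socket
import ssl

STRONGER_AUTH_REQUIRED = 8  # RFC 4511 resultCode behind "Bind failed: 8: Strong(er) authentication required"

def _ber_len(n):  # BER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def build_simple_bind(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }; msg_id assumed < 128."""
    bind = _tlv(0x60, _tlv(0x02, b"\x03")                # [APPLICATION 0] BindRequest, version 3
                      + _tlv(0x04, dn.encode())          # name (LDAPDN)
                      + _tlv(0x80, password.encode()))   # simple [0] OCTET STRING
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)

def _read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the TLV at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_bind_response(buf):
    """Return (resultCode, diagnosticMessage) from a BindResponse LDAPMessage."""
    _, start, _ = _read_tlv(buf, 0)                      # outer SEQUENCE
    _, _, id_end = _read_tlv(buf, start)                 # messageID
    op_tag, op_start, _ = _read_tlv(buf, id_end)
    assert op_tag == 0x61, "not a BindResponse"          # [APPLICATION 1] BindResponse
    _, c_start, c_end = _read_tlv(buf, op_start)         # ENUMERATED resultCode
    _, _, m_end = _read_tlv(buf, c_end)                  # matchedDN (unused here)
    _, d_start, d_end = _read_tlv(buf, m_end)            # diagnosticMessage
    return int.from_bytes(buf[c_start:c_end], "big"), buf[d_start:d_end].decode(errors="replace")

def probe_bind(host, port, dn, password, use_tls, cafile=None):  # reply assumed to fit one recv()
    sock = socket.create_connection((host, port), timeout=5)
    if use_tls:                                          # ldaps: verify the DC cert against the CA file
        sock = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_simple_bind(1, dn, password))
        return parse_bind_response(sock.recv(4096))

if __name__ == "__main__":  # placeholders: your DC, a low-privilege service account DN/password, the CA file
    HOST, DN, PW = "dc.example.lan", "cn=svc-nextcloud,cn=Users,dc=example,dc=lan", "secret"
    print("plaintext 389 refused:", probe_bind(HOST, 389, DN, PW, False)[0] == STRONGER_AUTH_REQUIRED)
    print("ldaps 636 result:", probe_bind(HOST, 636, DN, PW, True, "/usr/local/etc/ssl/cacert.crt"))
```

On a DC with Samba's default in force the first line prints True and the second shows resultCode 0; a 0 on port 389 means the DC now accepts passwords in the clear.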