Tags: python, django, active-directory, ldap, samba

How to create an LDAP BIND_DN for Samba Active Directory


I am trying to set up Samba Active Directory user authentication for my Django app. I am working in Linux. I don't have access to Windows Active Directory. I got a Docker image, smblds, for a Samba AD DC on Ubuntu 22.04, using

docker run --name smblds \
           --publish 389:389 \
           --publish 636:636 \
           --detach smblds/smblds:latest

The docker started fine. I can see the smb.conf and other tdb files created.

But this image does not set the BIND_DN value. So I exec'd into the container and, from inside the smblds container, I provisioned the Active Directory with

samba-tool domain provision --use-rfc2307 --interactive

I used all the default settings for Realm, Domain, server role, DNS backend and Administrator password. I see the following messages in the output:

Setting up self join
Repacking database from v1 to v2 format (first record CN=ms-WMI-StringSetParam,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record CN=server-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=samdom,DC=example,DC=com)
Repacking database from v1 to v2 format (first record CN=51cba88b-99cf-4e16-bef2-c427b38d0767,CN=Operations,CN=DomainUpdates,CN=System,DC=samdom,DC=example,DC=com)

Is any of these a BIND_DN? Actually, when I try to connect to Active Directory using python-ldap, I see an invalid credentials error.

>>> import ldap
>>> ldap_server = ldap.initialize("ldap://172.17.0.5/")
>>> ldap_server.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
>>> ldap_server.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
>>> ldap_server.start_tls_s()
>>> ldap_server.simple_bind_s("CN=ms-WMI-StringSetParam,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com", "Passw0rd")

ldap.INVALID_CREDENTIALS: {'msgtype': 97, 'msgid': 3, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1'}

I know I set the password during provisioning. But what is the initial BIND_DN that I can use to bind with the samba active directory in the ldap_server.simple_bind_s call?

Basically, is there any BIND_DN created for the Samba Active Directory like there is for OpenLDAP? If not, how do I connect to Samba Active Directory?

Thank you


Solution

  • "Bind DNs" are DNs that represent user accounts. This works in Active Directory the same as in other LDAP services.

    The standard user account that exists in fresh AD installations – certain to be the one that you've set a password for – is Administrator which is placed in the default Users container; its DN might therefore be CN=Administrator,CN=Users,DC=ad,DC=example,DC=com.

    As a special case, Active Directory DCs (including Samba) allow you to directly specify a non-DN username in the "bind DN" field (either in the AD UPN user@domain.tld format or in the NT4 DOMAIN\user format), so you should also be able to bind as Administrator@ad.example.com.

    You could also bypass the procedure using a Kerberos (GSSAPI or GSS-SPNEGO) bind instead of a plaintext password. In a full AD environment (i.e. properly configured DNS) you would be able to kinit as Administrator@AD.EXAMPLE.COM and invoke .sasl_gssapi_bind_s() [1].

    [1] More precisely it should be .sasl_non_interactive_bind_s("GSS-SPNEGO") for AD.