LDAP Result Code 8 "Strong Auth Required": BindSimple: Transport encryption required

NethServer Version: 7.6.1810
Module: Domain Accounts

Hello all.
I’ve been using Nethserver for a couple of years in my home lab for simple DNS/DHCP.
Now I’m trying to use it at work in our lab to replace a Microsoft domain controller.
I have a CentOS server running services from a manufacturer that requires AD/LDAP authentication. A script runs and I fill out the questions (I’m not a programmer, just a sysadmin). At the end of the script it tests my entries. It shows this:
[ERROR] Login failed. Is bind user and password correct?
Error: LDAP Result Code 8 “Strong Auth Required”: BindSimple: Transport encryption required.

I’ve triple checked the authentication.
The script works with MS AD, but I’d love to get this working with Nethserver.
Anyone have any ideas?

Thanks!

Does the CentOS server application support LDAP with TLS?

I think it can support it, but I don’t believe it’s required.
My MS AD config that does work, does not use TLS.

I don’t know if it is requested for connecting to NSDC or NethServer OpenLDAP.

Sorry to have to say this…but just to see what would happen I gave Zentyal a try.
It worked with zero issues. I left Zentyal several years ago for Nethserver.
I sure wish I could use Nethserver…but I need to go with what works at this point.

Thanks… :confused:

summoning @support_team

AFAIK on the domain controller you can use authenticated bind only with TLS, otherwise your credentials will transit in clear text.
You can find more info here: https://github.com/NethServer/dev/issues/5067

You should be able to change the behavior with something like this (not tested):

# create the custom template directory for the nsdc Samba configuration include
mkdir -p /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/
# add a template fragment that drops the strong-auth (TLS) requirement for LDAP binds
echo "ldap server require strong auth = no" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20notls
# regenerate the include from the templates and restart the domain controller container
expand-template /var/lib/machines/nsdc/etc/samba/smb.conf.include
systemctl restart nsdc

:warning: edited, see below


This didn’t seem to work. Let me know if there’s anything else to test.
Thanks!

The commands by @giacomo need a little fix:

  mkdir -p /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/ 
- echo "ldap server require strong auth = no" > 20notls
+ echo "ldap server require strong auth = no" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20notls
  expand-template /var/lib/machines/nsdc/etc/samba/smb.conf.include
  systemctl restart nsdc
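Review bot: the removed line redirects the fragment to `20notls` relative to the current working directory, so nothing lands in the templates-custom tree and `expand-template` has no fragment to pick up; the added line writes it to the full path `/etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20notls`, which is the actual fix. Two smaller points on the unchanged context lines: the `mkdir -p` line carries a trailing space after the path, and the last line restarts the whole `nsdc` container, which is heavier than the `systemctl reload nsdc` used in the alternative below.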

Instead of creating a template-custom, you could try to edit the [global] section of /var/lib/machines/nsdc/etc/samba/smb.conf and add the following directive:

ldap server require strong auth = no

Then restart the nsdc Samba instance:

systemctl reload nsdc

They probably allow clear text passwords by default. I’d prefer to provide a safe default setting.


This fixed it! Will this modification stick or will it be overwritten?
Thank you!


/var/lib/machines/nsdc/etc/samba/smb.conf is a configuration file already included in the configuration backup and it is not overwritten.

Do these steps mean disabling TLS (encryption)?

LDAP TLS is not required for AD itself to work because secrets are encrypted within the Kerberos protocol.

With the above change some apps relying on AD LDAP can send passwords in clear text over an unencrypted channel. This is probably a risk to be evaluated carefully.
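A defender's check for the setting discussed in this thread, added here as an example and not taken from any post or from the NethServer project: it parses the [global] section of an smb.conf (constructed sample inline) and reports whether the DC will accept a simple bind over plain, unencrypted LDAP. It assumes Samba's documented default of "yes" for `ldap server require strong auth` when the directive is absent.

```python
import re

# Constructed sample of an nsdc smb.conf [global] section after the change
# suggested in this thread (not a file taken from a real server).
WEAK_SMB_CONF = """\
[global]
    workgroup = LAB
    realm = LAB.EXAMPLE.COM
    server role = active directory domain controller
    ldap server require strong auth = no

[sysvol]
    path = /var/lib/samba/sysvol
"""

# Same section without the directive: Samba's default ("yes") applies.
DEFAULT_SMB_CONF = WEAK_SMB_CONF.replace(
    "    ldap server require strong auth = no\n", "")

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def _normalize(name: str) -> str:
    # smb.conf section and parameter names ignore case and whitespace.
    return re.sub(r"\s+", "", name).lower()


def parse_global(text: str) -> dict:
    """Return the [global] parameters of an smb.conf as {normalized_name: value}."""
    params, section = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue  # blank line or comment
        m = _SECTION.match(stripped)
        if m:
            section = _normalize(m.group("name"))
            continue
        if section != "global" or "=" not in stripped:
            continue
        key, value = stripped.split("=", 1)  # only the first '=' is significant
        params[_normalize(key)] = value.strip()
    return params


def cleartext_simple_bind_allowed(text: str) -> bool:
    """True when a simple bind on plain LDAP (no TLS) would be accepted.
    Assumes the Samba default of "yes" when the directive is not set."""
    value = parse_global(text).get("ldapserverrequirestrongauth", "yes").lower()
    return value in ("no", "false", "0")
```

Run it against the smb.conf of the nsdc container to confirm whether the weakened setting is still in place after an update or restore.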

Can we say it’s like unchecking the TLS option in the web interface?

Possibly, yes. Please give Nethgui a try. Maybe the Cockpit UI has a slightly different (and buggy) validator implementation.

Many, many thanks!! It works!!
ldap server require strong auth = no

Quite late question: this directive could be overwritten into a future nsdc container update?

Yes, the ns8 smb.conf can be edited as wanted. It is included in the backup.

Topic is about NS7, @davidep :slight_smile:


Ouch! You’re right, sorry.

Anyway, that should be true also for ns7: IIRC smb.conf in nsdc is not an expanded template, and is included in the backup as-is.

In other words, it is not overwritten by updates.