Fail To Authenticate Via CIFS To OES2 Linux Server (Local Authentication)

  • 7002155
  • 10-Dec-2008
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 (OES 2) Linux SP1
Novell Open Enterprise Server 2 (OES 2) Linux SP2
Novell CIFS

Situation

After initial setup, authentication to the OES2 Linux server via CIFS fails. The client prompts again for the username and password.

NDS Trace shows the following:
New cleartext connection 0x654c6c0 from 127.0.0.1:45606, monitor = 0x4c67a940, index = 5
Invalid protocol request on connection 0x654c6c0
Monitor 0x4c67a940 initiating close for connection 0x654c6c0
Server closing connection 0x654c6c0, reason = 2
Sending operation result 2:"":"" to connection 0x654c6c0
Connection 0x654c6c0 closed

CIFS.LOG contained the following:
Dec  9 14:02:54 servername01 CIFS[893]: CRITICAL: AUTH: Failed to fetch ldap Descriptor. Restart server
Dec  9 14:02:54 servername01 CIFS[893]: CRITICAL: AUTH: Credentials do not match, User :  cn=username,ou=orgUnit,o=Org
Dec  9 14:02:54 servername01 CIFS[893]: CRITICAL: AUTH:  ldap simple bind failed, ldap  error: 81, port 389 , ProxyUser cn=cifsProxyUser-servername01,ou=orgUnit,o=myOrg.    Check ldap configuration

Resolution

From the documentation:
1.  If your eDirectory replica is stored on an eDirectory server earlier than 8.8.3, ensure you upgrade the server using the Security Services 2.0.6 patch.
2.  The user/administrator needs supervisor rights over the container where the server object is installed.
3.  The user/administrator needs root permissions to install CIFS on an OES2 Linux server.
4.  The user/administrator needs read, write, create, modify rights over the password policies sub-container of the security container, for the following reasons:
     a.  Adding the CIFS default policy to the password policies.
     b.  Modifying policies selected for CIFS, so that the proxy user can read passwords for users attached to the policy.

After double-checking the above and correcting anything that is wrong, rerun the OES installation and reconfigure CIFS using port 636. Be sure that /etc/opt/novell/cifs/cifs.conf has "SSL yes" and "LDAPPORT 636". Be sure that the default CIFS password policy is created. If it is not created the first time, rerun the CIFS configuration a second time. It should then be created and be available to be assigned as the default password policy for CIFS under the OES CIFS configuration.
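
One way to verify the two cifs.conf settings named above and to confirm from the CIFS log which port the proxy user's failed bind used. This is an added example, not Novell tooling; the function names are hypothetical, and it assumes cifs.conf holds whitespace-separated "KEY value" lines with "#" comment lines.

```shell
#!/bin/sh
# Added example, not Novell code. Assumption: cifs.conf uses "KEY value"
# lines as quoted in the article ("SSL yes", "LDAPPORT 636"), "#" for comments.

# conf_value FILE KEY: print the last value set for KEY (key match is case-insensitive).
conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
        toupper($1) == toupper(key) { val = $2 } # last occurrence wins
        END { print val }
    ' "$1"
}

# check_cifs_conf FILE: return 0 only if SSL is yes and LDAPPORT is 636.
check_cifs_conf() {
    ssl=$(conf_value "$1" SSL | tr 'A-Z' 'a-z')
    port=$(conf_value "$1" LDAPPORT)
    rc=0
    [ "$ssl" = "yes" ] || { echo "SSL is '${ssl:-unset}', expected 'yes'"; rc=1; }
    [ "$port" = "636" ] || { echo "LDAPPORT is '${port:-unset}', expected '636'"; rc=1; }
    return $rc
}

# failed_bind_ports LOG: print the distinct ports named in "ldap simple bind failed" lines.
failed_bind_ports() {
    sed -n 's/.*ldap simple bind failed.*port \([0-9][0-9]*\).*/\1/p' "$1" | sort -u
}

# Constructed sample input: a config still pointing at cleartext LDAP, and the
# bind-failure line from the CIFS.LOG excerpt in this article.
demo=$(mktemp -d)
printf '# constructed sample\nSSL no\nLDAPPORT 389\n' > "$demo/cifs.conf"
printf '%s\n' 'Dec  9 14:02:54 servername01 CIFS[893]: CRITICAL: AUTH:  ldap simple bind failed, ldap  error: 81, port 389 , ProxyUser cn=cifsProxyUser-servername01,ou=orgUnit,o=myOrg.    Check ldap configuration' > "$demo/cifs.log"
check_cifs_conf "$demo/cifs.conf" || echo "cifs.conf needs correcting"
echo "failed proxy binds seen on port(s): $(failed_bind_ports "$demo/cifs.log")"
rm -rf "$demo"
```

On a live server, point the functions at /etc/opt/novell/cifs/cifs.conf and the server's CIFS log instead of the constructed files.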