Hi all,

I'm running old samba4 DC and trying to set up LDAP authentication for https://www.reviewboard.org/docs/manual/3.0/admin/configuration/authentication-settings/

These settings are almost working for me:

-> Authentication Method: LDAP
-> LDAP Server: ldap://192.168.x.x:389
-> Review Board LDAP Bind Account: cn=auth,cn=Users,dc=domain,dc=co,dc=uk
-> Review Board LDAP Bind Password: ********
-> LDAP Base DN: cn=Users,dc=domain,dc=co,dc=uk
-> Username Attribute: uid
-> Given Name Attribute: givenName
-> Surname Attribute: sn
-> Full Name Attribute: cn
-> E-Mail LDAP Attribute: mail
-> E-Mail Domain: (blank)
-> Custom LDAP User Search Filter: (blank)

I have a weird problem with about half of users being able to log in:

2020-05-26 11:32:07,623 - DEBUG -  - root - Attempting to authenticate user DN "CN=dummy1,CN=Users,DC=domain,DC=co,DC=uk" (username dummy1) in LDAP

and half unable:

2020-05-26 11:40:57,671 - ERROR -  - root - Unexpected error authenticating user "dummy2" in LDAP: 'NoneType' object has no attribute 'decode'

After ruling out the obvious such as AD groups membership and primary groups I compared ldapsearch dumps:

ldapsearch -D 'admin@domain.co.uk' -b 'cn=Users,dc=domain,dc=co,dc=uk' -H ldap://192.168.x.x -W sAMAccountName=dummy

I've noticed that all of those who cannot log in are missing msSFU30Name and msDS-SupportedEncryptionTypes attributes.

I've added them to match settings for the successful users as below:


dn: CN=dummy2,CN=Users,DC=domain,DC=co,DC=uk
changetype: modify
add: msSFU30Name
msSFU30Name: dummy2
add: msDS-SupportedEncryptionTypes
msDS-SupportedEncryptionTypes: 0

ldbmodify -H /var/lib/samba/private/sam.ldb dummy2.ldif -U dummy2
Modified 1 records successfully

Unfortunately it didn't help :(

Any ideas why?