> On 8 Nov 2020, at 20:24, Rowland penny via samba <samba at lists.samba.org> wrote:
>> ldbsearch does not work either:
>> root at samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
>> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>
> I always shudder when I read FreeBSD, jails and AD in the same sentence, it never seems to work ?

It would be nice if it did though :)

> You do have what appears to be a mistake in your ldbsearch command, you have 'beger/darius', it should be 'BEGER\\darius', note the forward slash replaced by two backslashes, one to escape the other.

I tried that but no difference.

> On Linux, provided you have (at least) this in /etc/krb5.conf:
>
> [libdefaults]
> default_realm = BEGER.COM.AU
>
> and DNS is set up correctly, then it should work.

I have that in my krb5.conf, DNS does work as far as I can see (and kinit, klist etc work)

> I know little about FreeBSD jails, but if I understand them correctly, they are very similar to using a chroot on Linux and I wouldn't want to try and run a second DC in a chroot.

Jails are pretty similar to chroot but more secure - like Linux containers.

--
Daniel O'Connor
"The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum
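The exchange above turns on three things that are easy to get wrong before ldbsearch ever talks to the DC: the credential form given to -U, the default_realm in krb5.conf, and whether DNS actually publishes the AD SRV records. The script below is an added pre-flight check written for this thread; it is not code from the list or from Samba. The sample krb5.conf is constructed, the function names are mine, and the realm check assumes the realm is the upper-cased parent domain of the DC's FQDN (the usual layout, but not mandatory in AD). The SRV lookup needs network access and only runs when the script is invoked with --online.

```shell
#!/bin/sh
# Added pre-flight checks for samba-ldbsearch (example code, not from the thread).

bs='\'   # a single literal backslash, kept in a variable so patterns stay readable

# normalise_user: convert 'beger/darius', 'darius@beger.com.au' or 'BEGER\darius'
# into the DOMAIN\user form ldbsearch expects and print it. A bare user name is
# printed unchanged. Remember the shell quoting when typing it: 'BEGER\darius'
# or BEGER\\darius, as the thread points out.
normalise_user() {
    cred="$1"
    case "$cred" in
        *@*)      user="${cred%@*}";        dom="${cred#*@}" ;;
        */*)      dom="${cred%%/*}";        user="${cred#*/}" ;;
        *"$bs"*)  dom="${cred%%"$bs"*}";    user="${cred#*"$bs"}" ;;
        *)        printf '%s\n' "$cred"; return 0 ;;
    esac
    dom=$(printf '%s' "$dom" | tr '[:lower:]' '[:upper:]')
    printf '%s\\%s\n' "$dom" "$user"
}

# krb5_default_realm: print default_realm from the [libdefaults] section of the
# krb5.conf named in $1; prints nothing if the key is absent from that section.
krb5_default_realm() {
    awk '
        /^[[:space:]]*\[/ { in_lib = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        in_lib && /^[[:space:]]*default_realm[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }
    ' "$1"
}

# check_realm: does the configured realm match the DC's DNS domain (upper-cased)?
# Assumption: realm == upper-case parent domain of the DC FQDN. Returns 0 on match.
check_realm() {
    want=$(printf '%s' "${2#*.}" | tr '[:lower:]' '[:upper:]')
    got=$(krb5_default_realm "$1")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# ad_srv_records: query the SRV records AD clients use to locate a DC and the KDC.
# Requires the 'host' tool and a working resolver, so it is only run with --online.
ad_srv_records() {
    realm=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    command -v host >/dev/null 2>&1 || { echo "host(1) not found, skipping SRV lookup" >&2; return 1; }
    host -t SRV "_ldap._tcp.dc._msdcs.$realm"
    host -t SRV "_kerberos._udp.$realm"
}

# Constructed sample krb5.conf matching what the thread quotes.
SAMPLE_KRB5=$(mktemp)
trap 'rm -f "$SAMPLE_KRB5"' EXIT
cat > "$SAMPLE_KRB5" <<'EOF'
[libdefaults]
    default_realm = BEGER.COM.AU
    dns_lookup_kdc = true

[realms]
    BEGER.COM.AU = {
        default_domain = beger.com.au
    }
EOF

printf 'corrected -U value: %s\n' "$(normalise_user beger/darius)"
if check_realm "$SAMPLE_KRB5" gateway2.beger.com.au; then
    echo "krb5.conf default_realm matches the DC domain"
else
    echo "krb5.conf default_realm does NOT match the DC domain" >&2
fi
if [ "${1:-}" = "--online" ]; then
    ad_srv_records "$(krb5_default_realm "$SAMPLE_KRB5")"
fi
```

Run it with no arguments for the offline checks, or with --online on the host (or inside the jail) to see whether the jail's resolver returns the _ldap._tcp.dc._msdcs SRV record; a missing record from inside the jail but a present one from the host would point at the jail's DNS setup rather than at Samba.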
On 08/11/2020 11:52, O'Connor, Daniel wrote:
>
>> On 8 Nov 2020, at 20:24, Rowland penny via samba <samba at lists.samba.org> wrote:
>>> ldbsearch does not work either:
>>> root at samba-addc:/ # samba-ldbsearch -H ldap://gateway2.beger.com.au -U beger/darius '(objectclass=person)'
>>> Failed to connect to ldap URL 'ldap://gateway2.beger.com.au' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>>> Failed to connect to 'ldap://gateway2.beger.com.au' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>> I always shudder when I read FreeBSD, jails and AD in the same sentence, it never seems to work ?
> It would be nice if it did though :)
>
>> You do have what appears to be a mistake in your ldbsearch command, you have 'beger/darius', it should be 'BEGER\\darius', note the forward slash replaced by two backslashes, one to escape the other.
> I tried that but no difference.
>
>> On Linux, provided you have (at least) this in /etc/krb5.conf:
>>
>> [libdefaults]
>> default_realm = BEGER.COM.AU
>>
>> and DNS is set up correctly, then it should work.
> I have that in my krb5.conf, DNS does work as far as I can see (and kinit, klist etc work)
>
>> I know little about FreeBSD jails, but if I understand them correctly, they are very similar to using a chroot on Linux and I wouldn't want to try and run a second DC in a chroot.
> Jails are pretty similar to chroot but more secure - like Linux containers.
>

Have you tried setting this up in a VM instead of a jail? If this works, it points to something to do with the jail; if it doesn't, then it points to a possible problem with Samba on FreeBSD, or Samba itself. The latter isn't really likely, everything works on Linux, though this isn't much comfort to you.

Rowland
> On 8 Nov 2020, at 22:49, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 08/11/2020 11:52, O'Connor, Daniel wrote:
>>> I know little about FreeBSD jails, but if I understand them correctly, they are very similar to using a chroot on Linux and I wouldn't want to try and run a second DC in a chroot.
>> Jails are pretty similar to chroot but more secure - like Linux containers.
>>
> Have you tried setting this up in a VM instead of a jail? If this works, it points to something to do with the jail; if it doesn't, then it points to a possible problem with Samba on FreeBSD, or Samba itself. The latter isn't really likely, everything works on Linux, though this isn't much comfort to you.

It's not particularly urgent so it could be an opportunity to debug it.

--
Daniel O'Connor
"The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum