I'm setting up a test domain in order to try out Sudoers LDAP and have run into a problem that has me puzzled. On our production domain I can run a query such as:

ldapsearch -LLL -p389 -h DC -u me@ourdomain.com.au -W -X -LLL -b "dc=ourdomain,dc=com,dc=au" -s sub

However, running an equivalent search on a freshly installed test domain, using the exact same version of Samba and the same smb.conf (with appropriate domain adjustments), I get the following error:

ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
additional info: SASL:[NTLM]: Sign or Seal are required.

I believe this is the problem behind sssd not working on the test domain client, which I need to get working before I can proceed.

To the best of my recollection, we have never done anything special to the production domain to allow such queries. What have I missed?

regards,
John
On Tue, 2016-04-19 at 10:29 +1000, John Gardeniers wrote:
> I'm setting up a test domain in order to try out Sudoers LDAP and have run into a problem that has me puzzled. On our production domain I can run a query such as:
>
> ldapsearch -LLL -p389 -h DC -u me@ourdomain.com.au -W -X -LLL -b "dc=ourdomain,dc=com,dc=au" -s sub
>
> However, running an equivalent search on a freshly installed test domain, using the exact same version of Samba and the same smb.conf (with appropriate domain adjustments), I get the following error:
>
> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
> additional info: SASL:[NTLM]: Sign or Seal are required.
>
> I believe this is the problem behind sssd not working on the test domain client, which I need to get working before I can proceed.
>
> To the best of my recollection, we have never done anything special to the production domain to allow such queries. What have I missed?

With the latest (4.4.{1,2}, 4.3.{7,8} and 4.2.{10,11}) releases, we require that the LDAP session be cryptographically signed, not just set up securely, so as to prevent MITM attacks on the subsequent data stream.

This is controlled by "ldap server require strong auth".

ldapsearch should be doing this for you, but I can't see any extra options to suggest in the manpage.

Sorry,

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
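Andrew's answer turns on the DC-side "ldap server require strong auth" setting. As an added example (not code from the thread, from Samba, or from anyone in it), here is a small Python audit that reads an smb.conf, resolves the effective value of that parameter (unset means the default "yes") and flags a downgrade that would silently re-admit unsigned NTLM binds. The three accepted values, including allow_sasl_over_tls, come from the smb.conf(5) manpage rather than from the thread, and both sample configs are constructed.

```python
import configparser

# Values smb.conf(5) accepts for "ldap server require strong auth"; "yes" is the default.
# Effects paraphrased from the manpage; "no" is the downgrade a defender should spot.
POLICIES = {
    "yes": "simple bind only over TLS; SASL (NTLMSSP/GSSAPI) must negotiate sign or seal",
    "allow_sasl_over_tls": "simple bind only over TLS; unsigned SASL tolerated inside TLS",
    "no": "simple bind and unsigned SASL accepted over plain LDAP (MITM exposure)",
}

def effective_strong_auth(smb_conf_text: str) -> str:
    """Resolve the effective value from smb.conf text; unset means Samba's default 'yes'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    # Samba ignores case and spaces in parameter names, so normalise lookups the same way
    cp.optionxform = lambda name: "".join(name.split()).lower()
    cp.read_string(smb_conf_text)
    section = next((s for s in cp.sections() if s.strip().lower() == "global"), None)
    if section is None:
        return "yes"
    raw = cp.get(section, "ldap server require strong auth", fallback="yes")
    value = (raw or "").strip().lower()
    if value in ("yes", "true", "1"):      # Samba boolean spellings
        return "yes"
    if value in ("no", "false", "0"):
        return "no"
    if value == "allow_sasl_over_tls":
        return value
    raise ValueError(f"unrecognised 'ldap server require strong auth' value: {raw!r}")

def audit_strong_auth(smb_conf_text: str) -> dict:
    """Report the effective setting and whether it weakens LDAP bind protection."""
    setting = effective_strong_auth(smb_conf_text)
    return {"setting": setting, "weak": setting != "yes", "effect": POLICIES[setting]}

# Constructed sample configs (not from the thread): a DC left at the default, and one
# where the check was relaxed to make an unsigned NTLM ldapsearch "work" again.
DEFAULT_DC_CONF = """[global]
    workgroup = TESTDOM
    realm = TESTDOM.EXAMPLE
    server role = active directory domain controller
"""
RELAXED_DC_CONF = DEFAULT_DC_CONF + """    # relaxed after seeing "SASL:[NTLM]: Sign or Seal are required"
    ldap server require strong auth = no
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_DC_CONF), ("relaxed", RELAXED_DC_CONF)):
        print(name, audit_strong_auth(conf))
```

Run it against each DC's smb.conf when two "identical" domains behave differently; a production DC that quietly carries "no" explains the discrepancy John saw and is the one to fix, not the test DC.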
Hi Andrew,

I don't understand why 2 systems running the exact same version of Samba have different behaviour. Is this an option I can disable?

regards,
John

On 19/04/16 11:29, Andrew Bartlett wrote:
> On Tue, 2016-04-19 at 10:29 +1000, John Gardeniers wrote:
>> I'm setting up a test domain in order to try out Sudoers LDAP and have run into a problem that has me puzzled. On our production domain I can run a query such as:
>>
>> ldapsearch -LLL -p389 -h DC -u me@ourdomain.com.au -W -X -LLL -b "dc=ourdomain,dc=com,dc=au" -s sub
>>
>> However, running an equivalent search on a freshly installed test domain, using the exact same version of Samba and the same smb.conf (with appropriate domain adjustments), I get the following error:
>>
>> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
>> additional info: SASL:[NTLM]: Sign or Seal are required.
>>
>> I believe this is the problem behind sssd not working on the test domain client, which I need to get working before I can proceed.
>>
>> To the best of my recollection, we have never done anything special to the production domain to allow such queries. What have I missed?
>
> With the latest (4.4.{1,2}, 4.3.{7,8} and 4.2.{10,11}) releases, we require that the LDAP session be cryptographically signed, not just set up securely, so as to prevent MITM attacks on the subsequent data stream.
>
> This is controlled by "ldap server require strong auth".
>
> ldapsearch should be doing this for you, but I can't see any extra options to suggest in the manpage.
>
> Sorry,
>
> Andrew Bartlett
On 19/04/16 01:29, John Gardeniers wrote:
> I'm setting up a test domain in order to try out Sudoers LDAP and have run into a problem that has me puzzled. On our production domain I can run a query such as:
>
> ldapsearch -LLL -p389 -h DC -u me@ourdomain.com.au -W -X -LLL -b "dc=ourdomain,dc=com,dc=au" -s sub
>

Try using ldbsearch instead:

ldbsearch -H ldap://dc1 -Ume -b "dc=ourdomain,dc=com,dc=au" -s sub

Or with Kerberos (run kinit & klist to get the correct ticket cache):

ldbsearch -H ldap://DC -Ume -k yes --krb5-ccache=/tmp/krb5cc_10000_VzsXW8 -b "dc=ourdomain,dc=com,dc=au" -s sub

> However, running an equivalent search on a freshly installed test domain, using the exact same version of Samba and the same smb.conf (with appropriate domain adjustments), I get the following error:
>
> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
> additional info: SASL:[NTLM]: Sign or Seal are required.
>
> I believe this is the problem behind sssd not working on the test domain client, which I need to get working before I can proceed.
>

You do know that you don't need to use sssd to get sudo working with AD, don't you?

Rowland

> To the best of my recollection, we have never done anything special to the production domain to allow such queries. What have I missed?
>
> regards,
> John
First of all, SSSD, Winbind and nslcd are used by PAM, which is a system tool. LDAP is a network protocol; no need for a working SSSD/Winbind/coffeeMachine. You don't even need the client to be joined to the domain. Your smartphone would do if you get an LDAP client on it.

Here: Samba as DC, version is 4.4.2. "ldap server require strong auth" is set to "Yes" (the default value actually). The following ldapsearch is working.

Here is the command I use to deal with my DC using ldapsearch, ldapmodify and others. Only a few things change between these tools; they come from the same place.

ldapsearch -h DC034 \
    -D "CN=Administrator,CN=Users,DC=ad,DC=domain,DC=tld" \
    -w "securePass?" \
    -b "DC=ad,DC=domain,DC=tld" \
    -s sub \
    -x -ZZ -LLL \
    "(cn=administrator)" dn sAMAccountName

The last line is the search pattern + filters. Just before the last line is how ldapsearch would authenticate against the LDAP tree. Before that: no need to explain.

2016-04-19 10:30 GMT+02:00 Rowland penny <rpenny@samba.org>:
> On 19/04/16 01:29, John Gardeniers wrote:
>
>> I'm setting up a test domain in order to try out Sudoers LDAP and have run into a problem that has me puzzled. On our production domain I can run a query such as:
>>
>> ldapsearch -LLL -p389 -h DC -u me@ourdomain.com.au -W -X -LLL -b "dc=ourdomain,dc=com,dc=au" -s sub
>>
> Try using ldbsearch instead:
>
> ldbsearch -H ldap://dc1 -Ume -b "dc=ourdomain,dc=com,dc=au" -s sub
>
> Or with kerberos (run kinit & klist to get correct ticket cache)
>
> ldbsearch -H ldap://DC -Ume -k yes --krb5-ccache=/tmp/krb5cc_10000_VzsXW8 -b "dc=ourdomain,dc=com,dc=au" -s sub
>
>> However, running an equivalent search on a freshly installed test domain, using the exact same version of Samba and the same smb.conf (with appropriate domain adjustments), I get the following error:
>>
>> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
>> additional info: SASL:[NTLM]: Sign or Seal are required.
>>
>> I believe this is the problem behind sssd not working on the test domain client, which I need to get working before I can proceed.
>>
> You do know that you don't need to use sssd to get sudo working with AD, don't you ?
>
> Rowland
>
>> To the best of my recollection, we have never done anything special to the production domain to allow such queries. What have I missed?
>>
>> regards,
>> John
Hi Rowland,

Before I start with Sudoers LDAP I need to have the test system replicate our production system, hence the need for sssd and a working ldapsearch. Without that replicated capability any testing of new capability is pointless.

The answer from Mathias Dufresne solved the ldapsearch problem.

regards,
John

On 19/04/16 18:30, Rowland penny wrote:
> On 19/04/16 01:29, John Gardeniers wrote:
>> I'm setting up a test domain in order to try out Sudoers LDAP and have run into a problem that has me puzzled. On our production domain I can run a query such as:
>>
>> ldapsearch -LLL -p389 -h DC -u me@ourdomain.com.au -W -X -LLL -b "dc=ourdomain,dc=com,dc=au" -s sub
>>
>
> Try using ldbsearch instead:
>
> ldbsearch -H ldap://dc1 -Ume -b "dc=ourdomain,dc=com,dc=au" -s sub
>
> Or with kerberos (run kinit & klist to get correct ticket cache)
>
> ldbsearch -H ldap://DC -Ume -k yes --krb5-ccache=/tmp/krb5cc_10000_VzsXW8 -b "dc=ourdomain,dc=com,dc=au" -s sub
>
>> However, running an equivalent search on a freshly installed test domain, using the exact same version of Samba and the same smb.conf (with appropriate domain adjustments), I get the following error:
>>
>> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
>> additional info: SASL:[NTLM]: Sign or Seal are required.
>>
>> I believe this is the problem behind sssd not working on the test domain client, which I need to get working before I can proceed.
>>
>
> You do know that you don't need to use sssd to get sudo working with AD, don't you ?
>
> Rowland
>
>> To the best of my recollection, we have never done anything special to the production domain to allow such queries. What have I missed?
>>
>> regards,
>> John