Hi Andrew,

I don't understand why 2 systems running the exact same version of Samba have different behaviour. Is this an option I can disable?

regards,
John

On 19/04/16 11:29, Andrew Bartlett wrote:
> On Tue, 2016-04-19 at 10:29 +1000, John Gardeniers wrote:
>> I'm setting up a test domain in order to try out Sudoers LDAP and have
>> run into a problem that has me puzzled. On our production domain I can
>> run a query such as:
>>
>> ldapsearch -LLL -p389 -h DC -u me at ourdomain.com.au -W -X -LLL -b
>> "dc=ourdomain,dc=com,dc=au" -s sub
>>
>> However, running an equivalent search on a freshly installed test
>> domain, using the exact same version of Samba and the same smb.conf
>> (with appropriate domain adjustments), I get the following error:
>>
>> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
>> additional info: SASL:[NTLM]: Sign or Seal are required.
>>
>> I believe this is the problem behind sssd not working on the test domain
>> client, which I need to get working before I can proceed.
>>
>> To the best of my recollection, we have never done anything special to
>> the production domain to allow such queries. What have I missed?
> With the latest (4.4.{1,2}, 4.3.{7,8} and 4.2.{10,11}) releases, we
> require that the LDAP session be cryptographically signed, not just set
> up securely, so as to prevent MITM attacks on the subsequent data
> stream.
>
> This is controlled by "ldap server require strong auth".
>
> ldapsearch should be doing this for you, but I can't see any extra
> options to suggest in the manpage.
>
> Sorry,
>
> Andrew Bartlett
Hi,
testparm -v | grep 'ldap serve'
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
ldap server require strong auth = Yes
Here I would try to set:
ldap server require strong auth = No
in smb.conf.
2016-04-19 3:36 GMT+02:00 John Gardeniers <jgardeniers at objectmastery.com>:
> Hi Andrew,
>
> I don't understand why 2 systems running the exact same version of Samba
> have different behaviour. Is this an option I can disable?
>
> regards,
> John
>
>
>
> On 19/04/16 11:29, Andrew Bartlett wrote:
>
>> On Tue, 2016-04-19 at 10:29 +1000, John Gardeniers wrote:
>>
>>> I'm setting up a test domain in order to try out Sudoers LDAP and have
>>> run into a problem that has me puzzled. On our production domain I can
>>> run a query such as:
>>>
>>> ldapsearch -LLL -p389 -h DC -u me at ourdomain.com.au -W -X -LLL -b
>>> "dc=ourdomain,dc=com,dc=au" -s sub
>>>
>>> However, running an equivalent search on a freshly installed test
>>> domain, using the exact same version of Samba and the same smb.conf
>>> (with appropriate domain adjustments), I get the following error:
>>>
>>> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
>>> additional info: SASL:[NTLM]: Sign or Seal are required.
>>>
>>> I believe this is the problem behind sssd not working on the test domain
>>> client, which I need to get working before I can proceed.
>>>
>>> To the best of my recollection, we have never done anything special to
>>> the production domain to allow such queries. What have I missed?
>>>
>> With the latest (4.4.{1,2}, 4.3.{7,8} and 4.2.{10,11}) releases, we
>> require that the LDAP session be cryptographically signed, not just set
>> up securely, so as to prevent MITM attacks on the subsequent data
>> stream.
>>
>> This is controlled by "ldap server require strong auth".
>>
>> ldapsearch should be doing this for you, but I can't see any extra
>> options to suggest in the manpage.
>>
>> Sorry,
>>
>> Andrew Bartlett
>>
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Hi Mathias,

Thank you. Although my smb.conf had no entry for ldap, adding "ldap server require strong auth = No" did indeed fix the problem.

regards,
John

On 19/04/16 18:09, mathias dufresne wrote:
> Hi,
>
> testparm -v | grep 'ldap serve'
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Press enter to see a dump of your service definitions
>
> ldap server require strong auth = Yes
>
> Here I would try to set:
> ldap server require strong auth = No
> in smb.conf.
>
>
> 2016-04-19 3:36 GMT+02:00 John Gardeniers <jgardeniers at objectmastery.com>:
>
>> Hi Andrew,
>>
>> I don't understand why 2 systems running the exact same version of Samba
>> have different behaviour. Is this an option I can disable?
>>
>> regards,
>> John
>>
>>
>>
>> On 19/04/16 11:29, Andrew Bartlett wrote:
>>
>>> On Tue, 2016-04-19 at 10:29 +1000, John Gardeniers wrote:
>>>
>>>> I'm setting up a test domain in order to try out Sudoers LDAP and have
>>>> run into a problem that has me puzzled. On our production domain I can
>>>> run a query such as:
>>>>
>>>> ldapsearch -LLL -p389 -h DC -u me at ourdomain.com.au -W -X -LLL -b
>>>> "dc=ourdomain,dc=com,dc=au" -s sub
>>>>
>>>> However, running an equivalent search on a freshly installed test
>>>> domain, using the exact same version of Samba and the same smb.conf
>>>> (with appropriate domain adjustments), I get the following error:
>>>>
>>>> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
>>>> additional info: SASL:[NTLM]: Sign or Seal are required.
>>>>
>>>> I believe this is the problem behind sssd not working on the test domain
>>>> client, which I need to get working before I can proceed.
>>>>
>>>> To the best of my recollection, we have never done anything special to
>>>> the production domain to allow such queries. What have I missed?
>>>>
>>> With the latest (4.4.{1,2}, 4.3.{7,8} and 4.2.{10,11}) releases, we
>>> require that the LDAP session be cryptographically signed, not just set
>>> up securely, so as to prevent MITM attacks on the subsequent data
>>> stream.
>>>
>>> This is controlled by "ldap server require strong auth".
>>>
>>> ldapsearch should be doing this for you, but I can't see any extra
>>> options to suggest in the manpage.
>>>
>>> Sorry,
>>>
>>> Andrew Bartlett
>>>
>>>
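As an added example (not code from this thread or from the Samba project), a small Python checker that reads an smb.conf the way Samba does, with case- and whitespace-insensitive keys in [global], and reports the effective "ldap server require strong auth" value, falling back to the default when the entry is absent, which is why John's fresh DC demanded signing although his smb.conf said nothing about ldap. The default of "yes" for the releases Andrew names and the third accepted value, allow_sasl_over_tls, are taken from the smb.conf manpage as I know it rather than from the thread, and the sample configs are constructed.

```python
import re

# Assumed default for the releases the thread names (4.2.10+, 4.3.7+, 4.4.1+);
# an smb.conf with no entry, like John's test DC, still gets this value.
DEFAULT = "yes"
PARAM = "ldapserverrequirestrongauth"   # parameter name with case/whitespace removed
YES, NO = {"yes", "true", "1"}, {"no", "false", "0"}

def normalize_key(key):
    return re.sub(r"\s+", "", key).lower()   # Samba ignores case/whitespace in names

def global_params(conf):
    """Collect [global] parameters; lines before any section header count as global."""
    params, section = {}, "global"
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" in line and section == "global":
            key, _, value = line.partition("=")
            params[normalize_key(key)] = value.strip().lower()
    return params

def effective_strong_auth(conf):
    """Return the effective setting as 'yes', 'no' or 'allow_sasl_over_tls'."""
    value = global_params(conf).get(PARAM, DEFAULT)
    if value in YES:
        return "yes"
    if value in NO:
        return "no"
    if value == "allow_sasl_over_tls":           # third value from the smb.conf manpage
        return value
    raise ValueError("unknown value for ldap server require strong auth: %r" % value)

def assess(conf):
    """Pair the effective value with what an unsigned, unsealed SASL bind gets."""
    value = effective_strong_auth(conf)
    outcomes = {
        "yes": "rejected: 'Strong(er) authentication required', 'Sign or Seal are required'",
        "allow_sasl_over_tls": "accepted only when the bind runs inside a TLS session",
        "no": "accepted: LDAP traffic after the bind can be tampered with on the wire",
    }
    return value, outcomes[value]

# Constructed samples: John's fresh DC had no ldap entry; the fix he applied adds one.
FRESH_DC = "[global]\n\tworkgroup = TEST\n\tserver role = active directory domain controller\n"
RELAXED_DC = FRESH_DC + "\tldap server require strong auth = No\n"
```

Running `assess()` over a DC's real smb.conf (or over `testparm -s` output) shows whether the "Sign or Seal are required" rejection is the configured default at work or an explicit setting, and whether a later "= No" has silently removed the MITM protection Andrew describes.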