Jason Keltz
2020-Jul-23 01:20 UTC
[Samba] using samba-tool from a domain member other than the DC
Hi.

I have a Samba AD DC setup that is working well. I want to be able to use "samba-tool" from another Linux host that is a member of the domain (e.g. my host). I've looked at page after page online, and can't seem to figure out how to make this work.

On the domain member I did:

kinit Administrator

I'm asked for the domain admin password and it's accepted, then I thought I could just do:

samba-tool user list -k yes

... but samba tries to read the users from local TDB files which of course don't exist on the host since it's an AD member, and not the DC.

I tried adding: -H ldaps://dc.server.com after copying in the proper auto generated keys from the samba DC to the domain member, but that didn't work either. Now I have:

Failed to bind - LDAP client internal error: NT_STATUS_UNSUCCESSFUL
Failed to connect to 'ldaps://dc1.eecs.yorku.ca' with backend 'ldaps': LDAP client internal error: NT_STATUS_UNSUCCESSFUL
ERROR(ldb): uncaught exception - LDAP client internal error: NT_STATUS_UNSUCCESSFUL

Any ideas? I must be close.

Jason.
Jason Keltz
2020-Jul-23 17:42 UTC
[Samba] using samba-tool from a domain member other than the DC
Hi.

I left off from my original question...

I've joined the domain using "realm join", and am not using winbind.

I'm looking for the minimal configuration I need to have in smb.conf to be able to run samba-tool from a domain member.

My /etc/krb5.conf contains:

[libdefaults]
default_realm = <my realm>
dns_lookup_realm = false
dns_lookup_kdc = true

My /etc/smb.conf contains minimal:

[global]
workgroup=<my workgroup>
security=ADS
realm=<my realm>

Have I missed providing some detail?

Do I need to be running smbd to be able to use samba-tool from a domain member?

Is nobody else using samba-tool from outside their DC that might be able to suggest why this doesn't work?

Thanks,

Jason.

On 7/22/2020 9:20 PM, Jason Keltz via samba wrote:
> Hi.
>
> I have a Samba AD DC setup that is working well. I want to be able to
> use "samba-tool" from another Linux host that is a member of the
> domain (e.g. my host). I've looked at page after page online, and
> can't seem to figure out how to make this work.
>
> On the domain member I did:
>
> kinit Administrator
>
> I'm asked for the domain admin password and it's accepted, then I
> thought I could just do:
>
> samba-tool user list -k yes
>
> ... but samba tries to read the users from local TDB files which of
> course don't exist on the host since it's an AD member, and not the DC.
>
> I tried adding: -H ldaps://dc.server.com after copying in the proper
> auto generated keys from the samba DC to the domain member, but that
> didn't work either. Now I have:
>
> Failed to bind - LDAP client internal error: NT_STATUS_UNSUCCESSFUL
> Failed to connect to 'ldaps://dc1.eecs.yorku.ca' with backend 'ldaps':
> LDAP client internal error: NT_STATUS_UNSUCCESSFUL
> ERROR(ldb): uncaught exception - LDAP client internal error:
> NT_STATUS_UNSUCCESSFUL
>
> Any ideas? I must be close.
>
> Jason.

--
Jason Keltz
Manager of Development
Department of Electrical Engineering & Computer Science
York University, Toronto, Canada
Tel: 416-736-2100 x. 33570
Fax: 416-736-5872
Rowland penny
2020-Jul-23 18:21 UTC
[Samba] using samba-tool from a domain member other than the DC
On 23/07/2020 18:42, Jason Keltz via samba wrote:
> Hi.
>
> I left off from my original question...
>
> I've joined the domain using "realm join", and am not using winbind.
>
> I'm looking for the minimal configuration I need to have in smb.conf
> to be able to run samba-tool from a domain member.
>
> My /etc/krb5.conf contains:
>
> [libdefaults]
> default_realm = <my realm>
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> My /etc/smb.conf contains minimal:
>
> [global]
> workgroup=<my workgroup>
> security=ADS
> realm=<my realm>
>
> Have I missed providing some detail?
>
> Do I need to be running smbd to be able to use samba-tool from a
> domain member?
>
> Is nobody else using samba-tool from outside their DC that might be
> able to suggest why this doesn't work?
>
> Thanks,
>
> Jason.

Not sure, I have never tried it. From the sound of it, you are not running any of the Samba daemons, so why do you need samba-tool ?

Using samba-tool from a Samba domain member does work, it is just ldaps that doesn't seem to work for myself, probably because of an incorrect incantation ;-)

Rowland
Andrew Bartlett
2020-Jul-23 20:21 UTC
[Samba] using samba-tool from a domain member other than the DC
On Wed, 2020-07-22 at 21:20 -0400, Jason Keltz via samba wrote:
> Hi.
>
> I have a Samba AD DC setup that is working well. I want to be able to
> use "samba-tool" from another Linux host that is a member of the domain
> (e.g. my host). I've looked at page after page online, and can't seem to
> figure out how to make this work.
>
> On the domain member I did:
>
> kinit Administrator
>
> I'm asked for the domain admin password and it's accepted, then I
> thought I could just do:
>
> samba-tool user list -k yes
>
> ... but samba tries to read the users from local TDB files which of
> course don't exist on the host since it's an AD member, and not the DC.
>
> I tried adding: -H ldaps://dc.server.com after copying in the proper
> auto generated keys from the samba DC to the domain member, but that
> didn't work either. Now I have:
>
> Failed to bind - LDAP client internal error: NT_STATUS_UNSUCCESSFUL
> Failed to connect to 'ldaps://dc1.eecs.yorku.ca' with backend 'ldaps':
> LDAP client internal error: NT_STATUS_UNSUCCESSFUL
> ERROR(ldb): uncaught exception - LDAP client internal error:
> NT_STATUS_UNSUCCESSFUL
>
> Any ideas? I must be close.

Try with ldap:// not ldaps://

Kerberos and all other SASL secured connections over LDAPS are a problem due to the lack of channel bindings (something we are trying to fix), the protection provided by Kerberos directly is actually superior.

My guess is that the server is rejecting it due to the setting of 'ldap server require strong auth'.

Thanks,

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
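The invocation Andrew is pointing at, written up as a small wrapper so the domain member never ends up on the ldaps:// path with a Kerberos bind. This is an added example, not a script from the thread or from the Samba project; it assumes MIT krb5 (`klist -s`) and `samba-tool` on PATH, and `dc1.example.com` is a placeholder for your DC's FQDN.

```shell
#!/bin/sh
# Added example: run samba-tool against a Samba AD DC from a domain member,
# authenticating with the Kerberos ticket already in the credential cache.
# Assumes MIT krb5 (klist -s) and samba-tool in PATH. dc1.example.com below
# is a placeholder, not a host from the thread.
set -eu

# Build the URL for samba-tool -H. Any ldaps:// (or ldap://) scheme on the
# input is stripped and ldap:// is used: a Kerberos (SASL/GSSAPI) bind already
# signs and seals the session, and SASL over LDAPS carries no channel
# bindings, so a DC with 'ldap server require strong auth' set may refuse it.
member_ldap_url() {
    host=$1
    host=${host#ldaps://}
    host=${host#ldap://}
    # Use the DC's FQDN, not an IP: the client needs an ldap/<fqdn> ticket.
    printf 'ldap://%s\n' "$host"
}

# Succeeds only if the default ccache holds a valid, unexpired TGT.
have_krb_ticket() {
    klist -s 2>/dev/null
}

# samba_tool_member DC SUBCOMMAND [ARGS...]
#   e.g. samba_tool_member dc1.example.com user list
samba_tool_member() {
    dc=$1; shift
    if ! have_krb_ticket; then
        echo "no Kerberos ticket in cache; run: kinit Administrator" >&2
        return 1
    fi
    # -k yes forces Kerberos, as in the thread; newer Samba releases spell
    # the same thing --use-kerberos=required.
    samba-tool "$@" -H "$(member_ldap_url "$dc")" -k yes
}

# Only contact a DC when explicitly asked, so the file is safe to source.
if [ -n "${SAMBA_MEMBER_DC:-}" ]; then
    samba_tool_member "$SAMBA_MEMBER_DC" user list
fi
```

Run it as `SAMBA_MEMBER_DC=dc1.example.com sh samba-tool-member.sh` after `kinit Administrator`; the minimal `[global]` with `security = ADS`, `realm` and `workgroup` that Jason already has is all the smb.conf that samba-tool needs for this, and no smbd or winbindd has to be running on the member.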