Rowland penny
2020-Jul-23 18:45 UTC
[Samba] using samba-tool from a domain member other than the DC
On 23/07/2020 19:31, Jason Keltz via samba wrote:
> Hi Rowland,
>
> I'm running smbd on the DC. I want to be able to do things like
> adding a user, dns entry, etc. from my workstation without logging
> into the DC.
>
> I can't get samba-tool to work with Kerberos, or ldaps, etc.

As I said, I cannot get ldaps to work (yet), but:

rowland at devstation:~$ sudo samba-tool group add newgroup -H ldap://dc01.samdom.example.com -k yes
[sudo] password for rowland:
Added group newgroup

'devstation' isn't a DC ;-)

Rowland
Jason Keltz
2020-Jul-23 18:59 UTC
[Samba] using samba-tool from a domain member other than the DC
Hi Rowland,

ldap doesn't work for me either:

> % samba-tool user list -H ldap://dc01.samdom.example.com -k yes
> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://dc01.samdom.example.com' with backend
> 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> ERROR(ldb): uncaught exception - LDAP client internal error:
> NT_STATUS_INVALID_PARAMETER
>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/netcmd/__init__.py", line 185, in _run
>     return self.run(*args, **kwargs)
>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/netcmd/user.py", line 534, in run
>     samdb = SamDB(url=H, session_info=system_session(),
>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/samdb.py", line 65, in __init__
>     super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/__init__.py", line 115, in __init__
>     self.connect(url, flags, options)
>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/samdb.py", line 81, in connect
>     super(SamDB, self).connect(url=url, flags=flags,

That being said, I think I know why that doesn't work. It's because on the server, I haven't changed the default "ldap server require strong auth = Yes" to "No". That's because my team was very opposed to this option due to the security implications. We have other services authenticating via ldaps. Unfortunately, smb.conf won't let me enable "ldap server require strong auth" from only a certain IP.

So without the ability to use ldaps, I guess I can't use samba-tool from another host. This is unfortunate. :( Should I be submitting a bug report about ldaps not working?

Jason.

On 7/23/2020 2:45 PM, Rowland penny via samba wrote:
> On 23/07/2020 19:31, Jason Keltz via samba wrote:
>> Hi Rowland,
>>
>> I'm running smbd on the DC. I want to be able to do things like
>> adding a user, dns entry, etc. from my workstation without logging
>> into the DC.
>>
>> I can't get samba-tool to work with Kerberos, or ldaps, etc.
>
> As I said, I cannot get ldaps to work (yet), but:
>
> rowland at devstation:~$ sudo samba-tool group add newgroup -H
> ldap://dc01.samdom.example.com -k yes
> [sudo] password for rowland:
> Added group newgroup
>
> 'devstation' isn't a DC ;-)
>
> Rowland
Rowland penny
2020-Jul-23 19:15 UTC
[Samba] using samba-tool from a domain member other than the DC
On 23/07/2020 19:59, Jason Keltz via samba wrote:
> Hi Rowland,
>
> ldap doesn't work for me either:

It should.

>> % samba-tool user list -H ldap://dc01.samdom.example.com -k yes
>> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

What OS is this ?

You wrote this in earlier post:

I'm running smbd on the DC

What do you mean by that? On a DC, you should start the 'samba' daemon and this will start 'smbd' & 'winbind' for you

> That being said, I think I know why that doesn't work. It's because
> on the server, I haven't changed the default "ldap server require
> strong auth = Yes" to "No". That's because my team was very opposed
> to this option due to the security implications. We have other
> services authenticating via ldaps. Unfortunately, smb.conf won't let
> me enable "ldap server require strong auth" from only a certain IP.

It should work, even with 'ldap server require strong auth = no' (the default)

> So without the ability to use ldaps, I guess I can't use samba-tool
> from another host. This is unfortunate. :( Should I be submitting a
> bug report about ldaps not working?

Not yet, Can you tell us what OS you are using (on the DC and Unix client)

Can you post the smb.conf files from the DC and client.

Rowland
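The exchange above turns on what the DC-side option "ldap server require strong auth" actually refuses. The script below is an added example, not code from this thread or from the Samba project: it reads the option out of an smb.conf file and evaluates which kinds of LDAP bind the three values documented in smb.conf(5) for this Samba generation (no, allow_sasl_over_tls, yes) accept. The smb.conf fragment and the bind-type names (simple-ldap, simple-tls, sasl-plain, sasl-tls, sasl-signed) are constructed for the example. The practical point for a domain member is that the default "yes" still accepts a SASL bind that is signed or sealed, and Samba's LDAP client signs SASL-wrapped connections by default, so the Kerberos bind that samba-tool performs with "-k yes" falls into the accepted category without relaxing the DC setting.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: a small evaluator
# for the AD DC option "ldap server require strong auth" (smb.conf(5)).
# Documented values: no, allow_sasl_over_tls, yes (the default).

# Constructed smb.conf fragment for the demo (not the poster's real file).
SAMPLE_SMB_CONF=$(mktemp)
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    ldap server require strong auth = Yes
EOF

# strong_auth_setting FILE
# Prints the effective value (lower-cased) of "ldap server require strong auth"
# from an smb.conf file; the last occurrence wins, and the documented default
# "yes" is returned when the parameter is absent.
strong_auth_setting() {
    val=$(sed -n 's/^[[:space:]]*ldap server require strong auth[[:space:]]*=[[:space:]]*//p' "$1" \
          | sed 's/[[:space:]]*$//' | tail -n 1 | tr 'A-Z' 'a-z')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'yes\n'; fi
}

# bind_allowed SETTING BINDTYPE
# Prints "allowed" or "rejected". BINDTYPE (names constructed here) is one of:
#   simple-ldap   simple bind (cleartext password) over ldap:// without TLS
#   simple-tls    simple bind over ldaps:// or after StartTLS
#   sasl-plain    SASL bind (GSSAPI/NTLMSSP) with no signing/sealing, no TLS
#   sasl-tls      SASL bind with no signing/sealing, but over TLS
#   sasl-signed   SASL bind with signing or sealing negotiated
bind_allowed() {
    setting=$1; bind=$2
    case "$setting" in
        no)
            # Everything is accepted, including cleartext simple binds.
            echo allowed ;;
        allow_sasl_over_tls)
            # Simple binds need TLS; unsigned SASL is tolerated only over TLS.
            case "$bind" in
                simple-ldap|sasl-plain) echo rejected ;;
                simple-tls|sasl-tls|sasl-signed) echo allowed ;;
                *) echo "unknown bind type: $bind" >&2; return 2 ;;
            esac ;;
        yes)
            # Simple binds need TLS; SASL binds must sign or seal.
            case "$bind" in
                simple-tls|sasl-signed) echo allowed ;;
                simple-ldap|sasl-plain|sasl-tls) echo rejected ;;
                *) echo "unknown bind type: $bind" >&2; return 2 ;;
            esac ;;
        *)
            echo "unknown setting: $setting" >&2; return 2 ;;
    esac
}

# report FILE: walk every bind type against the setting found in FILE.
report() {
    setting=$(strong_auth_setting "$1")
    for bind in simple-ldap simple-tls sasl-plain sasl-tls sasl-signed; do
        printf 'setting=%s bind=%s -> %s\n' "$setting" "$bind" "$(bind_allowed "$setting" "$bind")"
    done
}

report "$SAMPLE_SMB_CONF"
rm -f "$SAMPLE_SMB_CONF"
```

Run it against a DC's real smb.conf by calling report with that path. One observation worth making before touching the DC setting: a bind the DC refuses under this option comes back as an LDAP bind error returned by the server, whereas the message quoted in the thread is labelled by samba-tool itself as an "LDAP client internal error", which points at the client side rather than at the strong-auth policy.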
Gregory Sloop
2020-Jul-23 19:20 UTC
[Samba] using samba-tool from a domain member other than the DC
Top posting.

Is this in freenas jail, perhaps? If so, I'd take a long hard look at the underlying environment.

Semi off-topic. FreeNAS on FreeBSD has a whole set of really weird issues, IMO. For example; I was trying to get rsync or rdiff-backup to run [not in a jail, but just in the base context] and performance was really terrible and it would bomb for larger file syncs to a remote Linux host. I thought there was some other problem - other than FN, but really couldn't find any logs or other detail that might explain why, easily. So, I simply powered up a Ubuntu VM on another box and attempted the same syncs - and performance was an order of magnitude greater. (IIRC, it might even have been TWO orders of magnitude. It was really massive, whatever the case.)

The more I've dug into FBSD and freenas, I've been continually frustrated at odd behavior and other issues. ...like [IIRC, it's been a while] the smbclient in FreeNAS doesn't support anything but SMB1 (which is almost useless, now). Sure there's ways around that, but they're all additional pain-points.

I'd resolved to moving away from FreeNAS entirely, some time ago - but see they're working to make the "community" edition run on, IIRC, debian based Linux. Perhaps that's likely to ease some of these issues. If so, I might re-consider. But it's far from a given.

[And this coming from the guy who ran a self-hosted web-server way back in the early-mid 90's on BSD. I knew absolutely nothing back then, but was impressed with BSD. So, it's not like I've got some kind of hidden hate for BSD.]

-Greg

JKvs> Hi Rowland,
JKvs> ldap doesn't work for me either:
>> % samba-tool user list -H ldap://dc01.samdom.example.com -k yes
>> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>> Failed to connect to 'ldap://dc01.samdom.example.com' with backend
>> 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>> ERROR(ldb): uncaught exception - LDAP client internal error:
>> NT_STATUS_INVALID_PARAMETER
>>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/netcmd/__init__.py", line 185, in _run
>>     return self.run(*args, **kwargs)
>>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/netcmd/user.py", line 534, in run
>>     samdb = SamDB(url=H, session_info=system_session(),
>>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/samdb.py", line 65, in __init__
>>     super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
>>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/__init__.py", line 115, in __init__
>>     self.connect(url, flags, options)
>>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/samdb.py", line 81, in connect
>>     super(SamDB, self).connect(url=url, flags=flags,
JKvs> That being said, I think I know why that doesn't work. It's because on
JKvs> the server, I haven't changed the default "ldap server require strong
JKvs> auth = Yes" to "No". That's because my team was very opposed to this
JKvs> option due to the security implications. We have other services
JKvs> authenticating via ldaps. Unfortunately, smb.conf won't let me enable
JKvs> "ldap server require strong auth" from only a certain IP.
JKvs> So without the ability to use ldaps, I guess I can't use samba-tool from
JKvs> another host. This is unfortunate. :( Should I be submitting a bug
JKvs> report about ldaps not working?
JKvs> Jason.
JKvs> On 7/23/2020 2:45 PM, Rowland penny via samba wrote:
>> On 23/07/2020 19:31, Jason Keltz via samba wrote:
>>> Hi Rowland,
>>> I'm running smbd on the DC. I want to be able to do things like
>>> adding a user, dns entry, etc. from my workstation without logging
>>> into the DC.
>>> I can't get samba-tool to work with Kerberos, or ldaps, etc.
>> As I said, I cannot get ldaps to work (yet), but:
>> rowland at devstation:~$ sudo samba-tool group add newgroup -H
>> ldap://dc01.samdom.example.com -k yes
>> [sudo] password for rowland:
>> Added group newgroup
>> 'devstation' isn't a DC ;-)
>> Rowland