Rowland penny
2020-Jul-23 19:15 UTC
[Samba] using samba-tool from a domain member other than the DC
On 23/07/2020 19:59, Jason Keltz via samba wrote:
> Hi Rowland,
>
> ldap doesn't work for me either:

It should.

>> % samba-tool user list -H ldap://dc01.samdom.example.com -k yes
>> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

What OS is this ?

You wrote this in an earlier post:

I'm running smbd on the DC

What do you mean by that?

On a DC, you should start the 'samba' daemon and this will start 'smbd' & 'winbind' for you

> That being said, I think I know why that doesn't work. It's because on the server, I haven't changed the default "ldap server require strong auth = Yes" to "No". That's because my team was very opposed to this option due to the security implications. We have other services authenticating via ldaps. Unfortunately, smb.conf won't let me enable "ldap server require strong auth" from only a certain IP.

It should work, even with 'ldap server require strong auth = no' (the default)

> So without the ability to use ldaps, I guess I can't use samba-tool from another host. This is unfortunate. :( Should I be submitting a bug report about ldaps not working?

Not yet, Can you tell us what OS you are using (on the DC and Unix client)

Can you post the smb.conf files from the DC and client.

Rowland
Jason Keltz
2020-Jul-23 19:36 UTC
[Samba] using samba-tool from a domain member other than the DC
Hi Rowland,

Sorry if my original email wasn't clear. On the dc, I'm running samba (I said smbd - my error) and winbind. I'm running CentOS 7.8 with a self-compiled Samba. That's actually all working perfectly.

krb5.conf:

[libdefaults]
        default_realm = AD.EECS.YORKU.CA
        dns_lookup_realm = false
        dns_lookup_kdc = true

smb.conf:

# Global parameters
[global]
        netbios name = <netbios name>
        realm = <realm address>
        workgroup = <workgroup name>
        dns forwarder = <dns forwarder ip>
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        interfaces = 127.0.0.1 <ip of server>
        bind interfaces only = yes

[netlogon]
        path = <my netlogon path>
        read only = no
        guest ok = no

[sysvol]
        path = <my sysvol path>
        read only = no
        guest ok = no

The client is another CentOS 7.8 machine. It's been joined to the domain using "realm join" and using the sssd ad module (no smbd). It has access to the identical Samba software from the DC. Likewise, it's working perfectly. I can login to the client, see all my users and groups from AD, etc.

On the client, I have the same krb5.conf as above. For smb.conf I have the following (I don't even really know if it's required but I highly suspect samba-tool is at least reading it):

[global]
        workgroup = <workgroup name>
        security = ADS
        realm = <realm server name>

I was under the impression that in order to use ldap:// URLs, on the DC smb.conf, you need to add "ldap server require strong auth = no". You said the default is no, but at least in my configuration on the server it is "yes":

# /xsys/pkg/samba/bin/testparm -v | grep strong
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

        ldap server require strong auth = Yes
        require strong key = Yes

I'm not permitted to set ldap server require strong auth = no. Ideally, samba-tool would work with ldaps, but if I can use samba-tool over ldap without having to set the require strong auth = no, then that would be great.

Jason.

On 7/23/2020 3:15 PM, Rowland penny via samba wrote:
> On 23/07/2020 19:59, Jason Keltz via samba wrote:
>> Hi Rowland,
>>
>> ldap doesn't work for me either:
> It should.
>>
>>> % samba-tool user list -H ldap://dc01.samdom.example.com -k yes
>>> Failed to bind - LDAP client internal error:
>>> NT_STATUS_INVALID_PARAMETER
>
> What OS is this ?
>
> You wrote this in earlier post:
>
> I'm running smbd on the DC
>
> What do you mean by that?
>
> On a DC, you should start the 'samba' daemon and this will start
> 'smbd' & 'winbind' for you
>
>> That being said, I think I know why that doesn't work. It's because
>> on the server, I haven't changed the default "ldap server require
>> strong auth = Yes" to "No". That's because my team was very opposed
>> to this option due to the security implications. We have other
>> services authenticating via ldaps. Unfortunately, smb.conf won't
>> let me enable "ldap server require strong auth" from only a certain IP.
> It should work, even with 'ldap server require strong auth = no' (the
> default)
>>
>> So without the ability to use ldaps, I guess I can't use samba-tool
>> from another host. This is unfortunate. :( Should I be submitting
>> a bug report about ldaps not working?
>
> Not yet, Can you tell us what OS you are using (on the DC and Unix
> client)
>
> Can you post the smb.conf files from the DC and client.
>
> Rowland
Rowland penny
2020-Jul-23 19:58 UTC
[Samba] using samba-tool from a domain member other than the DC
On 23/07/2020 20:36, Jason Keltz via samba wrote:
> On the client, I have the same krb5.conf as above. For smb.conf I have the following (I don't even really know if it's required but I highly suspect samba-tool is at least reading it):
>
> [global]
>         workgroup = <workgroup name>
>         security = ADS
>         realm = <realm server name>
>
> I was under the impression that in order to use ldap:// URLs, on the DC smb.conf, you need to add "ldap server require strong auth = no". You said the default is no, but at least in my configuration on the server it is "yes":

OOPS, senior moment there ;-) The 'no' should have been 'yes' and it still works for me ;-)

> I'm not permitted to set ldap server require strong auth = no. Ideally, samba-tool would work with ldaps, but if I can use samba-tool over ldap without having to set the require strong auth = no, then that would be great.

You should be able to use samba-tool with kerberos:

rowland at devstation:~$ samba-tool user list -H ldap://dc01.samdom.example.com -k yes -d5
< snipped for brevity >
Ticket in credentials cache for rowland at SAMDOM.EXAMPLE.COM will expire in 33327 secs
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
<LONG LIST OF USERS>

This is from a domain joined Unix client and 'rowland' has a valid kerberos ticket. The client is running nmbd, smbd and winbind.

You say that you are running sssd, we cannot help you with this, we do not produce sssd etc.

Rowland