samba - Jul 2020 - using samba-tool from a domain member other than the DC

On 23/07/2020 19:59, Jason Keltz via samba wrote:
> Hi Rowland,
>
> ldap doesn't work for me either:
It should.
>
>> % samba-tool user list -H ldap://dc01.samdom.example.com -k yes
>> Failed to bind - LDAP client internal error:
NT_STATUS_INVALID_PARAMETER
What OS is this ?

You wrote this in earlier post:

I'm running smbd on the? DC

What do you mean by that?

On a DC, you should start the 'samba' daemon and this will start
'smbd'
& 'winbind' for you
>>
> That being said, I think I know why that doesn't work.? It's
because
> on the server, I haven't changed the default "ldap server require 
> strong auth = Yes" to "No".? That's because my team was
very opposed
> to this option due to the security implications.? We have other 
> services authenticating via ldaps. ? Unfortunately, smb.conf won't let 
> me enable "ldap server require strong auth" from only a certain
IP.
It should work, even with 'ldap server require strong auth = no' (the 
default)
>
> So without the ability to use ldaps, I guess I can't use samba-tool 
> from another host.? This is unfortunate. :(?? Should I be submitting a 
> bug report about ldaps not working?
Not yet, Can you tell us what OS you are using (on the DC and Unix client)

Can you post the smb.conf files from the DC and client.

Rowland

HI Rowland,

Sorry if my original email wasn't clear.

On the dc, I'm running samba (I said smbd - my error) and winbind .? I'm
running CentOS 7.8 with a self-compiled Samba.? That's actually all 
working perfectly.

krb5.conf:

[libdefaults]
 ??????? default_realm = AD.EECS.YORKU.CA
 ??????? dns_lookup_realm = false
 ??????? dns_lookup_kdc = true

smb.conf:

# Global parameters
[global]
 ??????? netbios name = <netbios name>
 ??????? realm = <realm address>
 ??????? workgroup = <workgroup name>
 ??????? dns forwarder = <dns forwarder ip>
 ??????? server role = active directory domain controller
 ??????? idmap_ldb:use rfc2307 = yes
 ??????? interfaces = 127.0.0.1 <ip of server>
 ??????? bind interfaces only = yes

[netlogon]
 ??????? path = <my netlogon path>
 ??????? read only = no
 ??????? guest ok = no

[sysvol]
 ??????? path = <my sysvol path>
 ??????? read only = no
 ??????? guest ok = no

The client is another CentOS 7.8 machine.? It's been joined to the 
domain using "realm join" and using sssd ad module (no smbd).?? It has
access to the identical Samba software from the DC.? Likewise, it's 
working perfectly.? I can login to the client, see all my users and 
groups from AD, etc.

On the client, I have the same krb5.conf as above.? For smb.conf I have 
the following (I don't even really know if it's required but I highly 
suspect samba-tool is at least reading it):

[global]
 ??????? workgroup =<workgroup name>
 ??????? security = ADS
 ??????? realm = <realm server name>

I was under the impression that in order to use ldap:// URLs, on the DC 
smb.conf, you need to add "ldap server require strong auth = no".? You
said the default is no, but at least in my configuration on the server 
it is "yes":

# /xsys/pkg/samba/bin/testparm -v | grep strong
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

 ??????? ldap server require strong auth = Yes
 ??????? require strong key = Yes

I'm not permitted to set ldap server require strong auth = no. Ideally, 
samba-tool would work with ldaps, but if I can use samba-tool over ldap 
without having to set the require strong auth = no, then that would be 
great.

Jason.

On 7/23/2020 3:15 PM, Rowland penny via samba wrote:
> On 23/07/2020 19:59, Jason Keltz via samba wrote:
>> Hi Rowland,
>>
>> ldap doesn't work for me either:
> It should.
>>
>>> % samba-tool user list -H ldap://dc01.samdom.example.com -k yes
>>> Failed to bind - LDAP client internal error: 
>>> NT_STATUS_INVALID_PARAMETER
>
> What OS is this ?
>
> You wrote this in earlier post:
>
> I'm running smbd on the? DC
>
> What do you mean by that?
>
> On a DC, you should start the 'samba' daemon and this will start 
> 'smbd' & 'winbind' for you
>
>>>
>> That being said, I think I know why that doesn't work.? It's
because
>> on the server, I haven't changed the default "ldap server
require
>> strong auth = Yes" to "No".? That's because my team
was very opposed
>> to this option due to the security implications.? We have other 
>> services authenticating via ldaps. ? Unfortunately, smb.conf won't 
>> let me enable "ldap server require strong auth" from only a
certain IP.
> It should work, even with 'ldap server require strong auth = no'
(the
> default)
>>
>> So without the ability to use ldaps, I guess I can't use samba-tool
>> from another host.? This is unfortunate. :(?? Should I be submitting 
>> a bug report about ldaps not working?
>
> Not yet, Can you tell us what OS you are using (on the DC and Unix 
> client)
>
> Can you post the smb.conf files from the DC and client.
>
> Rowland
>
>
>
>

On 23/07/2020 20:36, Jason Keltz via samba wrote:
>
>
>
> On the client, I have the same krb5.conf as above.? For smb.conf I 
> have the following (I don't even really know if it's required but I
> highly suspect samba-tool is at least reading it):
>
> [global]
> ??????? workgroup =<workgroup name>
> ??????? security = ADS
> ??????? realm = <realm server name>
>
> I was under the impression that in order to use ldap:// URLs, on the 
> DC smb.conf, you need to add "ldap server require strong auth =
no".?
> You said the default is no, but at least in my configuration on the 
> server it is "yes":
OOPS, senior moment there ;-)

The 'no' should have been 'yes' and it still works for me ;-)
>
> I'm not permitted to set ldap server require strong auth = no. 
> Ideally, samba-tool would work with ldaps, but if I can use samba-tool 
> over ldap without having to set the require strong auth = no, then 
> that would be great.
You should be able to use samba-tool with kerberos:

rowland at devstation:~$ samba-tool user list -H 
ldap://dc01.samdom.example.com -k yes -d5
< snipped for brevity >
Ticket in credentials cache for rowland at SAMDOM.EXAMPLE.COM will expire 
in 33327 secs
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
<LONG LIST OF USERS>

This is from a domain joined Unix client and 'rowland' has a valid 
kerberos ticket.

The client is running nmbd, smbd and winbind.

You say that you are running sssd, we cannot help you with this, we do 
not produce sssd etc.

Rowland