[Samba] Ldapsearch against Samba 4

Andrew Bartlett abartlet at samba.org
Tue Apr 19 01:29:36 UTC 2016


On Tue, 2016-04-19 at 10:29 +1000, John Gardeniers wrote:
> I'm setting up a test domain in order to try out Sudoers LDAP and have
> run into a problem that has me puzzled. On our production domain I can
> run a query such as:
> 
> ldapsearch  -LLL -p389 -h DC -u me@ourdomain.com.au -W -X -LLL -b 
> "dc=ourdomain,dc=com,dc=au" -s sub
> 
> However, running an equivalent search on a freshly installed test
> domain, using the exact same version of Samba and the same smb.conf
> (with appropriate domain adjustments), I get the following error:
> 
> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
>      additional info: SASL:[NTLM]: Sign or Seal are required.
> 
> I believe this is the problem behind sssd not working on the test domain
> client, which I need to get working before I can proceed.
> 
> To the best of my recollection, we have never done anything special to
> the production domain to allow such queries. What have I missed?

With the latest (4.4.{1,2}, 4.3.{7,8} and 4.2.{10,11}) releases, we
require that the LDAP session be cryptographically signed, not just set
up securely, so as to prevent MITM attacks on the subsequent data
stream.

This is controlled by "ldap server require strong auth".

ldapsearch should be doing this for you, but I can't see any extra
options to suggest in the manpage.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
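To see which situation a given DC is in before touching clients, here is an added audit script (not from this thread and not Samba's own code) that reads the [global] section of an smb.conf and reports the effective value of "ldap server require strong auth". It assumes the parameter's documented values (no, allow_sasl_over_tls, yes) with yes as the default when the line is absent, and that Samba matches parameter names ignoring case and whitespace.

```python
"""Audit smb.conf for 'ldap server require strong auth' (added example)."""
import re

PARAM = "ldapserverrequirestrongauth"   # name with case and spaces removed
DEFAULT = "yes"                         # assumed default when the line is absent

# What each value allows, from a defender's point of view.
MEANING = {
    "yes": "SASL binds must negotiate sign or seal; unsigned NTLM binds are "
           "rejected, so the LDAP data stream resists MITM tampering",
    "allow_sasl_over_tls": "unsigned SASL binds accepted only inside TLS "
                           "(ldaps:// or StartTLS), plain-port binds rejected",
    "no": "unsigned SASL binds accepted on plain LDAP; the data stream is "
          "open to MITM (the pre-4.4.1/4.3.7/4.2.10 behaviour)",
}


def _normalise(name):
    """Mimic Samba's parameter matching: drop whitespace, ignore case."""
    return re.sub(r"\s+", "", name).lower()


def require_strong_auth(smb_conf_text):
    """Return the effective value of 'ldap server require strong auth'."""
    value = DEFAULT
    section = None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:                                # new section header
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue                         # global-only parameter
        key, _, val = line.partition("=")
        if _normalise(key) == PARAM:
            value = val.strip().lower()      # last assignment wins
    return value


def audit(smb_conf_text):
    """Return (value, explanation) for the given smb.conf text."""
    value = require_strong_auth(smb_conf_text)
    return value, MEANING.get(value, "unrecognised value; check smb.conf(5)")


# Constructed sample configs: an upgraded DC that kept the old behaviour
# and a freshly installed test DC that relies on the default.
UPGRADED_CONF = "[global]\n  realm = OURDOMAIN.COM.AU\n" \
                "  ldap server require strong auth = no\n"
FRESH_CONF = "[global]\n  realm = TEST.EXAMPLE.COM\n"

if __name__ == "__main__":
    for name, conf in (("upgraded", UPGRADED_CONF), ("fresh", FRESH_CONF)):
        print(name, *audit(conf))
```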