[Samba] Ldapsearch against Samba 4

John Gardeniers jgardeniers at objectmastery.com
Tue Apr 19 01:36:44 UTC 2016

Hi Andrew,

I don't understand why 2 systems running the exact same version of Samba 
have different behaviour. Is this an option I can disable?


On 19/04/16 11:29, Andrew Bartlett wrote:
> On Tue, 2016-04-19 at 10:29 +1000, John Gardeniers wrote:
>> I'm setting up a test domain in order to try out Sudoers LDAP and
>> have run into a problem that has me puzzled. On our production
>> domain I can run a query such as:
>> ldapsearch  -LLL -p389 -h DC -u me at ourdomain.com.au -W -X -LLL -b
>> "dc=ourdomain,dc=com,dc=au" -s sub
>> However, running an equivalent search on a freshly installed test
>> domain, using the exact same version of Samba and the same smb.conf
>> (with appropriate domain adjustments), I get the following error:
>> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
>>       additional info: SASL:[NTLM]: Sign or Seal are required.
>> I believe this is the problem behind sssd not working on the test
>> domain client, which I need to get working before I can proceed.
>> To the best of my recollection, we have never done anything special
>> to the production domain to allow such queries. What have I missed?
> With the latest (4.4.{1,2}, 4.3.{7,8} and 4.2.{10,11}) releases, we
> require that the LDAP session be cryptographically signed, not just set
> up securely, so as to prevent MITM attacks on the subsequent data
> stream.
> This is controlled by "ldap server require strong auth".
> ldapsearch should be doing this for you, but I can't see any extra
> options to suggest in the manpage.
> Sorry,
> Andrew Bartlett
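
Added example (not part of the original thread, and not Samba project code): a small checker that reads an smb.conf and reports the effective value of "ldap server require strong auth", the option named in the reply above, so two domain controllers can be compared. It assumes the values and default documented in smb.conf(5) (no, allow_sasl_over_tls, yes; default yes); the two sample configurations are constructed, and include directives are not followed.

```python
import re

PARAM = "ldapserverrequirestrongauth"  # parameter name with case and spaces removed
DEFAULT = "yes"                        # assumed default, per smb.conf(5)
VERDICTS = {
    "yes": "strong: SASL binds need sign or seal; simple binds only over TLS",
    "allow_sasl_over_tls": "relaxed: unsigned SASL binds accepted inside TLS",
    "no": "weak: simple and unsigned SASL binds accepted on all transports",
}

# Constructed sample configurations (hypothetical DCs, not taken from the thread).
DC_A = """[global]
    server role = active directory domain controller
    LDAP Server Require  Strong Auth = No
"""
DC_B = """[global]
    server role = active directory domain controller
"""

def effective_strong_auth(conf_text):
    """Return the [global] value of the option, or the default if it is unset."""
    section, value, pending = "", DEFAULT, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        name, sep, val = line.partition("=")
        # smb.conf ignores case and whitespace inside parameter names
        if sep and section == "global" and re.sub(r"\s+", "", name).lower() == PARAM:
            value = val.strip().lower()    # the last assignment wins
    return value

def audit(conf_text):
    """Return (value, verdict) for one smb.conf text."""
    value = effective_strong_auth(conf_text)
    return value, VERDICTS.get(value, "unrecognized value; confirm with testparm")

if __name__ == "__main__":
    for label, conf in (("dc-a", DC_A), ("dc-b", DC_B)):
        print(label, *audit(conf), sep=": ")
```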
