[Samba] Ldapsearch against Samba 4
John Gardeniers
jgardeniers at objectmastery.com
Tue Apr 19 01:36:44 UTC 2016
Hi Andrew,
I don't understand why 2 systems running the exact same version of Samba
have different behaviour. Is this an option I can disable?
regards,
John
On 19/04/16 11:29, Andrew Bartlett wrote:
> On Tue, 2016-04-19 at 10:29 +1000, John Gardeniers wrote:
>> I'm setting up a test domain in order to try out Sudoers LDAP and
>> have
>> run into a problem that has my puzzled. On our production domain I
>> can
>> run a query such as:
>>
>> ldapsearch -LLL -p389 -h DC -u me at ourdomain.com.au -W -X -LLL -b
>> "dc=ourdomain,dc=com,dc=au" -s sub
>>
>> However, running an equivalent search on a freshly installed test
>> domain, using the exact same version of Samba and the same smb.conf
>> (with appropriate domain adjustments), I get the following error:
>>
>> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
>> additional info: SASL:[NTLM]: Sign or Seal are required.
>>
>> I believe this is the problem behind sssd not working on the test
>> domain
>> client, which I need to get working before I can proceed.
>>
>> To the best of my recollection, we have never done anything special
>> to
>> the production domain to allow such queries. What have I missed?
> With the latest (4.4.{1,2}, 4.3.{7,8} and 4.2.{10,11}) releases, we
> require that the LDAP session be cryptographically signed, not just set
> up securely, so as to prevent MITM attacks on the subsequent data
> stream.
>
> This is controlled by "ldap server require strong auth".
>
> ldapsearch should be doing this for you, but I can't see any extra
> options to suggest in the manpage.
>
> Sorry,
>
> Andrew Bartlett
>
More information about the samba
mailing list