[Samba] Ldapsearch against Samba 4

mathias dufresne infractory at gmail.com
Tue Apr 19 08:09:38 UTC 2016


testparm -v | grep 'ldap serve'
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.

Press enter to see a dump of your service definitions

        ldap server require strong auth = Yes

Here I would try to set:
        ldap server require strong auth = No
in smb.conf.

2016-04-19 3:36 GMT+02:00 John Gardeniers <jgardeniers at objectmastery.com>:

> Hi Andrew,
> I don't understand why 2 systems running the exact same version of Samba
> have different behaviour. Is this an option I can disable?
> regards,
> John
> On 19/04/16 11:29, Andrew Bartlett wrote:
>> On Tue, 2016-04-19 at 10:29 +1000, John Gardeniers wrote:
>>> I'm setting up a test domain in order to try out Sudoers LDAP and have
>>> run into a problem that has me puzzled. On our production domain I can
>>> run a query such as:
>>> ldapsearch -LLL -p389 -h DC -u me at ourdomain.com.au -W -X -LLL -b "dc=ourdomain,dc=com,dc=au" -s sub
>>> However, running an equivalent search on a freshly installed test
>>> domain, using the exact same version of Samba and the same smb.conf
>>> (with appropriate domain adjustments), I get the following error:
>>> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
>>>       additional info: SASL:[NTLM]: Sign or Seal are required.
>>> I believe this is the problem behind sssd not working on the test domain
>>> client, which I need to get working before I can proceed.
>>> To the best of my recollection, we have never done anything special to
>>> the production domain to allow such queries. What have I missed?
>> With the latest (4.4.{1,2}, 4.3.{7,8} and 4.2.{10,11}) releases, we
>> require that the LDAP session be cryptographically signed, not just set
>> up securely, so as to prevent MITM attacks on the subsequent data
>> stream.
>> This is controlled by "ldap server require strong auth".
>> ldapsearch should be doing this for you, but I can't see any extra
>> options to suggest in the manpage.
>> Sorry,
>> Andrew Bartlett
