[Samba] Ldapsearch against Samba 4

Rowland penny rpenny at samba.org
Tue Apr 19 08:30:33 UTC 2016

On 19/04/16 01:29, John Gardeniers wrote:
> I'm setting up a test domain in order to try out Sudoers LDAP and have 
> run into a problem that has me puzzled. On our production domain I can 
> run a query such as:
> ldapsearch -LLL -p389 -h DC -u me@ourdomain.com.au -W -X -LLL -b "dc=ourdomain,dc=com,dc=au" -s sub

Try using ldbsearch instead:

ldbsearch -H ldap://dc1 -Ume -b "dc=ourdomain,dc=com,dc=au" -s sub

Or with Kerberos (run kinit & klist to get the correct ticket cache):

ldbsearch -H ldap://DC -Ume -k yes --krb5-ccache=/tmp/krb5cc_10000_VzsXW8 -b "dc=ourdomain,dc=com,dc=au" -s sub

> However, running an equivalent search on a freshly installed test 
> domain, using the exact same version of Samba and the same smb.conf 
> (with appropriate domain adjustments), I get the following error:
> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
>     additional info: SASL:[NTLM]: Sign or Seal are required.
> I believe this is the problem behind sssd not working on the test 
> domain client, which I need to get working before I can proceed.

You do know that you don't need to use sssd to get sudo working with AD, 
don't you?


> To the best of my recollection, we have never done anything special to 
> the production domain to allow such queries. What have I missed?
> regards,
> John
