[Samba] Ldapsearch against Samba 4

mathias dufresne infractory at gmail.com
Tue Apr 19 14:41:36 UTC 2016

First of all SSSD, Winbind and nslcd are used by PAM which is a system tool.

LDAP is a network protocol, no need of working SSSD/Winbind/coffeeMachine.
You don't even need the client is joined to the domain. Your smartphone
would do if you get ldap client on it.

Here: samba as DC, version is 4.4.2.
"ldap server require strong auth" is set to "Yes" (default value actually)

The following ldapsearch is working.

Here is the command I use to deal with my DC using ldapsearch, ldapmodify
and others. Only few things change between these tools, they come from same

ldapsearch -h DC034 \
 -D "CN=Administrator,CN=Users,DC=ad,DC=domain,DC=tld" \
 -w "securePass?" \
 -b "DC=ad,DC=domain,DC=tld" \
 -s sub \
 -x -ZZ -LLL \
 "(cn=administrator)" dn sAMAccountName

Last line is the search pattern + filters.
Just before last line is how ldapsearch would authenticate against the LDAP
Before: no need to explain.

2016-04-19 10:30 GMT+02:00 Rowland penny <rpenny at samba.org>:

> On 19/04/16 01:29, John Gardeniers wrote:
>> I'm setting up a test domain in order to try out Sudoers LDAP and have
>> run into a problem that has my puzzled. On our production domain I can run
>> a query such as:
>> ldapsearch  -LLL -p389 -h DC -u me at ourdomain.com.au -W -X -LLL -b
>> "dc=ourdomain,dc=com,dc=au" -s sub
> Try using ldbsearch instead:
> ldbsearch -H ldap://dc1 -Ume -b "dc=ourdomain,dc=com,dc=au" -s sub
> Or with kerberos (run kinit & klist to get correct ticket cache)
> ldbsearch -H ldap://DC -Ume -k yes --krb5-ccache=/tmp/krb5cc_10000_VzsXW8
> -b "dc=ourdomain,dc=com,dc=au" -s sub
> However, running an equivalent search on a freshly installed test domain,
>> using the exact same version of Samba and the same smb.conf (with
>> appropriate domain adjustments), I get the following error:
>> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
>>     additional info: SASL:[NTLM]: Sign or Seal are required.
>> I believe this is the problem behind sssd not working on the test domain
>> client, which I need to get working before I can proceed.
> You do know that you don't need to use sssd to get sudo working with AD,
> don't you ?
> Rowland
> To the best of my recollection, we have never done anything special to the
>> production domain to allow such queries. What have I missed?
>> regards,
>> John
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list