[Samba] Ldapsearch against Samba 4
infractory at gmail.com
Tue Apr 19 14:41:36 UTC 2016
First of all, SSSD, Winbind and nslcd are used by PAM, which is a system tool.
LDAP is a network protocol; no need for a working SSSD/Winbind/coffeeMachine.
You don't even need the client to be joined to the domain. Your smartphone
would do if you get an LDAP client on it.
Here: samba as DC, version is 4.4.2.
"ldap server require strong auth" is set to "Yes" (default value actually)
The following ldapsearch works.
Here is the command I use to deal with my DC using ldapsearch, ldapmodify
and others. Only a few things change between these tools; they come from the same
ldapsearch -h DC034 \
-D "CN=Administrator,CN=Users,DC=ad,DC=domain,DC=tld" \
-w "securePass?" \
-b "DC=ad,DC=domain,DC=tld" \
-s sub \
-x -ZZ -LLL \
"(cn=administrator)" dn sAMAccountName
The last line is the search pattern + filters.
Just before the last line is how ldapsearch would authenticate against the LDAP
Before: no need to explain.
2016-04-19 10:30 GMT+02:00 Rowland penny <rpenny at samba.org>:
> On 19/04/16 01:29, John Gardeniers wrote:
>> I'm setting up a test domain in order to try out Sudoers LDAP and have
>> run into a problem that has me puzzled. On our production domain I can run
>> a query such as:
>> ldapsearch -LLL -p389 -h DC -u me at ourdomain.com.au -W -X -LLL -b
>> "dc=ourdomain,dc=com,dc=au" -s sub
> Try using ldbsearch instead:
> ldbsearch -H ldap://dc1 -Ume -b "dc=ourdomain,dc=com,dc=au" -s sub
> Or with kerberos (run kinit & klist to get correct ticket cache)
> ldbsearch -H ldap://DC -Ume -k yes --krb5-ccache=/tmp/krb5cc_10000_VzsXW8
> -b "dc=ourdomain,dc=com,dc=au" -s sub
>> However, running an equivalent search on a freshly installed test domain,
>> using the exact same version of Samba and the same smb.conf (with
>> appropriate domain adjustments), I get the following error:
>> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
>> additional info: SASL:[NTLM]: Sign or Seal are required.
>> I believe this is the problem behind sssd not working on the test domain
>> client, which I need to get working before I can proceed.
> You do know that you don't need to use sssd to get sudo working with AD,
> don't you ?
>> To the best of my recollection, we have never done anything special to the
>> production domain to allow such queries. What have I missed?
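An added example, not from the thread or from the Samba project: a small POSIX sh wrapper that only ever binds in a way a DC with "ldap server require strong auth = Yes" accepts (simple bind under mandatory StartTLS, or Kerberos SASL/GSSAPI), and that recognises the "Strong(er) authentication required" / "Sign or Seal are required" error quoted above. The host DC034 and base DN DC=ad,DC=domain,DC=tld are taken from the message; the function names and the `DC_HOST`/`BASE_DN` variables are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's own commands). Host and base DN default to
# the values used in the message; override them via the environment.
DC_HOST="${DC_HOST:-DC034}"                     # assumption: DC hostname
BASE_DN="${BASE_DN:-DC=ad,DC=domain,DC=tld}"    # assumption: domain base DN

# Classify ldapsearch stderr. Prints one word:
#   strong-auth  DC enforces "ldap server require strong auth" and the bind
#                was neither TLS-protected nor SASL-signed/sealed (e.g. NTLM)
#   tls          StartTLS (-ZZ) could not be negotiated (cert/CA problem)
#   ok           no bind problem recognised in the text
ldap_bind_hint() {
  case "$1" in
    *"Strong(er) authentication required"*|*"Sign or Seal are required"*)
      echo strong-auth ;;
    *"ldap_start_tls"*|*"TLS"*)
      echo tls ;;
    *) echo ok ;;
  esac
}

# Simple bind over StartTLS: -ZZ makes TLS mandatory, so the password never
# travels in the clear and the DC counts the bind as "strong".
search_starttls() {   # $1 = bind DN, $2 = filter
  ldapsearch -H "ldap://$DC_HOST" -ZZ -x -LLL \
    -D "$1" -W -b "$BASE_DN" -s sub "$2" dn sAMAccountName
}

# Kerberos SASL/GSSAPI bind (run kinit first): no password is sent and the
# session is signed/sealed, which also satisfies the strong-auth setting.
search_gssapi() {     # $1 = filter
  ldapsearch -H "ldap://$DC_HOST" -Y GSSAPI -LLL \
    -b "$BASE_DN" -s sub "$1" dn sAMAccountName
}

# Run one of the searches and turn a failed bind into actionable advice.
run_search() {
  err=$("$@" 2>&1 >/dev/null) && return 0
  case "$(ldap_bind_hint "$err")" in
    strong-auth) echo "bind rejected: use -ZZ (StartTLS) or -Y GSSAPI" >&2 ;;
    tls)         echo "StartTLS failed: check TLS_CACERT in ldap.conf" >&2 ;;
    *)           echo "$err" >&2 ;;
  esac
  return 1
}
```

Usage: `run_search search_starttls "CN=Administrator,CN=Users,$BASE_DN" "(cn=administrator)"` or, after `kinit`, `run_search search_gssapi "(cn=administrator)"`.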