[Samba] Ldapsearch against Samba 4

John Gardeniers jgardeniers at objectmastery.com
Tue Apr 19 21:24:08 UTC 2016


Hi Mathias,

Thank you. Although my smb.conf had no entry for ldap, adding "ldap server require strong auth = No" did indeed fix the problem.

regards,
John


On 19/04/16 18:09, mathias dufresne wrote:
> Hi,
>
> testparm -v | grep 'ldap serve'
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Press enter to see a dump of your service definitions
>
>          ldap server require strong auth = Yes
>
> Here I would try to set :
>          ldap server require strong auth = No
> in smb.conf.
>
>
> 2016-04-19 3:36 GMT+02:00 John Gardeniers <jgardeniers at objectmastery.com>:
>
>> Hi Andrew,
>>
>> I don't understand why 2 systems running the exact same version of Samba
>> have different behaviour. Is this an option I can disable?
>>
>> regards,
>> John
>>
>>
>>
>> On 19/04/16 11:29, Andrew Bartlett wrote:
>>
>>> On Tue, 2016-04-19 at 10:29 +1000, John Gardeniers wrote:
>>>
>>>> I'm setting up a test domain in order to try out Sudoers LDAP and have
>>>> run into a problem that has me puzzled. On our production domain I can
>>>> run a query such as:
>>>>
>>>> ldapsearch -LLL -p389 -h DC -u me at ourdomain.com.au -W -X -LLL -b "dc=ourdomain,dc=com,dc=au" -s sub
>>>>
>>>> However, running an equivalent search on a freshly installed test
>>>> domain, using the exact same version of Samba and the same smb.conf
>>>> (with appropriate domain adjustments), I get the following error:
>>>>
>>>> ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
>>>>        additional info: SASL:[NTLM]: Sign or Seal are required.
>>>>
>>>> I believe this is the problem behind sssd not working on the test domain
>>>> client, which I need to get working before I can proceed.
>>>>
>>>> To the best of my recollection, we have never done anything special to
>>>> the production domain to allow such queries. What have I missed?
>>>>
>>> With the latest (4.4.{1,2}, 4.3.{7,8} and 4.2.{10,11}) releases, we
>>> require that the LDAP session be cryptographically signed, not just set
>>> up securely, so as to prevent MITM attacks on the subsequent data
>>> stream.
>>>
>>> This is controlled by "ldap server require strong auth".
>>>
>>> ldapsearch should be doing this for you, but I can't see any extra
>>> options to suggest in the manpage.
>>>
>>> Sorry,
>>>
>>> Andrew Bartlett
>>>
>>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
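The workaround accepted above (setting "ldap server require strong auth = No") turns off the protection Andrew describes for every LDAP client of the DC, not just for one ldapsearch: it once again accepts SASL binds with no signing or sealing, and cleartext simple binds over plain ldap://, which is exactly the man-in-the-middle exposure the 4.4.1 / 4.3.7 / 4.2.10 releases closed. The error in the thread is triggered on the client side: the cyrus-sasl NTLM mechanism cannot negotiate a security layer, so the server refuses it. A client that uses GSSAPI (Kerberos) instead negotiates signing or sealing and works with the default setting kept, for example `kinit me@OURDOMAIN.COM.AU` followed by `ldapsearch -Y GSSAPI -H ldap://dc.ourdomain.com.au -b "dc=ourdomain,dc=com,dc=au" -s sub`, or Samba's own `ldbsearch -H ldap://dc -U me@ourdomain.com.au`; for sssd the equivalent is `ldap_sasl_mech = GSSAPI` in sssd.conf. The following added example, which is not part of the original thread or of the Samba project, audits an smb.conf for this parameter the way a reviewer would before signing off on the change: it reads the effective value (Samba treats the parameter name as case- and whitespace-insensitive and defaults it to "yes" when absent, which is why testparm -v reported "Yes" for a file with no ldap entry) and flags the weak settings. The three smb.conf fragments are constructed for the example; the three documented values (no, allow_sasl_over_tls, yes) are those of the parameter introduced in the releases named above.

```shell
#!/bin/sh
# Added example: audit "ldap server require strong auth" in smb.conf text.
# The smb.conf fragments below are constructed for this example; they are not
# the configuration from the thread.

SMBCONF_WEAK='[global]
    workgroup = TEST
    realm = TEST.EXAMPLE.COM
    server role = active directory domain controller
    # the workaround from the thread: disables sign/seal enforcement for LDAP
    ldap server require strong auth = No
'

SMBCONF_HARDENED='[global]
    workgroup = TEST
    realm = TEST.EXAMPLE.COM
    server role = active directory domain controller
    # the default since the 2016 security releases: SASL must sign or seal
    ldap server require strong auth = yes
'

# No ldap entry at all, like the test domain before the workaround was added.
SMBCONF_UNSET='[global]
    workgroup = TEST
    server role = active directory domain controller
'

# strong_auth_setting <smb.conf text>
# Prints the effective value of "ldap server require strong auth", lowercased.
# The key is matched case-insensitively with all whitespace removed, which is
# how Samba itself canonicalises parameter names; a missing key yields the
# built-in default "yes". The last occurrence wins, as in smb.conf.
strong_auth_setting() {
    printf '%s\n' "$1" | awk -F= '
        /^[[:space:]]*[#;]/ { next }                 # skip comment lines
        NF >= 2 {
            key = tolower($1); gsub(/[[:space:]]/, "", key)
            if (key == "ldapserverrequirestrongauth") {
                val = tolower($2)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                result = val
            }
        }
        END { print (result == "" ? "yes" : result) }'
}

# strong_auth_verdict <smb.conf text>
# Classifies the effective value against the three documented settings.
strong_auth_verdict() {
    case "$(strong_auth_setting "$1")" in
        yes)
            echo "ok: SASL binds must sign or seal, simple binds need TLS" ;;
        allow_sasl_over_tls)
            echo "weak: unsigned SASL accepted when the session is TLS-wrapped" ;;
        no)
            echo "WEAK: unsigned SASL and cleartext simple binds accepted" ;;
        *)
            echo "unknown: unrecognised value, check testparm -v" ;;
    esac
}

# Stand-alone run: show the verdict for each constructed fragment.
for name in SMBCONF_WEAK SMBCONF_HARDENED SMBCONF_UNSET; do
    eval "conf=\$$name"
    printf '%-17s %s\n' "$name:" "$(strong_auth_verdict "$conf")"
done
```

Running the script prints one line per fragment; the point to take from it is that an smb.conf with no ldap entry is already in the hardened state (the "Yes" testparm showed), so the setting that "fixed the problem" is a downgrade that should be paired with a plan to move the clients to GSSAPI or ldaps:// and then removed.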