[Samba] ldb-tools and ldaps after badlock

Andrew Bartlett abartlet at samba.org
Sat Jun 11 20:07:35 UTC 2016

On Fri, 2016-06-10 at 19:37 +0200, Stefan Kania wrote:
> Hello everybody,
> since the patch for all the badlock bugs it is not possible to access
> a Samba 4 ADDC-database with ldb-tools. Everytime I try it, I get the
> following error:


> When I add:
> ----------------------
> tls verify peer = no_check
> ----------------------
> to smb.conf I will get the following error:
> root at addc-02:~# ldbsearch -H ldaps://addc-02.example2.net -U
> administrat
> or
> Password for [EXAMPLE2\administrator]:
> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -
> <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
> Failed to connect to 'ldaps://addc-02.example2.net' with backend
> 'ldaps': (null)
> Failed to connect to ldaps://addc-02.example2.net - (null)
> Only If I put the line
> --------------
> ldap server require strong auth = no
> ---------------
> to smb.conf, everything is workin again. BUT as I understand these
> two
> paramters, I will go back to the old behavior and a man in the middle
> attack ist possible.
> Is there a solution to keep the securtiy high AND still use the ldb
> -tool
> s?
> I couldn't find anything in any documentation.

Just don't use ldaps://, instead use Kerberos (-k yes).  I know it
seems strange, but direct encryption with Kerberos is more secure than

Therefore, we only accept simple binds over ldaps:// by default.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list