[Samba] using samba-tool from a domain member other than the DC

Jason Keltz jas at eecs.yorku.ca
Thu Jul 23 18:59:26 UTC 2020

Hi Rowland,

ldap doesn't work for me either:

> % samba-tool user list -H ldap://dc01.samdom.example.com -k yes
> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> Failed to connect to 'ldap://dc01.samdom.example.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> ERROR(ldb): uncaught exception - LDAP client internal error: 
>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/netcmd/__init__.py", line 185, in _run
>     return self.run(*args, **kwargs)
>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/netcmd/user.py", line 534, in run
>     samdb = SamDB(url=H, session_info=system_session(),
>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/samdb.py", line 65, in __init__
>     super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/__init__.py", line 115, in __init__
>     self.connect(url, flags, options)
>   File "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/samdb.py", line 81, in connect
>     super(SamDB, self).connect(url=url, flags=flags,
That being said, I think I know why that doesn't work.  It's because on 
the server, I haven't changed the default "ldap server require strong 
auth = Yes" to "No".  That's because my team was very opposed to this 
option due to the security implications.  We have other services 
authenticating via ldaps. Unfortunately, smb.conf won't let me enable 
"ldap server require strong auth" from only a certain IP.

So without the ability to use ldaps, I guess I can't use samba-tool from 
another host. This is unfortunate. :( Should I be submitting a bug 
report about ldaps not working?


On 7/23/2020 2:45 PM, Rowland penny via samba wrote:
> On 23/07/2020 19:31, Jason Keltz via samba wrote:
>> Hi Rowland,
>> I'm running smbd on the DC.  I want to be able to do things like 
>> adding a user, dns entry, etc. from my workstation without logging 
>> into the DC.
>> I can't get samba-tool to work with Kerberos, or ldaps, etc.
> As I said, I cannot get ldaps to work (yet), but:
> rowland at devstation:~$ sudo samba-tool group add newgroup -H 
> ldap://dc01.samdom.example.com -k yes
> [sudo] password for rowland:
> Added group newgroup
> 'devstation' isn't a DC ;-)
> Rowland