[Samba] using samba-tool from a domain member other than the DC

Rowland penny rpenny at samba.org
Thu Jul 23 19:15:24 UTC 2020

On 23/07/2020 19:59, Jason Keltz via samba wrote:
> Hi Rowland,
> ldap doesn't work for me either:
It should.
>> % samba-tool user list -H ldap://dc01.samdom.example.com -k yes
>> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

What OS is this ?

You wrote this in earlier post:

I'm running smbd on the  DC

What do you mean by that?

On a DC, you should start the 'samba' daemon and this will start 'smbd' 
& 'winbind' for you

> That being said, I think I know why that doesn't work.  It's because 
> on the server, I haven't changed the default "ldap server require 
> strong auth = Yes" to "No".  That's because my team was very opposed 
> to this option due to the security implications.  We have other 
> services authenticating via ldaps.   Unfortunately, smb.conf won't let 
> me enable "ldap server require strong auth" from only a certain IP.
It should work, even with 'ldap server require strong auth = no' (the 
> So without the ability to use ldaps, I guess I can't use samba-tool 
> from another host.  This is unfortunate. :(   Should I be submitting a 
> bug report about ldaps not working?

Not yet, Can you tell us what OS you are using (on the DC and Unix client)

Can you post the smb.conf files from the DC and client.


More information about the samba mailing list