[Samba] using samba-tool from a domain member other than the DC

Gregory Sloop gregs at sloop.net
Thu Jul 23 19:20:15 UTC 2020

Top posting.
Is this in a FreeNAS jail, perhaps?
If so, I'd take a long hard look at the underlying environment.

Semi off-topic.

FreeNAS on FreeBSD has a whole set of really weird issues, IMO.
For example, I was trying to get rsync or rdiff-backup to run [not in a jail, but just in the base context] and performance was really terrible and it would bomb for larger file syncs to a remote Linux host.

I thought there was some other problem - other than FN, but really couldn't find any logs or other detail that might explain why, easily.
So, I simply powered up a Ubuntu VM on another box and attempted the same syncs - and performance was an order of magnitude greater. (IIRC, it might even have been TWO orders of magnitude. It was really massive, whatever the case.)

The more I've dug into FBSD and FreeNAS, the more I've been frustrated at odd behavior and other issues. ... like [IIRC, it's been a while] the smbclient in FreeNAS doesn't support anything but SMB1 (which is almost useless, now). Sure, there's ways around that, but they're all additional pain-points.

I'd resolved to move away from FreeNAS entirely, some time ago - but see they're working to make the "community" edition run on, IIRC, Debian-based Linux. Perhaps that's likely to ease some of these issues. If so, I might reconsider. But it's far from a given.

[And this coming from the guy who ran a self-hosted web server way back in the early-to-mid '90s on BSD. I knew absolutely nothing back then, but was impressed with BSD. So, it's not like I've got some kind of hidden hate for BSD.]


JKvs> Hi Rowland,

JKvs> ldap doesn't work for me either:

>> % samba-tool user list -H ldap://dc01.samdom.example.com -k yes
>> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>> Failed to connect to 'ldap://dc01.samdom.example.com' with backend 
>> 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>> ERROR(ldb): uncaught exception - LDAP client internal error: 
>>   File 
>> "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/netcmd/__init__.py", 
>> line 185, in _run
>>     return self.run(*args, **kwargs)
>>   File 
>> "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/netcmd/user.py", 
>> line 534, in run
>>     samdb = SamDB(url=H, session_info=system_session(),
>>   File 
>> "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/samdb.py", 
>> line 65, in __init__
>>     super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
>>   File 
>> "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/__init__.py", 
>> line 115, in __init__
>>     self.connect(url, flags, options)
>>   File 
>> "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/samdb.py", 
>> line 81, in connect
>>     super(SamDB, self).connect(url=url, flags=flags,
JKvs> That being said, I think I know why that doesn't work.  It's because on
JKvs> the server, I haven't changed the default "ldap server require strong 
JKvs> auth = Yes" to "No".  That's because my team was very opposed to this 
JKvs> option due to the security implications.  We have other services 
JKvs> authenticating via ldaps.   Unfortunately, smb.conf won't let me enable
JKvs> "ldap server require strong auth" from only a certain IP.

JKvs> So without the ability to use ldaps, I guess I can't use samba-tool from
JKvs> another host.  This is unfortunate. :(   Should I be submitting a bug 
JKvs> report about ldaps not working?

JKvs> Jason.

JKvs> On 7/23/2020 2:45 PM, Rowland penny via samba wrote:
>> On 23/07/2020 19:31, Jason Keltz via samba wrote:
>>> Hi Rowland,

>>> I'm running smbd on the DC.  I want to be able to do things like 
>>> adding a user, dns entry, etc. from my workstation without logging 
>>> into the DC.

>>> I can't get samba-tool to work with Kerberos, or ldaps, etc.

>> As I said, I cannot get ldaps to work (yet), but:

>> rowland at devstation:~$ sudo samba-tool group add newgroup -H 
>> ldap://dc01.samdom.example.com -k yes
>> [sudo] password for rowland:
>> Added group newgroup

>> 'devstation' isn't a DC ;-)

>> Rowland
