[Samba] using samba-tool from a domain member other than the DC

Jason Keltz jas at eecs.yorku.ca
Thu Jul 23 19:36:03 UTC 2020

Hi Rowland,

Sorry if my original email wasn't clear.

On the DC, I'm running samba (I said smbd - my error) and winbind.  I'm 
running CentOS 7.8 with a self-compiled Samba.  That's actually all 
working perfectly.


[libdefaults]
        default_realm = AD.EECS.YORKU.CA
        dns_lookup_realm = false
        dns_lookup_kdc = true


# Global parameters
[global]
        netbios name = <netbios name>
        realm = <realm address>
        workgroup = <workgroup name>
        dns forwarder = <dns forwarder ip>
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        interfaces = <ip of server>
        bind interfaces only = yes

[netlogon]
        path = <my netlogon path>
        read only = no
        guest ok = no

[sysvol]
        path = <my sysvol path>
        read only = no
        guest ok = no

The client is another CentOS 7.8 machine.  It's been joined to the 
domain using "realm join" and using the sssd ad module (no smbd).  It has 
access to the identical Samba software from the DC.  Likewise, it's 
working perfectly.  I can log in to the client, see all my users and 
groups from AD, etc.

On the client, I have the same krb5.conf as above.  For smb.conf I have 
the following (I don't even really know if it's required but I highly 
suspect samba-tool is at least reading it):

[global]
        workgroup = <workgroup name>
        security = ADS
        realm = <realm server name>

I was under the impression that in order to use ldap:// URLs, on the DC 
smb.conf, you need to add "ldap server require strong auth = no".  You 
said the default is no, but at least in my configuration on the server 
it is "yes":

# /xsys/pkg/samba/bin/testparm -v | grep strong
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.

Press enter to see a dump of your service definitions

         ldap server require strong auth = Yes
         require strong key = Yes

I'm not permitted to set ldap server require strong auth = no. Ideally, 
samba-tool would work with ldaps, but if I can use samba-tool over ldap 
without having to set the require strong auth = no, then that would be 


On 7/23/2020 3:15 PM, Rowland penny via samba wrote:
> On 23/07/2020 19:59, Jason Keltz via samba wrote:
>> Hi Rowland,
>> ldap doesn't work for me either:
> It should.
>>> % samba-tool user list -H ldap://dc01.samdom.example.com -k yes
>>> Failed to bind - LDAP client internal error: 
> What OS is this?
> You wrote this in earlier post:
> I'm running smbd on the  DC
> What do you mean by that?
> On a DC, you should start the 'samba' daemon and this will start 
> 'smbd' & 'winbind' for you
>> That being said, I think I know why that doesn't work.  It's because 
>> on the server, I haven't changed the default "ldap server require 
>> strong auth = Yes" to "No".  That's because my team was very opposed 
>> to this option due to the security implications.  We have other 
>> services authenticating via ldaps.  Unfortunately, smb.conf won't 
>> let me enable "ldap server require strong auth" from only a certain IP.
> It should work, even with 'ldap server require strong auth = no' (the 
> default)
>> So without the ability to use ldaps, I guess I can't use samba-tool 
>> from another host.  This is unfortunate. :(  Should I be submitting 
>> a bug report about ldaps not working?
> Not yet. Can you tell us what OS you are using (on the DC and Unix 
> client)?
> Can you post the smb.conf files from the DC and client?
> Rowland
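
The disagreement above is about what "ldap server require strong auth" is effectively set to on the DC. The script below is an added example, written for this page; it is not Jason's code and not part of Samba. It reads an smb.conf the way a config review would: it matches parameter names the way Samba's loadparm does (case and whitespace are ignored, so "LDAP Server Require Strong Auth" and "ldapserverrequirestrongauth" are the same key), recognises the three documented values (yes, no, allow_sasl_over_tls), and falls back to an effective default of "yes" when the parameter is absent, which is what the `testparm -v` output in the thread shows for a DC that never set it. The sample configs are constructed placeholders, not a real site's values.

```python
"""Audit a DC smb.conf for the effective 'ldap server require strong auth' setting."""
import re
from typing import Dict, Tuple

# Canonical (normalised) parameter name and the effective default when it is
# absent. The default is taken from the `testparm -v` output in the thread,
# which reports "ldap server require strong auth = Yes" on an unmodified DC.
STRONG_AUTH_KEY = "ldapserverrequirestrongauth"
STRONG_AUTH_DEFAULT = "yes"

# Constructed sample configs (placeholder realm/host names, not real values).
DC_CONF = """\
# Global parameters
[global]
        netbios name = DC01
        realm = AD.EXAMPLE.COM
        workgroup = EXAMPLE
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/ad.example.com/scripts
        read only = no
        guest ok = no
"""

WEAK_CONF = """\
[global]
        realm = AD.EXAMPLE.COM
        server role = active directory domain controller
        ; spelled with different case and spacing on purpose
        LDAP Server Require Strong Auth = No
"""

SASL_TLS_CONF = """\
[global]
        server role = active directory domain controller
        ldapserverrequirestrongauth = allow_sasl_over_tls
"""


def normalize_param(name: str) -> str:
    """Samba's loadparm compares parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [sections], key = value lines, '#' and ';' comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a section or without '='; loadparm would warn
        key, _, value = line.partition("=")
        sections[current][normalize_param(key)] = value.strip()
    return sections


def normalize_strong_auth(value: str) -> str:
    """Map Samba's boolean spellings onto the three documented values."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return "yes"
    if v in ("no", "false", "0"):
        return "no"
    if v == "allow_sasl_over_tls":
        return v
    raise ValueError(f"unrecognised value for ldap server require strong auth: {value!r}")


def requires_strong_auth(text: str) -> Tuple[str, str]:
    """Return (effective setting, 'explicit' or 'default') for the [global] section."""
    global_section = parse_smb_conf(text).get("global", {})
    if STRONG_AUTH_KEY in global_section:
        return normalize_strong_auth(global_section[STRONG_AUTH_KEY]), "explicit"
    return STRONG_AUTH_DEFAULT, "default"


def audit(text: str) -> str:
    """One-line finding for a config review."""
    setting, source = requires_strong_auth(text)
    if setting == "yes":
        return f"OK ({source}): unsigned, unencrypted LDAP binds are refused"
    if setting == "allow_sasl_over_tls":
        return f"OK ({source}): unsigned SASL binds are accepted only inside TLS"
    return f"WEAK ({source}): simple binds over plain ldap:// are accepted"


if __name__ == "__main__":
    for label, conf in (("dc", DC_CONF), ("weak", WEAK_CONF), ("sasl-tls", SASL_TLS_CONF)):
        print(f"{label}: {audit(conf)}")
```

Run it against the real file with `audit(open("/etc/samba/smb.conf").read())`; a "default" result means the parameter is inherited rather than pinned, which is worth recording in a review even when the effective value is the strict one.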
