[Samba] using samba-tool from a domain member other than the DC
Jason Keltz
jas at eecs.yorku.ca
Thu Jul 23 19:36:03 UTC 2020
Hi Rowland,
Sorry if my original email wasn't clear.
On the DC, I'm running samba (I said smbd - my error) and winbind. I'm
running CentOS 7.8 with a self-compiled Samba. That's actually all
working perfectly.
krb5.conf:
[libdefaults]
default_realm = AD.EECS.YORKU.CA
dns_lookup_realm = false
dns_lookup_kdc = true
smb.conf:
# Global parameters
[global]
netbios name = <netbios name>
realm = <realm address>
workgroup = <workgroup name>
dns forwarder = <dns forwarder ip>
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
interfaces = 127.0.0.1 <ip of server>
bind interfaces only = yes
[netlogon]
path = <my netlogon path>
read only = no
guest ok = no
[sysvol]
path = <my sysvol path>
read only = no
guest ok = no
The client is another CentOS 7.8 machine. It's been joined to the
domain using "realm join" and is using the sssd ad module (no smbd). It has
access to the identical Samba software from the DC. Likewise, it's
working perfectly. I can login to the client, see all my users and
groups from AD, etc.
On the client, I have the same krb5.conf as above. For smb.conf I have
the following (I don't even really know if it's required but I highly
suspect samba-tool is at least reading it):
[global]
workgroup = <workgroup name>
security = ADS
realm = <realm server name>
I was under the impression that in order to use ldap:// URLs, in the DC's
smb.conf you need to add "ldap server require strong auth = no". You
said the default is no, but at least in my configuration on the server
it is "yes":
# /xsys/pkg/samba/bin/testparm -v | grep strong
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
ldap server require strong auth = Yes
require strong key = Yes
I'm not permitted to set ldap server require strong auth = no. Ideally,
samba-tool would work with ldaps, but if I can use samba-tool over ldap
without having to set the require strong auth = no, then that would be
great.
Jason.
On 7/23/2020 3:15 PM, Rowland penny via samba wrote:
> On 23/07/2020 19:59, Jason Keltz via samba wrote:
>> Hi Rowland,
>>
>> ldap doesn't work for me either:
> It should.
>>
>>> % samba-tool user list -H ldap://dc01.samdom.example.com -k yes
>>> Failed to bind - LDAP client internal error:
>>> NT_STATUS_INVALID_PARAMETER
>
> What OS is this ?
>
> You wrote this in earlier post:
>
> I'm running smbd on the DC
>
> What do you mean by that?
>
> On a DC, you should start the 'samba' daemon and this will start
> 'smbd' & 'winbind' for you
>
>>>
>> That being said, I think I know why that doesn't work. It's because
>> on the server, I haven't changed the default "ldap server require
>> strong auth = Yes" to "No". That's because my team was very opposed
>> to this option due to the security implications. We have other
>> services authenticating via ldaps. Unfortunately, smb.conf won't
>> let me enable "ldap server require strong auth" from only a certain IP.
> It should work, even with 'ldap server require strong auth = no' (the
> default)
>>
>> So without the ability to use ldaps, I guess I can't use samba-tool
>> from another host. This is unfortunate. :( Should I be submitting
>> a bug report about ldaps not working?
>
> Not yet. Can you tell us what OS you are using (on the DC and Unix
> client)
>
> Can you post the smb.conf files from the DC and client.
>
> Rowland