[Samba] using samba-tool from a domain member other than the DC

Jason Keltz jas at eecs.yorku.ca
Thu Jul 23 19:38:38 UTC 2020

Hi Greg,

This is running straight on CentOS 7.8... no FreeNAS jail.


On 7/23/2020 3:20 PM, Gregory Sloop via samba wrote:
> Top posting.
> Is this in freenas jail, perhaps?
> If so, I'd take a long hard look at the underlying environment.
> Semi off-topic.
> FreeNAS on FreeBSD has a whole set of really weird issues, IMO.
> For example; I was trying to get rsync or rdiff-backup to run [not in a jail, but just in the base context] and performance was really terrible and it would bomb for larger file syncs to a remote Linux host.
> I thought there was some other problem - other than FN, but really couldn't find any logs or other detail that might explain why, easily.
> So, I simply powered up an Ubuntu VM on another box and attempted the same syncs - and performance was an order of magnitude greater. (IIRC, it might even have been TWO orders of magnitude. It was really massive, whatever the case.)
> The more I've dug into FBSD and freenas, I've been continually frustrated at odd behavior and other issues. ...like [IIRC, it's been a while] the smbclient in FreeNAS doesn't support anything but SMB1 (which is almost useless, now). Sure there's ways around that, but they're all additional pain-points.
> I'd resolved to moving away from FreeNAS entirely, some time ago - but see they're working to make the "community" edition run on, IIRC, debian based Linux. Perhaps that's likely to ease some of these issues. If so, I might re-consider. But it's far from a given.
> [And this coming from the guy who ran a self-hosted web-server way back in the early-mid 90's on BSD. I knew absolutely nothing back then, but was impressed with BSD. So, it's not like I've got some kind of hidden hate for BSD.]
> -Greg
> JKvs> Hi Rowland,
> JKvs> ldap doesn't work for me either:
>>> % samba-tool user list -H ldap://dc01.samdom.example.com -k yes
>>> Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>>> Failed to connect to 'ldap://dc01.samdom.example.com' with backend
>>> 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
>>> ERROR(ldb): uncaught exception - LDAP client internal error:
>>>    File
>>> "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/netcmd/__init__.py",
>>> line 185, in _run
>>>      return self.run(*args, **kwargs)
>>>    File
>>> "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/netcmd/user.py",
>>> line 534, in run
>>>      samdb = SamDB(url=H, session_info=system_session(),
>>>    File
>>> "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/samdb.py",
>>> line 65, in __init__
>>>      super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
>>>    File
>>> "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/__init__.py",
>>> line 115, in __init__
>>>      self.connect(url, flags, options)
>>>    File
>>> "/xsys/pkg/samba-4.10.17/lib/python3.8/site-packages/samba/samdb.py",
>>> line 81, in connect
>>>      super(SamDB, self).connect(url=url, flags=flags,
> JKvs> That being said, I think I know why that doesn't work.  It's because on
> JKvs> the server, I haven't changed the default "ldap server require strong
> JKvs> auth = Yes" to "No".  That's because my team was very opposed to this
> JKvs> option due to the security implications.  We have other services
> JKvs> authenticating via ldaps.   Unfortunately, smb.conf won't let me enable
> JKvs> "ldap server require strong auth" from only a certain IP.
> JKvs> So without the ability to use ldaps, I guess I can't use samba-tool from
> JKvs> another host.  This is unfortunate. :(   Should I be submitting a bug
> JKvs> report about ldaps not working?
> JKvs> Jason.
> JKvs> On 7/23/2020 2:45 PM, Rowland penny via samba wrote:
>>> On 23/07/2020 19:31, Jason Keltz via samba wrote:
>>>> Hi Rowland,
>>>> I'm running smbd on the  DC.  I want to be able to do things like
>>>> adding a user, dns entry, etc. from my workstation without logging
>>>> into the DC.
>>>> I can't get samba-tool to work with Kerberos, or ldaps, etc.
>>> As I said, I cannot get ldaps to work (yet), but:
>>> rowland@devstation:~$ sudo samba-tool group add newgroup -H
>>> ldap://dc01.samdom.example.com -k yes
>>> [sudo] password for rowland:
>>> Added group newgroup
>>> 'devstation' isn't a DC ;-)
>>> Rowland
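
Added example (not part of the thread and not Samba project code): a small Python check that reads the effective `ldap server require strong auth` value from an smb.conf and lists which LDAP binds that value accepts, following the option's description in smb.conf(5) for the Samba 4.10 series. The sample configs and function names are constructed for illustration; `include` lines and line continuations are not handled.

```python
import re

DEFAULT = "yes"  # documented default in smb.conf(5)
# (transport, bind type) pairs each value accepts, per smb.conf(5)
ACCEPTS = {
    "no": {("plain", "simple"), ("plain", "sasl"), ("plain", "sasl+sign/seal"),
           ("tls", "simple"), ("tls", "sasl")},
    "allow_sasl_over_tls": {("plain", "sasl+sign/seal"),
                            ("tls", "simple"), ("tls", "sasl")},
    "yes": {("plain", "sasl+sign/seal"), ("tls", "simple")},
}

def norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()

def effective_strong_auth(conf_text):
    """Return the [global] value of 'ldap server require strong auth'."""
    section, value = None, DEFAULT
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)
            if norm(key) == "ldapserverrequirestrongauth":
                value = val.strip().lower()  # a later setting overrides
    if value not in ACCEPTS:
        raise ValueError(f"unrecognised value: {value!r}")
    return value

def unprotected_binds(value):
    """Binds accepted on plain ldap:// that are neither signed nor sealed."""
    return sorted(b for t, b in ACCEPTS[value]
                  if t == "plain" and b != "sasl+sign/seal")

# Constructed sample configs (not taken from the thread)
STRICT = "[global]\n  realm = SAMDOM.EXAMPLE.COM\n"
RELAXED = "[global]\n  LDAP Server Require Strong Auth = No\n"

if __name__ == "__main__":
    for name, conf in (("strict", STRICT), ("relaxed", RELAXED)):
        v = effective_strong_auth(conf)
        print(f"{name}: value={v} unprotected plain binds={unprotected_binds(v)}")
```

An empty list from `unprotected_binds` means the DC only accepts signed or sealed SASL on port 389 and leaves simple binds to TLS connections.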
