[Samba] using samba-tool from a domain member other than the DC

Rowland Penny rpenny at samba.org
Thu Jul 23 19:58:06 UTC 2020

On 23/07/2020 20:36, Jason Keltz via samba wrote:
> On the client, I have the same krb5.conf as above.  For smb.conf I 
> have the following (I don't even really know if it's required but I 
> highly suspect samba-tool is at least reading it):
> [global]
>         workgroup =<workgroup name>
>         security = ADS
>         realm = <realm server name>
> I was under the impression that in order to use ldap:// URLs, on the 
> DC smb.conf, you need to add "ldap server require strong auth = no".  
> You said the default is no, but at least in my configuration on the 
> server it is "yes":

OOPS, senior moment there ;-)

The 'no' should have been 'yes' and it still works for me ;-)

> I'm not permitted to set ldap server require strong auth = no. 
> Ideally, samba-tool would work with ldaps, but if I can use samba-tool 
> over ldap without having to set the require strong auth = no, then 
> that would be great.

You should be able to use samba-tool with kerberos:

rowland@devstation:~$ samba-tool user list -H ldap://dc01.samdom.example.com -k yes -d5
< snipped for brevity >
Ticket in credentials cache for rowland@SAMDOM.EXAMPLE.COM will expire in 33327 secs
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed

This is from a domain joined Unix client and 'rowland' has a valid 
kerberos ticket.

The client is running nmbd, smbd and winbind.

You say that you are running sssd; we cannot help you with this, we do 
not produce sssd etc.
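The invocation above (samba-tool over plain ldap:// with -k yes and a valid ticket) is what a DC keeping "ldap server require strong auth = yes" will accept, because the GSSAPI bind is signed. The script below is an added example, not code from this post or from the Samba project: it wraps that invocation on a domain member, checks the ticket cache first, and then confirms from the -d5 output that the bind really was signed or sealed, failing otherwise. The host dc01.samdom.example.com and realm SAMDOM.EXAMPLE.COM are placeholders taken from the quoted output; the "sealed" wording of the gensec_gssapi line is assumed from the "signed" line shown above; the sample debug excerpts are constructed so the check can be exercised without a DC.

```shell
#!/bin/sh
# Added example, not code from the list post or from the Samba project.
# Wraps "samba-tool ... -H ldap://DC -k yes -d5" so a domain member can verify
# that the bind was a signed/sealed GSSAPI bind, which is what a DC with
# "ldap server require strong auth = yes" requires over plain ldap://.
# Assumed placeholders: dc01.samdom.example.com, SAMDOM.EXAMPLE.COM.

# Read samba-tool -d5 output on stdin; succeed (0) only if gensec_gssapi
# reports that the LDAP connection is signed or sealed ("sealed" is assumed
# by analogy with the "signed" line quoted in the post).
gssapi_bind_is_strong() {
    grep -qE 'GSSAPI Connection will be cryptographically (signed|sealed)'
}

# Succeed if the credential cache still holds a TGT for the realm, i.e. the
# "valid kerberos ticket" the post says the user must have.
have_tgt_for_realm() {
    klist 2>/dev/null | grep -q "krbtgt/$1@$1"
}

# Run a samba-tool subcommand over ldap:// with Kerberos and fail unless the
# debug output shows the connection was signed or sealed.
# Usage: samba_tool_kerberos DC_FQDN REALM user list
samba_tool_kerberos() {
    dc="$1"; realm="$2"; shift 2
    have_tgt_for_realm "$realm" || {
        echo "no TGT for $realm in the credential cache; run kinit first" >&2
        return 2
    }
    out=$(samba-tool "$@" -H "ldap://$dc" -k yes -d5 2>&1) || {
        printf '%s\n' "$out" >&2
        return 1
    }
    if ! printf '%s\n' "$out" | gssapi_bind_is_strong; then
        echo "bind to ldap://$dc was not signed/sealed; a DC with" >&2
        echo "'ldap server require strong auth = yes' rejects such binds" >&2
        return 3
    fi
    printf '%s\n' "$out"
}

# Constructed debug excerpts (modelled on the lines quoted in the post) so the
# detector can be exercised offline without a DC.
STRONG_SAMPLE='Ticket in credentials cache for rowland@SAMDOM.EXAMPLE.COM will expire in 33327 secs
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed'
WEAK_SAMPLE='Ticket in credentials cache for rowland@SAMDOM.EXAMPLE.COM will expire in 33327 secs
gensec_gssapi: NO credentials were delegated'

# Succeed only if the detector accepts the signed sample and rejects the one
# with no signing/sealing line.
selftest() {
    printf '%s\n' "$STRONG_SAMPLE" | gssapi_bind_is_strong || return 1
    if printf '%s\n' "$WEAK_SAMPLE" | gssapi_bind_is_strong; then return 1; fi
    return 0
}

# With no arguments run the offline self-test; otherwise run the real command:
#   sh samba_tool_krb.sh dc01.samdom.example.com SAMDOM.EXAMPLE.COM user list
if [ "$#" -ge 3 ]; then
    samba_tool_kerberos "$@"
else
    selftest
fi
```

Exit status 2 means no ticket (run kinit), 1 means samba-tool itself failed, and 3 means the bind went through without signing or sealing, which is the case that would be refused once the DC insists on strong auth.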

