[Samba] using samba-tool from a domain member other than the DC

Andrew Bartlett abartlet at samba.org
Thu Jul 23 20:21:34 UTC 2020

On Wed, 2020-07-22 at 21:20 -0400, Jason Keltz via samba wrote:
> Hi.
> I have a Samba AD DC setup that is working well.  I want to be able
> to 
> use "samba-tool" from another Linux host that is a member of the
> domain 
> (eg. my host).  I've looked at page after page online, and can't seem
> to 
> figure out how to make this work.
> On the domain member I did:
> kinit Administrator
> I'm asked for the domain admin password and it's accepted, then I 
> thought I could just do:
> samba-tool user list -k yes
> ... but samba tries to read the users from local TDB files which of 
> course don't exist on the host since it's an AD member, and not the
> DC.
> I tried adding: -H ldaps://dc.server.com after copying in the proper 
> auto generated keys from the samba DC to the domain member, but that 
> didn't work either.  Now I have:
> Failed to bind - LDAP client internal error: NT_STATUS_UNSUCCESSFUL
> Failed to connect to 'ldaps://dc1.eecs.yorku.ca' with backend
> 'ldaps': 
> LDAP client internal error: NT_STATUS_UNSUCCESSFUL
> ERROR(ldb): uncaught exception - LDAP client internal error: 
> Any ideas?  I must be close.

Try with ldap:// not ldaps:// 

Kerberos and all other SASL secured connections over LDAPS are a
problem due to the lack of channel bindings (something we are trying to
fix), the protection provided by Kerberos directly is actually

My guess is that the server is rejecting it due to the setting of 
'ldap server require strong auth'.


Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          

More information about the samba mailing list