[Samba] using samba-tool from a domain member other than the DC
Andrew Bartlett
abartlet at samba.org
Thu Jul 23 20:21:34 UTC 2020
On Wed, 2020-07-22 at 21:20 -0400, Jason Keltz via samba wrote:
> Hi.
>
> I have a Samba AD DC setup that is working well. I want to be able
> to
> use "samba-tool" from another Linux host that is a member of the
> domain
> (eg. my host). I've looked at page after page online, and can't seem
> to
> figure out how to make this work.
>
> On the domain member I did:
>
> kinit Administrator
>
> I'm asked for the domain admin password and it's accepted, then I
> thought I could just do:
>
> samba-tool user list -k yes
>
> ... but samba tries to read the users from local TDB files which of
> course don't exist on the host since it's an AD member, and not the
> DC.
>
> I tried adding: -H ldaps://dc.server.com after copying in the proper
> auto generated keys from the samba DC to the domain member, but that
> didn't work either. Now I have:
>
> Failed to bind - LDAP client internal error: NT_STATUS_UNSUCCESSFUL
> Failed to connect to 'ldaps://dc1.eecs.yorku.ca' with backend
> 'ldaps':
> LDAP client internal error: NT_STATUS_UNSUCCESSFUL
> ERROR(ldb): uncaught exception - LDAP client internal error:
> NT_STATUS_UNSUCCESSFUL
>
> Any ideas? I must be close.
Try with ldap:// not ldaps://
Kerberos and all other SASL secured connections over LDAPS are a
problem due to the lack of channel bindings (something we are trying to
fix), the protection provided by Kerberos directly is actually
superior.
My guess is that the server is rejecting it due to the setting of
'ldap server require strong auth'.
Thanks,
Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT
https://catalyst.net.nz/services/samba
More information about the samba
mailing list