[Samba] using samba-tool from a domain member other than the DC
Jason Keltz
jas at eecs.yorku.ca
Fri Jul 24 00:01:25 UTC 2020
Hi Rowland,
Speaking of senior moments. I just figured out the problem...
My DC host has its regular name - dc01.example.com and then its AD name
dc01.ad.example.com. Even though both resolve to the same IP, I was
using dc01.example.com which is apparently a no-no because Kerberos is
particular about names. If I use dc01.ad.example.com it actually
works!!!!!!!!!! Using either dc01.example.com or the IP address
does not work.
And just to prove that this has nothing whatsoever to do with smb.conf,
I moved it out of the way completely, and it now works as well!!
Thanks a lot! I've spent *hours* looking at this. I think I have a few
extra gray hairs.
Jason.
On 7/23/2020 3:58 PM, Rowland penny via samba wrote:
> On 23/07/2020 20:36, Jason Keltz via samba wrote:
>>
>> On the client, I have the same krb5.conf as above. For smb.conf I
>> have the following (I don't even really know if it's required but I
>> highly suspect samba-tool is at least reading it):
>>
>> [global]
>> workgroup = <workgroup name>
>> security = ADS
>> realm = <realm server name>
>>
>> I was under the impression that in order to use ldap:// URLs, on the
>> DC smb.conf, you need to add "ldap server require strong auth = no".
>> You said the default is no, but at least in my configuration on the
>> server it is "yes":
>
> OOPS, senior moment there ;-)
>
> The 'no' should have been 'yes' and it still works for me ;-)
>
>>
>> I'm not permitted to set ldap server require strong auth = no.
>> Ideally, samba-tool would work with ldaps, but if I can use
>> samba-tool over ldap without having to set the require strong auth =
>> no, then that would be great.
>
> You should be able to use samba-tool with kerberos:
>
> rowland at devstation:~$ samba-tool user list -H ldap://dc01.samdom.example.com -k yes -d5
> < snipped for brevity >
> Ticket in credentials cache for rowland at SAMDOM.EXAMPLE.COM will expire in 33327 secs
> gensec_gssapi: NO credentials were delegated
> GSSAPI Connection will be cryptographically signed
> <LONG LIST OF USERS>
>
> This is from a domain joined Unix client and 'rowland' has a valid
> kerberos ticket.
>
> The client is running nmbd, smbd and winbind.
>
> You say that you are running sssd; we cannot help you with this, we do
> not produce sssd etc.
>
> Rowland
>
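A small pre-flight check for the `-H` target, as an added example that is not from this thread or from the Samba project. It encodes the finding above: a bare IP or a name outside the AD DNS domain fails with `-k yes`, while the DC's AD name works. The realm AD.EXAMPLE.COM is assumed to match the dc01.ad.example.com name; the hosts below are the thread's example values.

```shell
#!/bin/sh
# Added example, not from the thread. REALM is assumed to be AD.EXAMPLE.COM
# (the thread never states it); host names are the thread's example values.

# Return 0 if HOST is a usable Kerberos target for REALM:
#   - not an IPv4 literal (the thread found the IP address does not work)
#   - a fully qualified name strictly below the realm's DNS domain
#     (dc01.ad.example.com, not dc01.example.com)
kerberos_target_ok() {
    host=$1
    realm=$2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    # Only digits and dots: treat as an IP literal and reject it.
    case $host in
        *[!0-9.]*) ;;
        *) return 1 ;;
    esac
    # Accept only names ending in ".<realm in lower case>".
    case $host in
        *.$domain) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the command from the thread (ldap:// URL with Kerberos auth), but
# refuse a target that will not match the DC's service principal.
# With DRY_RUN=1 the command line is printed instead of executed.
samba_tool_user_list() {
    host=$1
    realm=$2
    if ! kerberos_target_ok "$host" "$realm"; then
        echo "refusing: $host is not a host name under $realm" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "samba-tool user list -H ldap://$host -k yes"
    else
        samba-tool user list -H "ldap://$host" -k yes
    fi
}
```

Run `kinit` first so a valid ticket is in the credentials cache, as in Rowland's session.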