[Samba] using samba-tool from a domain member other than the DC

Jason Keltz jas at eecs.yorku.ca
Fri Jul 24 00:01:25 UTC 2020

Hi Rowland,

Speaking of senior moment. I just figured out the problem...

My DC host has its regular name - dc01.example.com and then its AD name 
dc01.ad.example.com.  Even though both resolve to the same IP, I was 
using dc01.example.com which is apparently a no no because Kerberos is 
particular about name.  If I use dc01.ad.example.com it actually 
works!!!!!!!!!!  Using either dc01.example.com or using the IP address 
both do not work.

And just to prove that this has nothing whatsoever to do with smb.conf, 
I moved it out of the way completely, and it now works as well!!

Thanks a lot! I've spent *hours* looking at this.  I think I have a few 
extra gray hairs.


On 7/23/2020 3:58 PM, Rowland penny via samba wrote:
> On 23/07/2020 20:36, Jason Keltz via samba wrote:
>> On the client, I have the same krb5.conf as above.  For smb.conf I 
>> have the following (I don't even really know if it's required but I 
>> highly suspect samba-tool is at least reading it):
>> [global]
>>         workgroup =<workgroup name>
>>         security = ADS
>>         realm = <realm server name>
>> I was under the impression that in order to use ldap:// URLs, on the 
>> DC smb.conf, you need to add "ldap server require strong auth = no".  
>> You said the default is no, but at least in my configuration on the 
>> server it is "yes":
> OOPS, senior moment there ;-)
> The 'no' should have been 'yes' and it still works for me ;-)
>> I'm not permitted to set ldap server require strong auth = no. 
>> Ideally, samba-tool would work with ldaps, but if I can use 
>> samba-tool over ldap without having to set the require strong auth = 
>> no, then that would be great.
> You should be able to use samba-tool with kerberos:
> rowland at devstation:~$ samba-tool user list -H 
> ldap://dc01.samdom.example.com -k yes -d5
> < snipped for brevity >
> Ticket in credentials cache for rowland at SAMDOM.EXAMPLE.COM will expire 
> in 33327 secs
> gensec_gssapi: NO credentials were delegated
> GSSAPI Connection will be cryptographically signed
> This is from a domain joined Unix client and 'rowland' has a valid 
> kerberos ticket.
> The client is running nmbd, smbd and winbind.
> You say that you are running sssd, we cannot help you with this, we do 
> not produce sssd etc.
> Rowland

More information about the samba mailing list