[Samba] smbclient help

jmpatagonia jmpatagonia at gmail.com
Thu Jan 14 08:31:08 UTC 2021


Hello Rowland, when using ldbsearch I have this

ldbsearch -H ldaps://midominio:636 \
  -b "cn=jcbatman3,cn=Users,dc=prueba,dc=ar" -s sub \
  '(&(sAMAccountName=jcbatman3)(memberOf=*))' memberOf -k yes

TLS failed to missing cafile /var/lib/samba/private/tls/ca.pem - with 'tls verify peer = as_strict_as_possible'
Failed to connect to ldap URL 'ldaps://midominio:636' - LDAP client internal error: NT_STATUS_INVALID_PARAMETER_MIX
Failed to connect to 'ldaps://midominio:636' with backend 'ldaps': (null)
Failed to connect to ldaps://midominio:636 - (null)

Is it possible to disable "tls verify peer" on the client? If not, what can
I do?

Regards.

On Wed, 13 Jan 2021 at 13:18, Rowland penny via samba (<
samba at lists.samba.org>) wrote:

> On 13/01/2021 09:15, jmpatagonia via samba wrote:
> > Excellent Rowland, this works, with this from the client we can make a
> > script to guest ldap (via memberof property) and do gvfs-mount.
> >
> > Is it possible to pass to ldapsearch the kerberos ticket (or user id/pass)
> > to guest the ldap samba built-in ?
> >
> > ldapsearch -D "cn=userid,cn=Users,dc=midominio,dc=prueba,dc=ar" -w "P@ssword" \
> >   -h 192.168.0.165 -p 389 -b "cn=$1,cn=Users,dc=midominio,dc=prueba,dc=ar" -s sub \
> >   "memberof=*" memberof | grep "memberOf" | sed -e "s/^memberOf: CN=//" \
> >   -e "s/,CN=Users,DC=midominio,DC=prueba,DC=ar//"
> >
> > So we can guest the ldap without a prefix user, need to extract the user
> > property "memberof" from ldap samba built-in, authenticating via ldap
> > search with the kerberos data or similar.
> >
> > Regards.
>
>
> There are numerous ways of doing this, you can use the machine password
> (but this involves using sudo):
>
> sudo ldbsearch -P -H ldap://dc4 \
>   -b "cn=users,$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')" \
>   -s sub '(&(sAMAccountName=rowland)(memberOf=*))' memberOf \
>   | grep "memberOf" \
>   | sed -e "s/^memberOf: CN=//" \
>         -e "s/,CN=Users,$(echo "DC=$(hostname -d)" | sed 's/\./,DC=/g')//"
>
> You can use the user's Kerberos ticket that should be created when the
> user logs in:
>
> ldbsearch -H ldap://dc4 \
>   -b "cn=users,$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')" \
>   -s sub '(&(sAMAccountName=rowland)(memberOf=*))' memberOf -k yes \
>   | grep "memberOf" \
>   | sed -e "s/^memberOf: CN=//" \
>         -e "s/,CN=Users,$(echo "DC=$(hostname -d)" | sed 's/\./,DC=/g')//"
>
> A different way using the user's Kerberos ticket and samba-tool:
>
> samba-tool group listmembers 'Domain Admins' -H ldap://dc4 -k yes
>
> Rowland
>
>
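
The grep | sed pipelines quoted above assume every memberOf value sits on one line, is plain text and lives under CN=Users. As an added example (not part of the original messages), this shell function reads LDIF on stdin and also handles folded lines, base64 values and groups in any container; the names member_groups and sample_ldif and all sample DNs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print the group name (first RDN value)
# of every memberOf value found in LDIF read from stdin.
member_groups() {
    # Unfold first: in LDIF a line starting with one space continues the
    # previous line, so a long DN may be split across several lines.
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }' |
    while IFS= read -r line; do
        case $line in
            "memberOf:: "*)   # "::" marks a base64 value (e.g. non-ASCII names)
                dn=$(printf '%s' "${line#memberOf:: }" | base64 -d) ;;
            "memberOf: "*)
                dn=${line#memberOf: } ;;
            *)  continue ;;
        esac
        # Keep the value of the first RDN, whatever container the group is in;
        # "\," inside a name is an escaped comma, not an RDN separator.
        printf '%s\n' "$dn" | sed -E 's/^[^=]*=((\\.|[^\\,])*),.*$/\1/'
    done
}

# Constructed sample input; the DNs are made up for this example.
sample_ldif() {
    cat <<'EOF'
# record 1
dn: CN=jcbatman3,CN=Users,DC=prueba,DC=ar
memberOf: CN=Domain Admins,CN=Users,DC=prueba,DC=ar
memberOf: CN=Soporte\, Nivel 2,OU=Grupos,OU=Departamento de Tecnologia,DC=prue
 ba,DC=ar
EOF
    # Base64 value built at run time instead of a hand-typed blob.
    printf 'memberOf:: %s\n' \
        "$(printf '%s' 'CN=Diseño,OU=Grupos,DC=prueba,DC=ar' | base64)"
}

sample_ldif | member_groups
```

In real use the function takes the search output directly, for example by piping the ldbsearch command from the thread into member_groups in place of grep and sed.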

