[Samba] GPO on a DC

samba-ml-en samba-ml-en at protonmail.com
Fri Jun 24 18:13:57 UTC 2022


Like in my code
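 # $1 is taken to be DOMAIN\user%password, judging by the cut calls; "2-" keeps any further % inside the password
 pwd="$(printf "%s" "$1" | cut -f 2- -d "%")"
 # feed the password to kinit on stdin to get a Kerberos ticket for the user part of $1
 printf "%s" "$pwd" | kinit "$(printf "%s" "$1" | cut -f 2 -d "\\" | cut -f 1 -d "%")" > /dev/null 2>&1
 # query the local DC over ldap:// using that ticket and extract the adminContextMenu values
 lines="$(ldapsearch -b "CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=ad2,DC=domain,DC=eu" -H ldap://localhost | grep adminContextMenu | cut -f 2 -d ":" | cut -f 1 -d ",")"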

But it means you need to have Kerberos and integrate it in the application. One example: the pfSense user manager (auth firewall users, or VPN users if you want to).

port: 636 for example, or 389 for ldap
transport: SSL/TLS or cleartext (if I remove TLS from smb.conf... well, clear text, with hashes on the wire)

> I am no expert here, but my understanding is that if you use ldapsearch
> or ldbsearch with kerberos (its called GSSAPI by ldapsearch), then the
> data is encrypted end to end just like ldaps.

Yes, what I was saying, a bit like SMTP :-)

> Windows was going to enforce ldaps, but, unless I missed it, it has
> never happened, doesn't this tell you something ?

Sorry, you get both, old habit, just in case you need to reply in private.

> Please do not 'CC' me, just send posts to the lists.

Wish you a great evening, and I hope we find out a cause for the problem I have with GPOs; ldap/ldaps is probably another issue with Samba.

