Christian Kuntz
2021-Feb-02 09:46 UTC
[Samba] LDAP + Keytab without requiring administrator logins
Hi all!

I'm currently running Debian Buster with samba version 4.9.5+dfsg-5+deb10u1 and trying to configure my setup to require only a keytab file and no administrator login information to accommodate automated smb provisioning. It appears that without the administrator information in the secrets.tdb, smb will simply fail to start, giving the below in logs:

  [2021/02/02 00:30:28.404433, 0] ../lib/util/become_daemon.c:138(daemon_ready)
    daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
  [2021/02/02 00:30:55.580322, 0] ../lib/util/become_daemon.c:138(daemon_ready)
    daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
  [2021/02/02 00:37:24.710460, 0] ../lib/util/become_daemon.c:138(daemon_ready)
    daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
  [2021/02/02 01:03:36.359209, 0] ../source3/passdb/secrets.c:364(fetch_ldap_pw)
    fetch_ldap_pw: neither ldap secret retrieved!
  [2021/02/02 01:03:36.359231, 0] ../source3/passdb/pdb_ldap.c:6544(pdb_init_ldapsam_common)
    pdb_init_ldapsam_common: Failed to retrieve LDAP password from secrets.tdb
  [2021/02/02 01:03:36.359239, 0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
    pdb backend ldapsam:ldap://foo.bar.buzz did not correctly init (error was NT_STATUS_NO_MEMORY)
  [2021/02/02 01:06:21.950341, 0] ../lib/util/become_daemon.c:138(daemon_ready)
    daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections

I've confirmed with kerberos and sssd that I have a connection to the server and can acquire the tgt, but ultimately starting the service always fails with this message so long as I set the passdb to ldapsam.

Is this something that's supported by samba and I'm missing or have bad configs, or is this just not something that's supported? You can find testparm/config information below.
Cheers, and thanks for your time,
Christian

Here's my testparm + krb + sssd confs

testparm:

  [global]
    dedicated keytab file = /etc/krb5.keytab
    disable spoolss = Yes
    dns proxy = No
    kerberos method = dedicated keytab
    ldap suffix = dc=bar,dc=buzz
    load printers = No
    local master = No
    log file = /var/log/samba/clients/%m.log
    logging = syslog at 0 file
    max log size = 100
    max stat cache size = 65536
    max xmit = 1048676
    name resolve order = host wins bcast
    netbios name = FOO
    ntlm auth = ntlmv1-permitted
    passdb backend = ldapsam:ldap://foo.bar.buzz
    printcap name = /dev/null
    realm = BAR.BUZZ
    winbind use default domain = Yes
    workgroup = BAR
    idmap config bar : ldap_base_dn = dc=bar,dc=buzz
    idmap config bar : ldap_url = ldap://foo.bar.buzz
    idmap config bar : range = 10000-20000
    idmap config bar : schema_mode = rfc2307
    idmap config bar : backend = ldap
    idmap config * : backend = tdb

krb5.conf sections:

  [libdefaults]
    dns_lookup_realm = true
    kdc_timesynce = 1
    ccache_type = 4
    forwardable = true
    default_keytab_name = FILE:/etc/krb5.keytab
    dns_lookup_kdc = true
    default_realm = BAR.BUZZ

  [realms]
    BAR.BUZZ = {
      kdc = foo.bar.buzz
      admin_server = foo.bar.buzz
    }

  [domain_realm]
    .bar.buzz = BAR.BUZZ
    bar.buzz = BAR.BUZZ

sssd.conf:

  [sssd]
    domains = bar.buzz
    config_file_version = 2
    services = nss, pam

  [domain/bar.buzz]
    id_provider = ldap
    ldap_uri = ldap://foo.bar.buzz
    ldap_search_base = dc=bar,dc=buzz
    auth_provider = krb5
    krb5_server = foo.bar.buzz
    krb5_realm = BAR.BUZZ
    cache_credentials = True
    debug_level = 9
    ldap_id_use_start_tls = true
    ldap_tls_reqcert = demand
    ldap_tls_cacert = /etc/ssl/certs/cacert.pem
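An added check, not code from the thread, that parses a testparm-style [global] dump and flags the settings at issue in the post above: an ldapsam backend with no `ldap admin dn` (smbd binds as that DN with a password stored in secrets.tdb via `smbpasswd -w`, and the fetch_ldap_pw error in the log is what appears when that secret is absent), an `ntlm auth` value that still permits NTLMv1, and a keytab-based `kerberos method` with no `dedicated keytab file`. The sample input is constructed from the testparm output quoted above; the parameter names are real Samba parameters, and the `smbpasswd -w` remediation is standard Samba practice rather than something the thread states.

```python
"""Lint a testparm-style smb.conf dump for the settings discussed in this thread."""
import re

# Constructed sample: the relevant [global] lines from the testparm output above.
SAMPLE = """\
[global]
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = dedicated keytab
    ldap suffix = dc=bar,dc=buzz
    ntlm auth = ntlmv1-permitted
    passdb backend = ldapsam:ldap://foo.bar.buzz
    realm = BAR.BUZZ
    workgroup = BAR
    idmap config bar : backend = ldap
    idmap config * : backend = tdb
"""


def parse_global(text):
    """Return {parameter: value} for the [global] section; keys are lower-cased
    with whitespace collapsed, matching how Samba treats parameter names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params


def lint(params):
    """Return a list of findings (empty when none of the checked issues apply)."""
    findings = []
    if params.get("passdb backend", "").startswith("ldapsam") and "ldap admin dn" not in params:
        findings.append("ldapsam backend without 'ldap admin dn': smbd needs that bind DN "
                        "plus its password stored in secrets.tdb (smbpasswd -w), otherwise "
                        "pdb_init_ldapsam_common fails with fetch_ldap_pw")
    # 'yes' is the legacy spelling of ntlmv1-permitted.
    if params.get("ntlm auth", "").lower() in ("yes", "ntlmv1-permitted"):
        findings.append("ntlm auth permits NTLMv1; prefer 'ntlmv2-only'")
    if params.get("kerberos method", "").lower() == "dedicated keytab" \
            and "dedicated keytab file" not in params:
        findings.append("kerberos method = dedicated keytab but 'dedicated keytab file' is unset")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_global(SAMPLE)):
        print("-", finding)
```

Run against the quoted config it reports the ldapsam and NTLMv1 findings; the keytab check passes because `dedicated keytab file` is set.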
Rowland penny
2021-Feb-02 10:16 UTC
[Samba] LDAP + Keytab without requiring administrator logins
On 02/02/2021 09:46, Christian Kuntz via samba wrote:
> Hi all!
>
> I'm currently running Debian Buster with samba version 4.9.5+dfsg-5+deb10u1
> and trying to configure my setup to require only a keytab file and no
> administrator login information to accommodate automated smb
> provisioning.

As far as I am aware, only Administrator can join computers.

> I've confirmed with kerberos and sssd

Ah, there is a problem, you cannot use sssd with Samba >= 4.8.0

> that I have a connection to the
> server and can acquire the tgt, but ultimately starting the service always
> fails with this message so long as I set the passdb to ldapsam.

Why are you setting it to ldapsam?

> Is this something that's supported by samba and I'm missing or have bad
> configs, or is this just not something that's supported? You can find
> testparm/config information below.

The use of sssd with Samba >= 4.8.0 isn't supported; you must use winbind if you want shares. If you only require authentication, use sssd by itself.

Rowland