Rowland penny
2021-Feb-02 10:16 UTC
[Samba] LDAP + Keytab without requiring administrator logins
On 02/02/2021 09:46, Christian Kuntz via samba wrote:
> Hi all!
>
> I'm currently running Debian Buster with samba version 4.9.5+dfsg-5+deb10u1
> and trying to configure my setup to require only a keytab file and no
> administrator login information to accommodate for automated smb
> provisioning.

As far as I am aware, only Administrator can join computers.

> I've confirmed with kerberos and sssd

Ah, there is a problem, you cannot use sssd with Samba >= 4.8.0

> that I have a connection to the
> server and can acquire the tgt, but ultimately starting the service always
> fails with this message so long as I set the passdb to ldapsam.

Why are you setting it to ldapsam?

> Is this something that's supported by samba and I'm missing or have bad
> configs, or is this just not something that's supported? You can find
> testparm/config information below.

The use of sssd with Samba >= 4.8.0 isn't supported, you must use winbind if you want shares; if you only require authentication, use sssd by itself.

Rowland
Christian Kuntz
2021-Feb-03 00:44 UTC
[Samba] LDAP + Keytab without requiring administrator logins
Apologies for the duplicated email, replying back to the mailing list as well:

Thanks for the response!

> As far as I am aware, only Administrator can join computers.

So if I'm understanding correctly, in order to utilize the LDAP server I need to initialize the secrets.tdb with Administrator credentials?

> Ah, there is a problem, you cannot use sssd with Samba >= 4.8.0

I don't know if I've explained appropriately here, but sssd is providing authentication and winbind is running, allowing AD/LDAP users to mount shares. We've found this method to work well for AD and LDAP, but are having trouble with this particular challenge of allowing LDAP users to mount shares without requiring the samba server to have LDAP admin credentials, using only a fully provisioned and valid keytab.

> Why are you setting it to ldapsam?

We want users to be resolved over LDAP; I'm under the impression from reading the documentation and testing that this setting is required to allow ldap users to mount shares.

From the documentation, the kerberos method setting seems to imply that the secrets.tdb does not need to be initialized <https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#KERBEROSMETHOD> and only a valid keytab (which we have) is required. No matter the setting, it will complain that it cannot find the LDAP credentials in secrets.tdb, even when it is configured not to use it.

Christian

On Tue, Feb 2, 2021 at 2:17 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 02/02/2021 09:46, Christian Kuntz via samba wrote:
> > Hi all!
> >
> > I'm currently running Debian Buster with samba version 4.9.5+dfsg-5+deb10u1
> > and trying to configure my setup to require only a keytab file and no
> > administrator login information to accommodate for automated smb
> > provisioning.
>
> As far as I am aware, only Administrator can join computers.
>
> > I've confirmed with kerberos and sssd
>
> Ah, there is a problem, you cannot use sssd with Samba >= 4.8.0
>
> > that I have a connection to the
> > server and can acquire the tgt, but ultimately starting the service always
> > fails with this message so long as I set the passdb to ldapsam.
>
> Why are you setting it to ldapsam?
>
> > Is this something that's supported by samba and I'm missing or have bad
> > configs, or is this just not something that's supported? You can find
> > testparm/config information below.
>
> The use of sssd with Samba >= 4.8.0 isn't supported, you must use winbind if you want shares; if you only require authentication, use sssd by itself.
>
> Rowland
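The exchange above turns on two separate smb.conf settings that the poster expected to interact: `passdb backend = ldapsam` (which makes smbd bind to LDAP with the `ldap admin dn` password kept in secrets.tdb, stored via `smbpasswd -w`) and `kerberos method` (which only decides where the machine's Kerberos key comes from). The following linter is an added example written for this page, not code from the Samba project or from either participant; the sample smb.conf and every value in it (realm, LDAP URL, keytab path) are constructed for the example. It parses the `[global]` section and reports the combinations that produce the "cannot find LDAP credentials in secrets.tdb" situation described in the thread.

```python
"""Lint an smb.conf for the ldapsam / kerberos-method interaction discussed above.

Added example, not Samba project code. The sample configuration below is
constructed; its values are assumptions, not settings taken from the thread.
"""
import configparser

# Constructed smb.conf resembling the poster's setup (all values are assumptions).
SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE
realm = EXAMPLE.ORG
security = ads
passdb backend = ldapsam:ldap://ldap.example.org
kerberos method = secrets and keytab
dedicated keytab file = /etc/samba/smb.keytab

[homes]
browseable = no
"""

# Values documented for the smb.conf 'kerberos method' parameter.
KERBEROS_METHODS = {
    "default", "system keytab", "dedicated keytab",
    "secrets only", "secrets and keytab",
}


def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict (keys lowercased).

    smb.conf uses 'key = value' lines; only '=' is a delimiter so that LDAP
    URLs in values such as 'ldapsam:ldap://...' are not split on ':'.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return dict(cp["global"]) if cp.has_section("global") else {}


def lint_smb_conf(text):
    """Return a list of (code, explanation) findings for the [global] section."""
    g = parse_global(text)
    findings = []

    backend = g.get("passdb backend", "tdbsam").strip()
    if backend.split(":", 1)[0].lower() == "ldapsam":
        findings.append((
            "LDAPSAM_NEEDS_SECRET",
            "passdb backend = ldapsam: smbd binds to LDAP with the 'ldap admin dn' "
            "password stored in secrets.tdb (set with 'smbpasswd -w'); a Kerberos "
            "keytab does not replace that bind credential.",
        ))

    method = g.get("kerberos method", "default").strip().lower()
    if method not in KERBEROS_METHODS:
        findings.append((
            "UNKNOWN_KERBEROS_METHOD",
            f"kerberos method = {method!r} is not a documented value.",
        ))
    elif method == "dedicated keytab" and "dedicated keytab file" not in g:
        findings.append((
            "DEDICATED_KEYTAB_FILE_MISSING",
            "kerberos method = dedicated keytab requires 'dedicated keytab file'.",
        ))

    # 'kerberos method' only selects the source of the machine Kerberos key;
    # it never changes how a passdb backend authenticates to LDAP.
    if g.get("security", "").strip().lower() == "ads" and findings and \
            findings[0][0] == "LDAPSAM_NEEDS_SECRET":
        findings.append((
            "ADS_WITH_LDAPSAM",
            "security = ads with ldapsam: on an AD domain member, domain users are "
            "resolved through winbind (idmap), not through an ldapsam passdb.",
        ))
    return findings


if __name__ == "__main__":
    for code, explanation in lint_smb_conf(SAMPLE_SMB_CONF):
        print(f"{code}: {explanation}")
```

Run against a real file with `lint_smb_conf(open("/etc/samba/smb.conf").read())`; `testparm -s` output works just as well as input, since it prints the same `key = value` layout.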