Daniel Lakeland
2023-Apr-13 19:28 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
I have a server that runs stand-alone with an LDAP directory and a KDC. The Linux machines have sssd to allow unified users etc. The clients are mostly macOS and Windows machines that aren't part of an AD.

This config has worked for 15 years, but after upgrading Debian and bringing in Samba Version 4.17.7-Debian it seems to be broken.

I believe this is related to:
https://lists.samba.org/archive/samba/2021-November/238720.html

And other related discussions from earlier here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001053

It seems like some significant work has gone into security for samba and that it's affected this kind of usage.

My question is, what settings should I try or would be expected to work for a Samba server that is connected to an MIT Krb5 Realm and has users in an LDAP directory and does not have any kind of Active Directory anything? Especially settings for the following:

Right now I have:

   workgroup = SOMEREALM.REALM

   log level = 3

   #security = user #this doesn't work either
   security = ads
   realm = SOMEREALM.REALM
   kerberos method = system keytab

   server signing = mandatory
   client signing = mandatory
   smb encrypt = mandatory

   server min protocol = SMB2

   strict locking = no
   dns proxy = no

   ...

   server role = standalone server

   idmap config * : backend = nss
   idmap config * : range = 1000-70000
   idmap config * : read only = yes
Rowland Penny
2023-Apr-13 19:49 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 13/04/2023 20:28, Daniel Lakeland via samba wrote:
> I have a server that runs stand-alone with an LDAP directory and a KDC.
> The linux machines have sssd to allow unified users etc. The clients are
> mostly MacOS and Windows machines that aren't part of an AD.

It probably is supposed to work, but you have just basically described AD: DNS (you have to have this for kerberos), ldap and kerberos. You will probably find Samba AD easier to maintain.

Rowland
Zombie Ryushu
2023-Apr-13 19:50 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/13/23 15:28, Daniel Lakeland via samba wrote:
> I have a server that runs stand-alone with an LDAP directory and a KDC.
> The linux machines have sssd to allow unified users etc. The clients
> are mostly MacOS and Windows machines that aren't part of an AD.
>
> This config has worked for 15 years, but after upgrading Debian and
> bringing in Samba Version 4.17.7-Debian it seems to be broken.
>
> I believe this is related to:
> https://lists.samba.org/archive/samba/2021-November/238720.html
>
> And other related discussions from earlier here:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001053
>
> It seems like some significant work has gone into security for samba
> and that it's affected this kind of usage.
>
> My question is, what settings should I try or would be expected to
> work for a Samba server that is connected to an MIT Krb5 Realm and has
> users in an LDAP directory and does not have any kind of Active
> Directory anything? Especially settings for the following:
>
> Right now I have:
>
>    workgroup = SOMEREALM.REALM
>
>    log level = 3
>
>    #security = user #this doesn't work either
>    security = ads
>    realm = SOMEREALM.REALM
>    kerberos method = system keytab
>
>    server signing = mandatory
>    client signing = mandatory
>    smb encrypt = mandatory
>
>    server min protocol = SMB2
>
>    strict locking = no
>    dns proxy = no
>
>    ...
>
>    server role = standalone server
>
>    idmap config * : backend = nss
>    idmap config * : range = 1000-70000
>    idmap config * : read only = yes

Not as an ADS Server. I think you can still do that weird OpenLDAP/Kerberos enhanced Samba Classic NT Domain mode, but what you will create is not something modern Windows can log in to. But you have to set Samba to be an NT4 PDC with OpenLDAP backend and Kerberos frontend. I think the last Windows OS to support this is Windows 7.
Daniel Lakeland
2023-Apr-16 23:51 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/13/23 12:28, Daniel Lakeland via samba wrote:

Hi all, for those who are interested in this issue, it appears that this may have changed very recently.

On my home server, which is running samba 4.16.0+dfsg-7, I am able to connect with smbclient as follows:

   smbclient --use-kerberos=required "//localserver.lan/dlakelan"

However, at the remote site where we are running 4.17.7+dfsg-1, after dealing with some issues regarding firewalls, I tried to connect using:

   smbclient --use-kerberos=required --user="dlakelan at REMOTE.REALM" //remote.host.name/dlakelan

I get the result:

   session setup failed: NT_STATUS_BAD_TOKEN_TYPE

and the remote log says:

[2023/04/16 16:38:22.349790,  1] ../../source3/librpc/crypto/gse_krb5.c:185(fill_mem_keytab_from_secrets)
  fill_mem_keytab_from_secrets: secrets_fetch_or_upgrade_domain_info(REMOTE.REALM) - NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2023/04/16 16:38:22.349811,  3] ../../source3/librpc/crypto/gse_krb5.c:582(gse_krb5_get_server_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:582: Warning! Unable to set mem keytab from secrets!
[2023/04/16 16:38:22.441568,  1] ../../source3/librpc/crypto/gse_krb5.c:185(fill_mem_keytab_from_secrets)
  fill_mem_keytab_from_secrets: secrets_fetch_or_upgrade_domain_info(REMOTE.REALM) - NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2023/04/16 16:38:22.441631,  3] ../../source3/librpc/crypto/gse_krb5.c:582(gse_krb5_get_server_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:582: Warning! Unable to set mem keytab from secrets!
[2023/04/16 16:38:22.443158,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Unexpected PAC for [dlakelan at REMOTE.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2023/04/16 16:38:22.443233,  3] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:147
[2023/04/16 16:38:22.467480,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)

Both sites are running:

   server role = standalone server

and have a relevant kerberos realm (it's different realms but both are working fine in general).

Did something happen between 4.16.0 and 4.17.7 in which samba would refuse to do anything with a kerberos ticket when in standalone mode?
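The smbd log excerpt in the last message lends itself to automated triage; as an added example that is not code from the thread or from Samba, this Python script pairs each smbd header line with its message, extracts the NT_STATUS codes and flags the "Unexpected PAC ... in standalone mode" rejection the thread describes. The sample log is constructed from the quoted lines, with the principal written as dlakelan@REMOTE.REALM.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the smbd log lines quoted in the thread.
SAMPLE_LOG = """\
[2023/04/16 16:38:22.349790,  1] ../../source3/librpc/crypto/gse_krb5.c:185(fill_mem_keytab_from_secrets)
  fill_mem_keytab_from_secrets: secrets_fetch_or_upgrade_domain_info(REMOTE.REALM) - NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2023/04/16 16:38:22.349811,  3] ../../source3/librpc/crypto/gse_krb5.c:582(gse_krb5_get_server_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:582: Warning! Unable to set mem keytab from secrets!
[2023/04/16 16:38:22.443158,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Unexpected PAC for [dlakelan@REMOTE.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2023/04/16 16:38:22.443233,  3] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:147
"""

# smbd header line "[timestamp, level] path:line(function)"; the message sits on the next line.
HEADER = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)")
STATUS = re.compile(r"NT_STATUS_[A-Z_]+")
PAC_REJECT = re.compile(r"Unexpected PAC for \[([^\]]+)\] in standalone mode")


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Pair each header line with the indented message line that follows it."""
    entries: List[Dict[str, str]] = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if not m:
            continue
        msg = lines[i + 1].strip() if i + 1 < len(lines) else ""
        s = STATUS.search(msg)
        entries.append({**m.groupdict(), "msg": msg, "status": s.group(0) if s else ""})
    return entries


def diagnose(text: str) -> Dict[str, object]:
    """Summarise a failed Kerberos session setup on a standalone Samba server."""
    entries = parse_entries(text)
    statuses = [e["status"] for e in entries if e["status"]]
    # No domain secrets exist in standalone mode, so the in-memory keytab load warns first.
    keytab_warning = any("Unable to set mem keytab" in e["msg"] for e in entries)
    pac_user = None
    for e in entries:
        m = PAC_REJECT.search(e["msg"])
        if m:
            pac_user = m.group(1)  # principal whose PAC-bearing ticket was refused
    if pac_user and "NT_STATUS_BAD_TOKEN_TYPE" in statuses:
        cause = "standalone server refused a Kerberos ticket carrying a PAC"
    else:
        cause = "no standalone-mode PAC rejection found"
    return {"statuses": statuses, "keytab_warning": keytab_warning,
            "pac_rejected_user": pac_user, "root_cause": cause}
```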