Zombie Ryushu
2023-Apr-13 19:50 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/13/23 15:28, Daniel Lakeland via samba wrote:
> I have a server that runs stand-alone with an LDAP directory and a KDC. The Linux machines have sssd to allow unified users etc. The clients are mostly MacOS and Windows machines that aren't part of an AD.
>
> This config has worked for 15 years, but after upgrading Debian and bringing in Samba Version 4.17.7-Debian it seems to be broken.
>
> I believe this is related to:
> https://lists.samba.org/archive/samba/2021-November/238720.html
>
> And other related discussions from earlier here:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001053
>
> It seems like some significant work has gone into security for Samba and that it's affected this kind of usage.
>
> My question is, what settings should I try or would be expected to work for a Samba server that is connected to an MIT Krb5 Realm and has users in an LDAP directory and does not have any kind of Active Directory anything? Especially settings for the following:
>
> Right now I have:
>
> workgroup = SOMEREALM.REALM
> log level = 3
>
> #security = user #this doesn't work either
> security = ads
> realm = SOMEREALM.REALM
> kerberos method = system keytab
>
> server signing = mandatory
> client signing = mandatory
> smb encrypt = mandatory
>
> server min protocol = SMB2
>
> strict locking = no
> dns proxy = no
>
> ...
>
> server role = standalone server
>
> idmap config * : backend = nss
> idmap config * : range = 1000-70000
> idmap config * : read only = yes

Not as an ADS server. I think you can still do that weird OpenLDAP/Kerberos enhanced Samba Classic NT Domain mode, but what you will create is not something modern Windows can log in to. But you have to set Samba to be an NT4 PDC with OpenLDAP backend and Kerberos frontend. I think the last Windows OS to support this is Windows 7.
Daniel Lakeland
2023-Apr-13 20:08 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/13/23 12:50, Zombie Ryushu via samba wrote:
> Not as an ADS server. I think you can still do that weird OpenLDAP/Kerberos enhanced Samba Classic NT Domain mode, but what you will create is not something modern Windows can log in to. But you have to set Samba to be an NT4 PDC with OpenLDAP backend and Kerberos frontend. I think the last Windows OS to support this is Windows 7.

Note that Windows 10 machines were perfectly fine with doing all of this a week ago until the version of Samba changed.

Also note that in this usage these devices are individual people's personal laptops and a mixture of Windows Home/Pro and MacOS versions from 5 years ago or more to now. Some of these people volunteer in the lab for 4 months, others are students for 6 years. Neither the users nor I want them to join their personal laptops to a domain they have no control over nor trust in. They want local logins on their machines and to get a ticket and connect to the SMB server.

The LDAP users with Kerberos tickets should not be able to log into the individual client machines. There is in essence "one-way authorization": the client with a Kerberos ticket is authorized to access the SMB server. There is no reciprocity to the client. This is 100% intentional and by design.

What settings would be required to make this work?
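A small audit of the kind of smb.conf fragment posted above, added here as an example and not code from either poster or from the Samba project: it parses `key = value` lines the way smbd reads them (comments, colon-style `idmap config` keys, last duplicate wins) and reports whether the signing, encryption and minimum-protocol settings the poster enforces are actually present. The sample config is constructed from the values quoted in the thread; it does not answer the thread's question about `security`/`server role`.

```python
import re

# Constructed sample taken from the settings quoted in the thread (abbreviated).
SAMPLE_SMB_CONF = """
workgroup = SOMEREALM.REALM
log level = 3
#security = user #this doesn't work either
security = ads
realm = SOMEREALM.REALM
kerberos method = system keytab
server signing = mandatory
client signing = mandatory
smb encrypt = mandatory
server min protocol = SMB2
server role = standalone server
idmap config * : backend = nss
idmap config * : range = 1000-70000
idmap config * : read only = yes
"""

def parse_smb_conf(text):
    """Return {key: value} for 'key = value' lines. Lines starting with '#' or ';'
    are comments and '[section]' headers are skipped; keys are lower-cased and
    whitespace-normalised, and a repeated key keeps its last value, as smbd does."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("["):
            continue
        key, sep, value = line.partition("=")   # split on the first '=' only
        if not sep:
            continue
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params

# The enforcement settings the poster relies on, with the value that enforces them.
HARDENING = {
    "server signing": "mandatory",
    "client signing": "mandatory",
    "smb encrypt": "mandatory",
    "server min protocol": "SMB2",
}

def audit(params):
    """Return (parameter, status) pairs: 'ok', 'missing', or 'weak:<value>'."""
    findings = []
    for key, want in HARDENING.items():
        have = params.get(key)
        if have is None:
            findings.append((key, "missing"))
        else:
            findings.append((key, "ok" if have.lower() == want.lower() else f"weak:{have}"))
    return findings

if __name__ == "__main__":
    for key, status in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"{key:20s} {status}")
```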