Rowland Penny
2023-Apr-13 21:15 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 13/04/2023 21:37, Daniel Lakeland via samba wrote:
> On 4/13/23 13:19, Rowland Penny via samba wrote:
>> What version of Debian were you running ?
>> What version of Samba were you running ?
>>
>> This could be just something as simple as you were running a version
>> of Samba <= 4.8.0 and need to install and run winbind.
>>
>> Rowland
>
> It would have been probably Debian Testing circa 2019 or something,
> let's say it was samba less than 4.8.0.
>
> I now have winbind installed via apt.
>
> If I do
>
> security = ads
>
> It fails to start and says:
>
> [2023/04/13 13:32:37.039004,  0] ../../source3/winbindd/winbindd_util.c:1235(init_domain_list)
>   Could not fetch our SID - did we join?

Exactly what it says, it expects the computer to be joined to a domain.

> if I do
>
> security = user
>
> It starts and says:
>
> [2023/04/13 13:34:06.986150,  3] ../../source3/winbindd/winbindd_util.c:291(add_trusted_domain)
>   add_trusted_domain: Added domain [BUILTIN] [(null)] [S-1-5-32]
> [2023/04/13 13:34:06.986190,  3] ../../source3/winbindd/winbindd_util.c:291(add_trusted_domain)
>   add_trusted_domain: Added domain [CHIMERA] [(null)] [S-1-5-21-2096409422-4100730907-3425993654]
> [2023/04/13 13:34:06.986522,  3] ../../librpc/rpc/dcesrv_core.c:2619(dcerpc_register_ep_server)
>   DCERPC endpoint server 'winbind' registered
> [2023/04/13 13:34:06.991408,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
>   Registered MSG_REQ_POOL_USAGE
>
> Where chimera is the hostname of the server.

It is attempting to connect to the Samba running on the computer.

> security = user is the config that used to work before the upgrade.

The Samba daemon smbd before 4.8.0 could connect to AD (or in this case a kerberos kdc) directly, but from 4.8.0 it has to go via winbind and has to be joined to the domain/kerberos realm.
You appear to be running a workgroup, but in the manner of a domain. Perhaps you should run it as a workgroup; you will then find out why AD domains replaced them.

Rowland
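For reference, the joined-member setup Rowland is describing, as an added example that is not part of the thread and not Samba project documentation: a minimal smb.conf for a Samba >= 4.8 domain member, where winbindd can "fetch our SID" because the machine has actually been joined. The realm EXAMPLE.COM, the workgroup EXAMPLE and the idmap ranges are assumed placeholders, not values taken from the thread (CHIMERA in the log above is the hostname, not a domain).

```ini
# /etc/samba/smb.conf for a Samba >= 4.8 domain member (added example;
# EXAMPLE.COM, EXAMPLE and the idmap ranges are assumed placeholders)
[global]
    security = ads
    realm = EXAMPLE.COM
    workgroup = EXAMPLE
    # Use the machine account from secrets.tdb and the system keytab for Kerberos
    kerberos method = secrets and keytab

    # Catch-all idmap backend for BUILTIN and any domain without its own config
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # Domain users and groups mapped deterministically from their RIDs
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    winbind use default domain = yes
    winbind refresh tickets = yes

# With security = ads the member must be joined before winbindd will start;
# otherwise init_domain_list() logs "Could not fetch our SID - did we join?"
# exactly as in the thread. Join and verify with:
#   net ads join -U Administrator
#   net ads testjoin     # prints "Join is OK" once secrets.tdb holds the machine account
#   wbinfo -t            # checks the machine account trust secret against the DC
#   wbinfo -u            # lists domain users resolved through winbind
```

The join writes the machine account password into secrets.tdb, which is what winbindd reads to obtain the domain SID at startup; the `security = user` start-up in the thread succeeds only because winbindd then falls back to the local machine SID and never contacts a DC or KDC.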
Daniel Lakeland
2023-Apr-13 21:42 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/13/23 14:15, Rowland Penny via samba wrote:
>> security = user is the config that used to work before the upgrade.
>
> The Samba daemon smbd before 4.8.0 could connect to AD (or in this
> case a kerberos kdc) directly, but from 4.8.0 it has to go via winbind
> and has to be joined to the domain/kerberos realm.
>
> You appear to be running a workgroup, but in the manner of a domain,
> perhaps you should run it as a workgroup, you will then find out why
> AD domains replaced them.

I'd like to reiterate, literally none of these people, many of whom are volunteers, want to join their personal laptops to an overarching AD domain. They don't want everyone who has ever volunteered in this lab for 3 weeks to have a login on their home laptop. No-one wants to be a part of an AD domain and it would be a HUGE security failure to do so.

Imagine if as a student to work for a few months in a lab you had to make 100 copies of your front door key, and they would be handed out to anyone who had ever worked in this lab in the past 15 years? Same idea.

What they want is to get a ticket from a KDC and use it to prove they're authorized to connect to an SMB server. They have kerberos set up and can get the tickets. This worked 100% fine for 15 years. Now it doesn't.

I'm fine with altering my configuration as needed to make it work now. What should I do? It's a huge regression if this fails to work anymore. Does anyone have an idea?