Kees van Vloten
2023-Apr-14 09:03 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 14-04-2023 at 00:55, Daniel Lakeland via samba wrote:
> Ok after installing libpam-winbind etc I had someone try to connect
> from a MacOS and they got:
>
> [2023/04/13 15:50:50.002773,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
>   auth3_generate_session_info_pac: Unexpected PAC for [testuser at OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
> [2023/04/13 15:50:50.002891,  3] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:147
> [2023/04/13 15:50:59.914944,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
>   Server exit (NT_STATUS_END_OF_FILE)
>
> So it looks like her mac tried to use her Kerberos identity but the
> Samba daemon didn't like that because "in standalone mode"
>
> the samba settings during this test were:
>
> security = user
> realm = OURREALM.REALM
> kerberos method = system keytab
>
> server role = standalone server
>

You could try what Rowland suggests: set up AD and add the users in it.

There is no (strict) need to join the client machines, the AD-DC provides a KDC and an LDAP server. You can still use kinit on the clients to authenticate and get a ticket.

With an AD-DC and a fileserver (joined to the domain) (on separate machines) your scenario will work pretty much as it always did but with a recent Samba version.

Do you see any obstacles, Rowland?

- Kees.
Rowland Penny
2023-Apr-14 09:31 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 14/04/2023 10:03, Kees van Vloten via samba wrote:
>
> You could try what Rowland suggests: set up AD and add the users in it.
>
> There is no (strict) need to join the client machines, the AD-DC
> provides a KDC and an LDAP server. You can still use kinit on the clients
> to authenticate and get a ticket.
>
> With an AD-DC and a fileserver (joined to the domain) (on separate
> machines) your scenario will work pretty much as it always did but with
> a recent Samba version.
>
> Do you see any obstacles, Rowland?
>
> - Kees.
>

No, provided they can get a ticket from the KDC, they will get authentication and they will get a better supported product.

Rowland
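As an added example (not code from the thread or from Samba itself), a small Python check that reads the smb.conf settings quoted above, flags the standalone-role-plus-Kerberos combination that produced NT_STATUS_BAD_TOKEN_TYPE, and recognises the smbd log line; the domain-member config beside it follows the replies' suggestion, and its workgroup name is an assumed placeholder.

```python
# Constructed from the smb.conf settings quoted in the thread (the failing case).
STANDALONE_SMB_CONF = """
[global]
    security = user
    realm = OURREALM.REALM
    kerberos method = system keytab
    server role = standalone server
"""
# Constructed domain-member fileserver config as the replies suggest
# (the workgroup name is an assumed placeholder, not from the thread).
MEMBER_SMB_CONF = """
[global]
    security = ADS
    workgroup = OURREALM
    realm = OURREALM.REALM
    server role = member server
    kerberos method = secrets and keytab
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}, lowercased, comments skipped."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            cur = line[1:-1].strip().lower()
            sections.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, _, val = line.partition("=")  # split only at the first '='
            sections[cur][" ".join(key.split()).lower()] = val.strip().lower()
    return sections

def check_kerberos_role(text):
    """Finding or None: a standalone server with Kerberos configured rejects PACs."""
    g = parse_smb_conf(text).get("global", {})
    role = g.get("server role", "auto")
    if role == "auto":  # Samba derives the role from 'security' when it is unset
        role = "member server" if g.get("security", "user") in ("ads", "domain") else "standalone server"
    krb = "realm" in g or g.get("kerberos method", "default") != "default"
    if role == "standalone server" and krb:
        return ("standalone server role with Kerberos configured: Kerberos clients get "
                "NT_STATUS_BAD_TOKEN_TYPE; run an AD DC and join this host as a member server")
    return None

# True for the level-1 auth_generic.c log line quoted in the thread.
def is_standalone_pac_rejection(log_line):
    return "Unexpected PAC for" in log_line and "in standalone mode" in log_line
```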