Christian Naumer
2023-Apr-14 09:47 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
We are only talking about joining your server to your REALM, not the clients.

It is possible to do this. See this example for FreeIPA: https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html#domain-member-configuration-overview

But as you can see it is more complicated than just joining a Windows domain.

I think you should be able to do this with pam_krb and the nss IDMAP backend. But you will have to set up the keytab of your server etc.

Regards
Christian

On 14.04.23 at 00:55, Daniel Lakeland via samba wrote:
> Ok after installing libpam-winbind etc I had someone try to connect from
> a MacOS and they got:
>
> [2023/04/13 15:50:50.002773,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
>   auth3_generate_session_info_pac: Unexpected PAC for [testuser@OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
> [2023/04/13 15:50:50.002891,  3] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:147
> [2023/04/13 15:50:59.914944,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
>   Server exit (NT_STATUS_END_OF_FILE)
>
> So it looks like her Mac tried to use her Kerberos identity but the
> Samba daemon didn't like that because "in standalone mode".
>
> The Samba settings during this test were:
>
> security = user
> realm = OURREALM.REALM
> kerberos method = system keytab
> server role = standalone server
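As an added example, not part of the thread or of Samba itself: a small Python parser for smbd debug-log records like the ones quoted above. The sample lines are constructed from the three records in the quoted mail (the mailing-list's "testuser at OURREALM.REALM" obfuscation is restored to a principal with "@" as an assumption). It pairs each "[timestamp, level] file:line(function)" header with the indented message that follows, pulls out the NT_STATUS code and the Kerberos principal, and flags the auth3_generate_session_info_pac rejection that smbd logs when a Kerberos ticket with a PAC reaches a server running as a standalone server. That is the one record worth alerting on here; the later NT_STATUS_BAD_TOKEN_TYPE in smb2_server.c and the NT_STATUS_END_OF_FILE exit are consequences of it.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three smbd records quoted in the thread, in the
# layout Samba writes at "log level" >= 1 (header line, then an indented
# message line). The principal is an assumed restoration of the list's
# "testuser at OURREALM.REALM" obfuscation.
SAMPLE_LOG = """\
[2023/04/13 15:50:50.002773,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Unexpected PAC for [testuser@OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2023/04/13 15:50:50.002891,  3] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:147
[2023/04/13 15:50:59.914944,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)
"""

# "[YYYY/MM/DD hh:mm:ss.uuuuuu, level] path:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>[^)]+)\)\s*$"
)
NTSTATUS_RE = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")
# A Kerberos principal in square brackets, e.g. "[user@REALM]"; "idx[1]" and
# "status[NT_STATUS_...]" contain no "@" and so do not match.
PRINCIPAL_RE = re.compile(r"\[(?P<princ>[^\[\]@\s]+@[^\[\]\s]+)\]")


@dataclass
class Record:
    ts: str
    level: int
    file: str
    line: int
    func: str
    message: str

    @property
    def nt_status(self) -> Optional[str]:
        m = NTSTATUS_RE.search(self.message)
        return m.group(0) if m else None

    @property
    def principal(self) -> Optional[str]:
        m = PRINCIPAL_RE.search(self.message)
        return m.group("princ") if m else None


def parse_smbd_log(text: str) -> list[Record]:
    """Pair each header line with the indented message line(s) under it.

    Message lines wrapped onto several physical lines (as happens when a
    log is pasted into mail) are joined back into one message string.
    """
    records: list[Record] = []
    current: Optional[Record] = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = Record(m["ts"], int(m["level"]), m["file"], int(m["line"]), m["func"], "")
            records.append(current)
        elif current is not None and raw.strip():
            current.message = (current.message + " " + raw.strip()).strip()
    return records


def find_standalone_pac_rejections(records: list[Record]) -> list[Record]:
    """Records where smbd refused a ticket carrying a PAC because it is a standalone server."""
    return [
        r for r in records
        if r.func == "auth3_generate_session_info_pac"
        and "in standalone mode" in r.message
        and r.nt_status == "NT_STATUS_BAD_TOKEN_TYPE"
    ]


def status_counts(records: list[Record]) -> dict[str, int]:
    """How often each NT_STATUS code appears; useful to separate cause from follow-on noise."""
    return dict(Counter(r.nt_status for r in records if r.nt_status))


if __name__ == "__main__":
    recs = parse_smbd_log(SAMPLE_LOG)
    for hit in find_standalone_pac_rejections(recs):
        print(f"{hit.ts} PAC rejected for {hit.principal}: smbd is in standalone mode ({hit.nt_status})")
    print(status_counts(recs))
```

Run it against the smbd log (log.smbd or the per-client log) rather than the sample; the only field the detection keys on is the function name plus the "in standalone mode" text, so it will not fire on the ordinary NT_STATUS_BAD_TOKEN_TYPE that the SMB2 layer repeats afterwards.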
Daniel Lakeland
2023-Apr-14 16:02 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/14/23 02:47, Christian Naumer via samba wrote:
> We are only talking about joining your server to your REALM, not the
> clients.
>
> It is possible to do this. See this example for FreeIPA:
>
> https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html#domain-member-configuration-overview
>
> But as you can see it is more complicated than just joining a Windows
> domain.
>
> I think you should be able to do this with pam_krb and the nss IDMAP
> backend. But you will have to set up the keytab of your server etc.

Can you suggest how? Remember, the server is a member of the Kerberos realm already (and has been for 15 years), everyone can ssh into it using Kerberos keys, you can NFS4 to it with Kerberos keys, and it has LDAP through 389-ds so that the users are unified across all the Linux machines. It runs sssd, and sssd provides pam_sss, which uses Kerberos. Kerberos and a keytab and all of that work fine.

Also, Samba worked fine since 2008 when this was all set up and has been maintained continuously, until the upgrade. Now we can't figure out if there is any way for us to tell Samba "don't worry about the AD extensions to LDAP and Kerberos, with SIDs etc., just check the Kerberos ticket and let the user access the files if the user is an authentic unix user".

Any help would be appreciated. I'm beginning to suspect this functionality was lost.

What it comes down to is, what combination of Samba smb.conf settings should I try?