samba - Apr 2023 - Is LDAP + Kerberos without Active Directory no longer supported?

We are only talking about joining your server to your REALM not the clients.

It is possible to do this. See this example for FreeIPA:

https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html#domain-member-configuration-overview

But as you can see it is more complicated that just joining a Windows 
domain.

I think you should be able to do this with pam_krb and the nss IDMAP 
backend. But you will have to setup the keytab of your server etc.


Regards

Christian


Am 14.04.23 um 00:55 schrieb Daniel Lakeland via samba:
> Ok after installing libpam-winbind etc I had someone try to connect from 
> a MacOS and they got:
> 
> 
> [2023/04/13 15:50:50.002773,? 1] 
> ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
>  ? auth3_generate_session_info_pac: Unexpected PAC for 
> [testuser at OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
> [2023/04/13 15:50:50.002891,? 3] 
> ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
>  ? smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
> status[NT_STATUS_BAD_TOKEN_TYPE] || at 
> ../../source3/smbd/smb2_sesssetup.c:147
> [2023/04/13 15:50:59.914944,? 3] 
> ../../source3/smbd/server_exit.c:229(exit_server_common)
>  ? Server exit (NT_STATUS_END_OF_FILE)
> 
> So it looks like her mac tried to use her Kerberos identity but the 
> Samba daemon didn't like that because "in standalone mode"
> 
> the samba settings during this test were:
> 
> 
> security = user
> realm = OURREALM.REALM
> kerberos method = system keytab
> 
> server role = standalone server
> 
> 
>

On 4/14/23 02:47, Christian Naumer via samba wrote:
> We are only talking about joining your server to your REALM not the 
> clients.
>
> It is possible to do this. See this example for FreeIPA:
>
>
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html#domain-member-configuration-overview
>
>
> But as you can see it is more complicated that just joining a Windows 
> domain.
>
> I think you should be able to do this with pam_krb and the nss IDMAP 
> backend. But you will have to setup the keytab of your server etc.

Can you suggest how? Remember, the server is a member of the Kerberos 
realm already (and has been for 15 years), everyone can ssh into it 
using kerberos keys, you can NFS4 to it with Kerberos keys, and it has 
LDAP through 389-ds so that the users are unified across all the Linux 
machines. It runs sssd and sssd provides pam_sss which uses Kerberos. 
Kerberos and a keytab and all of that works fine. Also, Samba worked 
fine since 2008 when this was all set up and has been maintained 
continuously, until the upgrade. Now we can't figure out if there is any 
way for us to tell Samba to "don't worry about the AD extensions to
LDAP
and Kerberos, with SIDs and etc, just check the Kerberos ticket and let 
the user access the files if the user is an authentic unix user"

Any help would be appreciated. I'm beginning to suspect this 
functionality was lost.

What it comes down to is, what combination of Samba smb.conf settings 
should I try?