Daniel Lakeland
2023-Apr-14 16:02 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/14/23 02:47, Christian Naumer via samba wrote:
> We are only talking about joining your server to your REALM not the
> clients.
>
> It is possible to do this. See this example for FreeIPA:
>
> https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html#domain-member-configuration-overview
>
> But as you can see it is more complicated than just joining a Windows
> domain.
>
> I think you should be able to do this with pam_krb and the nss IDMAP
> backend. But you will have to set up the keytab of your server etc.

Can you suggest how? Remember, the server is a member of the Kerberos realm already (and has been for 15 years), everyone can ssh into it using Kerberos keys, you can NFS4 to it with Kerberos keys, and it has LDAP through 389-ds so that the users are unified across all the Linux machines. It runs sssd and sssd provides pam_sss which uses Kerberos. Kerberos and a keytab and all of that works fine. Also, Samba worked fine since 2008 when this was all set up and has been maintained continuously, until the upgrade. Now we can't figure out if there is any way for us to tell Samba to "don't worry about the AD extensions to LDAP and Kerberos, with SIDs and etc, just check the Kerberos ticket and let the user access the files if the user is an authentic unix user".

Any help would be appreciated. I'm beginning to suspect this functionality was lost.

What it comes down to is, what combination of Samba smb.conf settings should I try?
Rowland Penny
2023-Apr-14 16:16 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 14/04/2023 17:02, Daniel Lakeland via samba wrote:
> On 4/14/23 02:47, Christian Naumer via samba wrote:
>> We are only talking about joining your server to your REALM not the
>> clients.
>>
>> It is possible to do this. See this example for FreeIPA:
>>
>> https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html#domain-member-configuration-overview
>>
>> But as you can see it is more complicated than just joining a Windows
>> domain.
>>
>> I think you should be able to do this with pam_krb and the nss IDMAP
>> backend. But you will have to set up the keytab of your server etc.
>
> Can you suggest how? Remember, the server is a member of the Kerberos
> realm already (and has been for 15 years), everyone can ssh into it
> using Kerberos keys, you can NFS4 to it with Kerberos keys, and it has
> LDAP through 389-ds so that the users are unified across all the Linux
> machines. It runs sssd and sssd provides pam_sss which uses Kerberos.
> Kerberos and a keytab and all of that works fine. Also, Samba worked
> fine since 2008 when this was all set up and has been maintained
> continuously, until the upgrade. Now we can't figure out if there is any
> way for us to tell Samba to "don't worry about the AD extensions to LDAP
> and Kerberos, with SIDs and etc, just check the Kerberos ticket and let
> the user access the files if the user is an authentic unix user".
>
> Any help would be appreciated. I'm beginning to suspect this
> functionality was lost.
>
> What it comes down to is, what combination of Samba smb.conf settings
> should I try?

This intrigued me, so I went and tried this, and you need three computers:

  A Samba AD DC (perhaps a computer just running a KDC, but I didn't try this)
  A Samba Unix domain member running as a fileserver
  A Samba standalone server as the client

You can get a Kerberos ticket on the client and then use this to connect to a share on the fileserver, which is as far as I went; it worked.
A lot of work for very little return, and I cannot be sure how fragile it will be.

Rowland
Christian Naumer
2023-Apr-14 18:20 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 14.04.23 at 18:02, Daniel Lakeland via samba wrote:
> Any help would be appreciated. I'm beginning to suspect this
> functionality was lost.

There were some people that posted here with the same problem. I have never done this. So everything from here is just "having an educated guess".

If you look at the link I posted, there is a smb.conf given. I would take that as a starting point and leave out IPA where possible. There idmap backend = sss is given. Does that exist on Debian? If not, idmap nss should work for you.

What I also think is important is:

  dedicated keytab file = FILE:/etc/samba/samba.keytab
  kerberos method = dedicated keytab

and

  # We force 'member server' role to allow winbind automatically
  # discover what is supported by the domain controller side
  server role = member server
  realm = IPA.REALM
  netbios name = ${machine_name}
  workgroup = ${netbios_name}

Apparently FreeIPA also has something like SID. Does your REALM have something like that?

In the meantime I tried to find some examples. I found this (where you also posted):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001053

This says two things: others have this working with Samba >4.8 (4.13 in the bug report), which means it should work for you (except for this bug). There are also some smb.conf given in that report.

Don't know if the above will help you...

Regards
Christian
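The settings Christian lists, assembled into one complete smb.conf as an added example (this is not the list poster's file, nor anything from the FreeIPA document or the Debian bug report). It assumes a fileserver that already holds a host keytab for a non-AD Kerberos realm and resolves users through sssd; the realm name EXAMPLE.ORG, the workgroup EXAMPLE, the NetBIOS name FILESERVER, the keytab path and the idmap ranges are all placeholder values to be replaced with the site's own.

```ini
# Added example, not from the thread: a Samba "member server" that trusts an
# existing non-AD Kerberos realm and takes uid/gid from sssd.
# All names, paths and ranges below are assumed placeholders.
[global]
    server role = member server
    security = ads
    realm = EXAMPLE.ORG              ; assumed: the existing Kerberos realm
    workgroup = EXAMPLE              ; assumed: short name used for idmap config
    netbios name = FILESERVER        ; assumed: this host's NetBIOS name

    ; Reuse the host keytab the site already maintains instead of letting
    ; Samba create and rotate /etc/krb5.keytab on its own.
    kerberos method = dedicated keytab
    dedicated keytab file = FILE:/etc/samba/samba.keytab

    ; Identity mapping: the "*" block is mandatory and catches well-known
    ; SIDs; the EXAMPLE block maps realm users via sssd. On a build without
    ; the sss backend, "nss" is the fallback Christian mentions.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = sss
    idmap config EXAMPLE : range = 10000-999999

    ; Raise the auth and winbind debug classes so a refused Kerberos
    ; logon shows why it failed instead of a bare NT_STATUS code.
    log level = 1 auth:3 winbind:2

[homes]
    comment = Home directories
    path = /home/%S
    browseable = no
    read only = no
    valid users = %S
```

Before restarting smbd, `testparm -s` checks the file for unknown or conflicting parameters, and `klist -kt /etc/samba/samba.keytab` confirms the keytab actually contains the host/ and cifs/ principals for FILESERVER that the ticket check depends on; a failure at either step is cheaper to diagnose than a refused SMB session.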