Rowland Penny
2023-Apr-14 16:16 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 14/04/2023 17:02, Daniel Lakeland via samba wrote:
> On 4/14/23 02:47, Christian Naumer via samba wrote:
>> We are only talking about joining your server to your REALM, not the clients.
>>
>> It is possible to do this. See this example for FreeIPA:
>>
>> https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html#domain-member-configuration-overview
>>
>> But as you can see it is more complicated than just joining a Windows domain.
>>
>> I think you should be able to do this with pam_krb and the nss IDMAP backend. But you will have to set up the keytab of your server etc.
>
> Can you suggest how? Remember, the server is a member of the Kerberos realm already (and has been for 15 years), everyone can ssh into it using Kerberos keys, you can NFS4 to it with Kerberos keys, and it has LDAP through 389-ds so that the users are unified across all the Linux machines. It runs sssd and sssd provides pam_sss which uses Kerberos. Kerberos and a keytab and all of that works fine. Also, Samba worked fine since 2008 when this was all set up and has been maintained continuously, until the upgrade. Now we can't figure out if there is any way for us to tell Samba to "don't worry about the AD extensions to LDAP and Kerberos, with SIDs and etc, just check the Kerberos ticket and let the user access the files if the user is an authentic unix user".
>
> Any help would be appreciated. I'm beginning to suspect this functionality was lost.
>
> What it comes down to is, what combination of Samba smb.conf settings should I try?

This intrigued me, so I went and tried this, and you need three computers:

A Samba AD DC (perhaps a computer just running a KDC, but I didn't try this)
A Samba Unix domain member running as a fileserver
A Samba standalone server as the client

You can get a Kerberos ticket on the client and then use this to connect to a share on the fileserver, which is as far as I went; it worked.

A lot of work for very little return, and I cannot be sure how fragile it will be.

Rowland
Daniel Lakeland
2023-Apr-14 16:48 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/14/23 09:16, Rowland Penny via samba wrote:
> This intrigued me, so I went and tried this and you need three computers:
>
> A samba AD DC (perhaps a computer just running a KDC, but I didn't try this)
> A Samba Unix domain member running as a fileserver
> A Samba Standalone server as the client

The problem is that number 2 here is talking to an AD DC; what I want is number 2 here talking to a KDC. How do I make the unix samba server authenticate the client without an AD but with a simple KDC?

What I'm getting from this conversation is "Samba dropped the ability to authenticate to a KDC which is not an AD DC", but no one seems to be able to confirm or deny this or provide settings which I should try to test this.

It appears that after 30 years Microsoft's strategy of "Embrace, Extend, and Extinguish" is complete...