Rowland Penny
2023-Apr-14 17:20 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 14/04/2023 17:48, Daniel Lakeland via samba wrote:
> On 4/14/23 09:16, Rowland Penny via samba wrote:
>>
>> This intrigued me, so I went and tried this and you need three computers:
>>
>> A samba AD DC (perhaps a computer just running a KDC, but I didn't try
>> this)
>> A Samba Unix domain member running as a fileserver
>> A Samba Standalone server as the client
>
> The problem is that number 2 here is talking to an AD DC, what I want is
> number 2 here is talking to a KDC.

Whatever happens, you are going to have to join a computer to a KDC, I just used what I know as a proof of concept.
The problem, as far as I could see, is that the fileserver has to have a 'cifs' SPN and I could only get this on a joined computer. I could get a Kerberos ticket on the client from the AD DC (KDC), but couldn't do anything with it, because of the lack of the cifs SPN.

>
> How do I make the unix samba server authenticate the client without an
> AD but with a simple KDC?

No idea, I have no use for such a setup, so have never tried. I think, unless someone has already done what you require, you may be on your own.

>
> What I'm getting from this conversation is "Samba dropped the ability to
> authenticate to a KDC which is not an AD DC" but no-one seems to be able
> to confirm or deny this or provide settings which I should try to test
> this. It appears that after 30 years Microsoft's strategy of "Embrace,
> Extend, and Extinguish" is complete...
>

I wasn't even aware that this was possible until you said it had stopped working, so have no idea just why it stopped working. If you can identify just when it stopped working and, better still, why, you will stand a chance of getting it fixed. As for Microsoft, it is a very different beast now compared with 30 years ago.

Rowland
Daniel Lakeland
2023-Apr-14 17:33 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/14/23 10:20, Rowland Penny via samba wrote:
> On 14/04/2023 17:48, Daniel Lakeland via samba wrote:
>> On 4/14/23 09:16, Rowland Penny via samba wrote:
>>>
>>> This intrigued me, so I went and tried this and you need three
>>> computers:
>>>
>>> A samba AD DC (perhaps a computer just running a KDC, but I didn't
>>> try this)
>>> A Samba Unix domain member running as a fileserver
>>> A Samba Standalone server as the client
>>
>> The problem is that number 2 here is talking to an AD DC, what I want
>> is number 2 here is talking to a KDC.
>
> Whatever happens, you are going to have to join a computer to a KDC, I
> just used what I know as a proof of concept.
> The problem, as far as I could see, is that the fileserver has to have
> a 'cifs' SPN and I could only get this on a joined computer. I could
> get a kerberos ticket on the client from the AD DC (KDC), but couldn't
> do anything with it, because of the lack of the cifs SPN.

The Samba Unix file server **is** joined to a KDC. And yes, there's a cifs/my.server.name principal in the keytab, and has been for 15 years.

> I wasn't even aware that this was possible until you said it had
> stopped working, so have no idea just why it stopped working. If you
> can identify just when it stopped working and, better still, why, you
> will stand a chance of getting it fixed. As for Microsoft, it is a
> very different beast now compared with 30 years ago.

My strong impression is it stopped working as soon as samba moved to using winbind as a response to some security concerns linked in the original post. The issues aren't with the client, it's with the Samba server being unable to check the ticket, apparently because "checking the ticket" has been outsourced to winbindd, and winbindd only knows about checking tickets from AD because it requires SIDs etc. There is no "standalone with kerberos" mode as far as I can tell?

I'm hoping someone will correct me on this and tell me that I can configure winbindd or samba in some way so that it understands that it's "standalone with kerberos". But it's looking more and more like the solution is to upgrade the 3-4 Windows client machines involved to Win 10 Pro and use NFS4 on Windows and Mac.
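Rowland's test hinged on the file server having a cifs/ SPN, and Daniel answers that the principal has been in the keytab for years. Before blaming winbindd, a practitioner would want to confirm two things on the file server: that the keytab really holds cifs/<the name clients connect to> and that its key version (KVNO) matches the version the KDC issued the client's service ticket under, since a mismatch also shows up as "server cannot check the ticket". The script below is an added example written for this page; it is not code from the thread, from Samba, or from either KDC. It parses constructed `klist -k` and `kvno` listings for an assumed host fs.example.org in an assumed realm EXAMPLE.ORG so it runs offline; on a real server feed it `klist -k /etc/krb5.keytab` (MIT) or `ktutil list` (Heimdal) and, on a client after kinit, `kvno cifs/<fqdn>`.

```sh
#!/bin/sh
# Added example (not from the thread or from Samba): check a Samba file
# server's keytab for the cifs/<fqdn> SPN and for a key version matching
# the client's service ticket.  Host, realm and listings are constructed.

# Constructed `klist -k /etc/krb5.keytab` listing (MIT layout; the Heimdal
# `ktutil list` layout with an extra enctype column is parsed too).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fs.example.org@EXAMPLE.ORG
   3 cifs/fs.example.org@EXAMPLE.ORG
   2 cifs/fs.example.org@EXAMPLE.ORG'

# Constructed output of `kvno cifs/fs.example.org` run on a client after kinit.
SAMPLE_KVNO='cifs/fs.example.org@EXAMPLE.ORG: kvno = 3'

# has_cifs_spn FQDN : read a keytab listing on stdin; exit 0 if any entry is
# cifs/FQDN@<realm>, 1 otherwise.  FQDN must be the name clients actually use
# to reach the share (SMB clients request cifs/<name-they-connected-to>).
has_cifs_spn() {
  awk -v pfx="cifs/$1@" '
    { for (i = 1; i <= NF; i++) if (index($i, pfx) == 1) found = 1 }
    END { exit found ? 0 : 1 }'
}

# cifs_spn_kvno FQDN : print the highest KVNO stored for cifs/FQDN, or nothing
# if the SPN is absent.
cifs_spn_kvno() {
  awk -v pfx="cifs/$1@" '
    $1 ~ /^[0-9]+$/ {
      for (i = 2; i <= NF; i++)
        if (index($i, pfx) == 1 && $1 + 0 >= max) { max = $1 + 0; found = 1 }
    }
    END { if (found) print max }'
}

# ticket_kvno : read `kvno` output on stdin and print the key version the KDC
# issued the service ticket under.
ticket_kvno() {
  awk -F'kvno = ' 'NF > 1 { print $2 + 0; exit }'
}

# keytab_matches_ticket FQDN TICKET_KVNO : exit 0 when the keytab listing on
# stdin holds a cifs/FQDN key at exactly TICKET_KVNO, which is the key the
# server needs to decrypt that ticket; 1 otherwise (e.g. after a key rollover
# on the KDC that was never exported into the server's keytab).
keytab_matches_ticket() {
  awk -v pfx="cifs/$1@" -v want="$2" '
    $1 == want + 0 { for (i = 2; i <= NF; i++) if (index($i, pfx) == 1) ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Usage on the constructed data.
if printf '%s\n' "$SAMPLE_KLIST" | has_cifs_spn fs.example.org; then
  echo "cifs/fs.example.org present, highest kvno $(printf '%s\n' "$SAMPLE_KLIST" | cifs_spn_kvno fs.example.org)"
else
  echo "no cifs/fs.example.org entry in keytab"
fi
tk=$(printf '%s\n' "$SAMPLE_KVNO" | ticket_kvno)
if printf '%s\n' "$SAMPLE_KLIST" | keytab_matches_ticket fs.example.org "$tk"; then
  echo "keytab holds kvno $tk for the cifs SPN; ticket is decryptable"
else
  echo "ticket kvno $tk not in keytab; re-export the cifs key from the KDC"
fi
```

Two caveats when running this for real: the name passed in must be exactly what Windows and macOS clients put in the TGS request (normally the DNS name typed in the UNC path, which may differ from `hostname -f` or an alias), and a matching kvno proves only that the server can decrypt the ticket, not that Samba's authentication path will accept it once decrypted, which is the separate question this thread is about.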
Ralph Boehme
2023-Apr-14 17:37 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/14/23 19:20, Rowland Penny via samba wrote:
> On 14/04/2023 17:48, Daniel Lakeland via samba wrote:
>> On 4/14/23 09:16, Rowland Penny via samba wrote:
>>>
>>> This intrigued me, so I went and tried this and you need three
>>> computers:
>>>
>>> A samba AD DC (perhaps a computer just running a KDC, but I didn't
>>> try this)
>>> A Samba Unix domain member running as a fileserver
>>> A Samba Standalone server as the client
>>
>> The problem is that number 2 here is talking to an AD DC, what I want
>> is number 2 here is talking to a KDC.
>
> Whatever happens, you are going to have to join a computer to a KDC, I
> just used what I know as a proof of concept.
> The problem, as far as I could see, is that the fileserver has to have a
> 'cifs' SPN and I could only get this on a joined computer. I could get a
> kerberos ticket on the client from the AD DC (KDC), but couldn't do
> anything with it, because of the lack of the cifs SPN.
>
>> How do I make the unix samba server authenticate the client without an
>> AD but with a simple KDC?
>
> No idea, I have no use for such a set up, so have never tried. I think,
> unless someone has already done what you require, you may be on your own.

This has been a quite common setup in certain environments. IIRC it should still work. IIRC when we applied security hardening recently we changed to reject service tickets with a PAC when we're running in security=user mode, but the details escape my mind.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba
SAMBA+ packages https://samba.plus/