Rowland Penny
2023-Apr-14 18:01 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 14/04/2023 18:37, Ralph Boehme via samba wrote:
> On 4/14/23 19:20, Rowland Penny via samba wrote:
>> On 14/04/2023 17:48, Daniel Lakeland via samba wrote:
>>> On 4/14/23 09:16, Rowland Penny via samba wrote:
>>>> This intrigued me, so I went and tried this and you need three computers:
>>>>
>>>> A Samba AD DC (perhaps a computer just running a KDC, but I didn't try this)
>>>> A Samba Unix domain member running as a fileserver
>>>> A Samba standalone server as the client
>>>
>>> The problem is that number 2 here is talking to an AD DC; what I want is number 2 here talking to a KDC.
>>
>> Whatever happens, you are going to have to join a computer to a KDC; I just used what I know as a proof of concept.
>> The problem, as far as I could see, is that the fileserver has to have a 'cifs' SPN and I could only get this on a joined computer. I could get a Kerberos ticket on the client from the AD DC (KDC), but couldn't do anything with it, because of the lack of the cifs SPN.
>>
>>> How do I make the Unix Samba server authenticate the client without an AD but with a simple KDC?
>>
>> No idea, I have no use for such a set up, so have never tried. I think, unless someone has already done what you require, you may be on your own.
>
> This has been a quite common setup in certain environments. IIRC it should still work. IIRC when we applied security hardening recently we changed to reject service tickets with a PAC when we're running in security=user mode, but the details escape my mind.
>
> -slow

It may be a common setup, but it isn't one I have come across before (which doesn't mean much), but I think I have proof it should still work, but perhaps just not as it did.
It doesn't help that Daniel isn't sure what version of Samba he was using and on what version of Debian (?). If we could find out these, we may be able to track down what changed and when.

Rowland
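The sticking point above is whether the file server's keytab actually carries a cifs/ service principal for its own name. Here is an added example (not from the thread, not Samba project code) of a small check that reads the text output of MIT Kerberos `klist -k` from stdin and reports which service principals a given host has in a realm, and whether cifs/<fqdn>@REALM is among them. It assumes the MIT `klist -k` layout (KVNO column followed by the principal); Heimdal's `ktutil list` prints a different layout and is not handled. The two keytab listings embedded below are constructed samples, one for a joined member with host/ and cifs/ entries, one with only host/, which is the situation described above where a ticket is obtained but cannot be used for SMB.

```shell
# Added example (not from the thread): given MIT Kerberos `klist -k <keytab>`
# output on stdin, list the service principals present for a host in a realm
# and check for the cifs/<fqdn>@REALM principal a Samba file server needs.
# Assumes the MIT layout shown in the constructed samples below.

# Print the service names (e.g. "host cifs") found for host $1 in realm $2,
# space-separated, in keytab order, de-duplicated across key versions.
keytab_services_for_host() {
    want_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # SPN host parts are case-insensitive
    awk -v host="$want_host" -v realm="$2" '
        # Entry lines look like "   2 cifs/fs1.example.com@EXAMPLE.COM";
        # the "Keytab name:", "KVNO Principal" and "---- ----" lines are skipped.
        NF == 2 && $1 ~ /^[0-9]+$/ {
            if (split($2, parts, "@") != 2 || parts[2] != realm) next
            if (split(parts[1], sp, "/") != 2 || tolower(sp[2]) != host) next
            if (!(sp[1] in seen)) { seen[sp[1]] = 1; out = out (out == "" ? "" : " ") sp[1] }
        }
        END { print out }'
}

# Succeed (exit 0) only if a cifs/ SPN for host $1 in realm $2 is present.
check_cifs_spn() {
    case " $(keytab_services_for_host "$1" "$2") " in
        *" cifs "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: keytab of a joined domain member (host/ and cifs/ present).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fs1.example.com@EXAMPLE.COM
   2 cifs/fs1.example.com@EXAMPLE.COM'

# Constructed sample: only a host/ principal, so SMB clients holding a valid
# ticket still have no cifs/ service principal to present it to.
SAMPLE_KLIST_NOCIFS='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fs1.example.com@EXAMPLE.COM'

# Stand-alone run; on a real file server replace the printf with:
#   klist -k /etc/krb5.keytab | check_cifs_spn "$(hostname -f)" EXAMPLE.COM
for sample in "$SAMPLE_KLIST" "$SAMPLE_KLIST_NOCIFS"; do
    if printf '%s\n' "$sample" | check_cifs_spn fs1.example.com EXAMPLE.COM; then
        echo "cifs SPN present for fs1.example.com"
    else
        echo "cifs SPN missing for fs1.example.com; found: $(printf '%s\n' "$sample" | keytab_services_for_host fs1.example.com EXAMPLE.COM)"
    fi
done
```

The realm comparison is deliberately case-sensitive (realms are) while the host part is folded to lower case, so a keytab written with an upper-case hostname still matches the FQDN reported by `hostname -f`.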
Robert Schetterer
2023-Apr-14 19:49 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 14.04.23 at 20:01, Rowland Penny via samba wrote:
> On 14/04/2023 18:37, Ralph Boehme via samba wrote:
>> On 4/14/23 19:20, Rowland Penny via samba wrote:
>>> On 14/04/2023 17:48, Daniel Lakeland via samba wrote:
>>>> On 4/14/23 09:16, Rowland Penny via samba wrote:
>>>>> This intrigued me, so I went and tried this and you need three computers:
>>>>>
>>>>> A Samba AD DC (perhaps a computer just running a KDC, but I didn't try this)
>>>>> A Samba Unix domain member running as a fileserver
>>>>> A Samba standalone server as the client
>>>>
>>>> The problem is that number 2 here is talking to an AD DC; what I want is number 2 here talking to a KDC.
>>>
>>> Whatever happens, you are going to have to join a computer to a KDC; I just used what I know as a proof of concept.
>>> The problem, as far as I could see, is that the fileserver has to have a 'cifs' SPN and I could only get this on a joined computer. I could get a Kerberos ticket on the client from the AD DC (KDC), but couldn't do anything with it, because of the lack of the cifs SPN.
>>>
>>>> How do I make the Unix Samba server authenticate the client without an AD but with a simple KDC?
>>>
>>> No idea, I have no use for such a set up, so have never tried. I think, unless someone has already done what you require, you may be on your own.
>>
>> This has been a quite common setup in certain environments. IIRC it should still work. IIRC when we applied security hardening recently we changed to reject service tickets with a PAC when we're running in security=user mode, but the details escape my mind.
>>
>> -slow
>
> It may be a common setup, but it isn't one I have come across before (which doesn't mean much), but I think I have proof it should still work, but perhaps just not as it did.
> It doesn't help that Daniel isn't sure what version of Samba he was using and on what version of Debian (?). If we could find out these, we may be able to track down what changed and when.
>
> Rowland

FYI, perhaps involved: Microsoft crashed a lot of Linux Kerberos machines at my AD site with an update in November 2022
learn.microsoft.com/en-us/windows/release-health/resolved-issues-windows-server-2022#2953msgdesc
They fixed it later with
learn.microsoft.com/en-us/windows/release-health/windows-message-center#2961

--
[*] sys4 AG
sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Daniel Lakeland
2023-Apr-14 19:52 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/14/23 11:01, Rowland Penny via samba wrote:
> On 14/04/2023 18:37, Ralph Boehme via samba wrote:
>> This has been a quite common setup in certain environments. IIRC it should still work. IIRC when we applied security hardening recently we changed to reject service tickets with a PAC when we're running in security=user mode, but the details escape my mind.
>>
>> -slow
>
> It may be a common setup, but it isn't one I have come across before (which doesn't mean much), but I think I have proof it should still work, but perhaps just not as it did.
> It doesn't help that Daniel isn't sure what version of Samba he was using and on what version of Debian (?). If we could find out these, we may be able to track down what changed and when.

I last reported a bug to Debian with Samba 4.8, so let's assume that I was using that when I had it working. I believe someone else tried with 4.13, but I had to back out of that version to get things back on track and I'm only now getting back to this.