Rowland Penny
2023-Apr-13 22:17 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 13/04/2023 22:42, Daniel Lakeland via samba wrote:
> On 4/13/23 14:15, Rowland Penny via samba wrote:
>>
>>> security = user is the config that used to work before the upgrade.
>>
>> The Samba daemon smbd before 4.8.0 could connect to AD (or in this
>> case a kerberos kdc) directly, but from 4.8.0 it has to go via winbind
>> and has to be joined to the domain/kerberos realm.
>>
>> You appear to be running a workgroup, but in the manner of a domain,
>> perhaps you should run it as a workgroup, you will then find out why
>> AD domains replaced them.
>
> I'd like to reiterate, literally none of these people, many of whom are
> volunteers, want to join their personal laptops to an overarching AD
> domain. They don't want everyone who has ever volunteered in this lab
> for 3 weeks to have a login on their home laptop. No-one wants to be a
> part of an AD domain and it would be a HUGE security failure to do so.
> Imagine if as a student to work for a few months in a lab you had to
> make 100 copies of your front door key, and they would be handed out to
> anyone who had ever worked in this lab in the past 15 years? Same idea.
>
> What they want is to get a ticket from a KDC and use it to prove
> they're authorized to connect to an SMB server. They have kerberos set
> up and can get the tickets.
>
> This worked 100% fine for 15 years. Now it doesn't. I'm fine with
> altering my configuration as needed to make it work now. What should I
> do? It's a huge regression if this fails to work anymore.
>
> Does anyone have an idea?

This is a very unusual way of doing things and has been superseded by AD, but I wonder if it can be made to work? Perhaps it is just an authentication problem. Your users will need to exist in a kerberos database and the computer will have to know where to find them. Do you have libnss-winbind, libpam-winbind and libpam-krb5 installed?

After that, I am lost. As I said, you are running a workgroup as a domain, without actually being a domain. One problem is that you are running ldap; this usually means lots of users, and the best way to deal with lots of users is a domain.

Rowland
Daniel Lakeland
2023-Apr-13 22:55 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
Ok, after installing libpam-winbind etc. I had someone try to connect from MacOS and they got:

[2023/04/13 15:50:50.002773,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Unexpected PAC for [testuser@OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2023/04/13 15:50:50.002891,  3] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:147
[2023/04/13 15:50:59.914944,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)

So it looks like her Mac tried to use her Kerberos identity but the Samba daemon didn't like that because "in standalone mode". The Samba settings during this test were:

security = user
realm = OURREALM.REALM
kerberos method = system keytab
server role = standalone server
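As an added example (not code from this thread or from the Samba project): a small Python triage helper that parses smbd debug entries of the shape posted above together with the quoted smb.conf fragment, and reports which Kerberos principal was rejected, with which NT_STATUS code, in which mode, next to the configured server role. The log and config samples are constructed from the lines in the post (with the list archive's " at " in the principal restored to "@"); the header regex assumes the usual smbd debug layout of "[timestamp, level] file:line(function)" followed by indented message lines.

```python
import re

# Added example (not from the samba mailing-list thread): a triage parser for
# smbd debug output and smb.conf that pulls out the rejected Kerberos
# principal and the server role smbd was running under when it rejected it.

# smbd debug header: "[YYYY/MM/DD HH:MM:SS.uuuuuu,  level] file:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>[^)]+)\)\s*$"
)
# Any NT_STATUS code in the message body.
STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b")
# The rejection seen in the thread: a PAC-bearing ticket presented to an
# smbd that is not a domain member.
PAC_RE = re.compile(r"Unexpected PAC for \[(?P<principal>[^\]]+)\] in (?P<mode>\w+) mode")

# Constructed sample: the three entries posted in the thread, re-typed with
# smbd's two-space continuation indent and the "@" in the principal restored.
SAMPLE_LOG = """\
[2023/04/13 15:50:50.002773,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Unexpected PAC for [testuser@OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2023/04/13 15:50:50.002891,  3] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:147
[2023/04/13 15:50:59.914944,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)
"""

# Constructed sample: the [global] settings quoted in the thread.
SAMPLE_CONF = """\
[global]
  security = user
  realm = OURREALM.REALM
  kerberos method = system keytab
  server role = standalone server
"""


def parse_smbd_log(text):
    """Group smbd debug output into entries: one header plus its message lines."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw.strip())
        if m:
            entries.append({**m.groupdict(), "message": ""})
        elif entries and raw.strip():
            # Continuation line: belongs to the message of the current entry.
            entries[-1]["message"] = (entries[-1]["message"] + " " + raw.strip()).strip()
    return entries


def parse_smb_conf(text, section="global"):
    """Return one smb.conf section as a dict with Samba-style normalised
    parameter names (case-insensitive, internal whitespace collapsed)."""
    params = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current != section.lower() or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def status_codes(entries):
    """Count how many entries carry each NT_STATUS code."""
    counts = {}
    for e in entries:
        for code in STATUS_RE.findall(e["message"]):
            counts[code] = counts.get(code, 0) + 1
    return counts


def triage(conf_text, log_text):
    """Correlate 'Unexpected PAC' rejections with the configured server role."""
    conf = parse_smb_conf(conf_text)
    findings = []
    for e in parse_smbd_log(log_text):
        pac = PAC_RE.search(e["message"])
        if not pac:
            continue
        status = STATUS_RE.search(e["message"])
        findings.append({
            "timestamp": e["ts"],
            "function": e["func"],
            "principal": pac.group("principal"),
            "mode": pac.group("mode"),
            "status": status.group(1) if status else None,
            "server role": conf.get("server role"),
            "realm": conf.get("realm"),
            "kerberos method": conf.get("kerberos method"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CONF, SAMPLE_LOG):
        print(f"{f['timestamp']} {f['function']}: {f['principal']} rejected "
              f"({f['status']}) while smbd ran in {f['mode']} mode; "
              f"smb.conf has server role = {f['server role']!r}, realm = {f['realm']!r}")
```

Running it prints one line per rejection. It is a triage aid only: it confirms that the rejected session setup carried a PAC and that smbd was configured as a standalone server, which is the combination the log message itself names; it does not change any configuration or settle the question raised in the thread.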