On 10/05/2023 17:01, Kees van Vloten via samba wrote:
>
> Op 10-05-2023 om 11:33 schreef matti.kaupenjohann:
>>> It will work, as long as you can authenticate either with
>>> user/password or with kerberos you can run ldap queries.
>> As far as I understand, Kerberos can work on systems which are not a
>> domain member, but I cannot find any instructions on how to achieve a
>> correct setup. Most instructions begin with setting up a KDC, which
>> makes no sense, since I already have the samba DC. The approach worked
>> fine for my server, which is already a domain member. But my non domain
>> member does not have kerberos installed, so the kinit command is
>> obviously not available. What bothers me as well: is running "sudo kinit
>> administrator" on a non domain member really possible? How does kinit
>> know what the DC is?
>>
>> Matti
>>
> Indeed, Samba AD DC includes a KDC; the only thing you have to do is to
> set up the kerberos client on the client machines and point it to your DC.
>
> Now you can use kinit to get a ticket.
>
> You can also create a machine account or a service account (do set a
> random password), export the keytab and use that on your client so that
> services (like apache) can interact with kerberos without the machine
> being a domain-member.
>
>
> - Kees.
>
>
As far as I remember, it was never mentioned that it was required for
ldap searches to work on a non domain machine with kerberos; what I
posted will work on a domain member.
If you are going down the kerberos path on a non domain joined machine,
then you are going to need a search user in AD (with a password) and its
keytab.
The problem with ldaps is that it doesn't really work on Samba AD and
Kerberos is more secure.
Rowland
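As an added example, not code posted by anyone in this thread, here is the setup Kees and Rowland describe put into a POSIX shell script: a minimal krb5.conf that tells a non-member client where the Samba DC's KDC is (which answers the "how does kinit know what the DC is?" question), creation of a search account on the DC with a random password, export of its keytab with samba-tool, and an ldapsearch over GSSAPI from the client using that keytab instead of a password. The realm SAMDOM.EXAMPLE.COM, the DC name dc1.samdom.example.com, the account name ldapsearch and the keytab path are placeholders, not values from the thread; kinit is assumed to be MIT Kerberos (the -k -t keytab syntax).

```shell
#!/bin/sh
# Added example: Kerberos-authenticated LDAP search from a host that is NOT a
# domain member, against a Samba AD DC. Realm, hostnames, account name and
# paths below are placeholders (assumptions), not values from the thread.
set -eu

REALM="SAMDOM.EXAMPLE.COM"
DC_FQDN="dc1.samdom.example.com"
SEARCH_USER="ldapsearch"

# Turn a realm name into an LDAP base DN: SAMDOM.EXAMPLE.COM -> DC=SAMDOM,DC=EXAMPLE,DC=COM
base_dn() {
    printf '%s' "$1" | sed -e 's/^/DC=/' -e 's/\./,DC=/g'
}

# Print a minimal /etc/krb5.conf for the client. A non-member has no idea
# where the KDC is unless we tell it; this is what makes "kinit administrator"
# (or a keytab-based kinit) work on a machine that was never joined.
krb5_conf() {
    realm="$1"; kdc="$2"
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$lower = $realm
    $lower = $realm
EOF
}

# --- run on the DC, as root ---
# Create the search account with a random password (nobody needs to know it)
# and export its keytab. The keytab is the only credential the client gets,
# so treat it like a password file: mode 0600, owned by the service that uses it.
dc_create_search_account() {
    keytab="/root/$SEARCH_USER.keytab"
    samba-tool user create "$SEARCH_USER" --random-password
    samba-tool user setexpiry "$SEARCH_USER" --noexpiry
    samba-tool domain exportkeytab "$keytab" --principal="$SEARCH_USER@$REALM"
    chmod 600 "$keytab"
    echo "copy $keytab to the client over a secure channel (e.g. scp)"
}

# --- run on the non-member client, after krb5.conf is in place and the keytab copied ---
client_ldap_search() {
    keytab="$1"; filter="$2"
    # MIT kinit: -k -t <keytab>. No password prompt, so this also works from cron/services.
    kinit -k -t "$keytab" "$SEARCH_USER@$REALM"
    # -Y GSSAPI binds with the ticket; no bind password on the command line or
    # in a config file, and SASL negotiates integrity/confidentiality on plain ldap://.
    ldapsearch -Y GSSAPI -H "ldap://$DC_FQDN" -b "$(base_dn "$REALM")" \
        "$filter" sAMAccountName
    kdestroy
}

# Usage: ./ldap-nonmember.sh conf            (print krb5.conf for the client)
#        ./ldap-nonmember.sh dc              (on the DC: create account + keytab)
#        ./ldap-nonmember.sh client KEYTAB [FILTER]
case "${1:-}" in
    conf)   krb5_conf "$REALM" "$DC_FQDN" ;;
    dc)     dc_create_search_account ;;
    client) client_ldap_search "${2:?keytab path required}" "${3:-(objectClass=user)}" ;;
    *)      : ;;  # no argument: only define the functions (safe to source)
esac
```

Only the `conf` step runs offline; `dc` and `client` need the Samba DC and an installed Kerberos client respectively. The search account has no password a human ever sees, which is the point of Kees' "do set a random password" advice: if the keytab leaks you re-export it, and rotating the account password invalidates the old keytab.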