Christian Kuntz
2021-Feb-03 00:44 UTC
[Samba] LDAP + Keytab without requiring administrator logins
Apologies for the duplicated email, replying back to the mailing list as well:

Thanks for the response!

> As far as I am aware, only Administrator can join computers.

So if I'm understanding correctly, in order to utilize the LDAP server I need to initialize the secrets.tdb with Administrator credentials?

> Ah, there is a problem, you cannot use sssd with Samba >= 4.8.0

I don't know if I've explained appropriately here, but sssd is providing authentication and winbind is running allowing AD/LDAP users to mount shares. We've found this method to work well for AD and LDAP, but are having trouble with this particular challenge of allowing LDAP users to mount shares without requiring the samba server to have LDAP admin credentials, using only a fully provisioned and valid keytab.

> Why are you setting it to ldapsam ?

We want users to be resolved over LDAP, I'm under the impression from reading the documentation and testing that this setting is required to allow ldap users to mount shares.

From the documentation, the kerberos method setting seems to imply that the secrets.tdb does not need to be initialized <https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#KERBEROSMETHOD> and only a valid keytab (which we have) is required. No matter the setting, it will complain that it cannot find the LDAP credentials in secrets.tdb, even when it is configured not to use it.

Christian

On Tue, Feb 2, 2021 at 2:17 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 02/02/2021 09:46, Christian Kuntz via samba wrote:
> > Hi all!
> >
> > I'm currently running Debian Buster with samba version 4.9.5+dfsg-5+deb10u1 and trying to configure my setup to require only a keytab file and no administrator login information to accommodate for automated smb provisioning.
>
> As far as I am aware, only Administrator can join computers.
>
> > I've confirmed with kerberos and sssd
>
> Ah, there is a problem, you cannot use sssd with Samba >= 4.8.0
>
> > that I have a connection to the server and can acquire the tgt, but ultimately starting the service always fails with this message so long as I set the passdb to ldapsam.
>
> Why are you setting it to ldapsam ?
>
> > Is this something that's supported by samba and I'm missing or have bad configs, or is this just not something that's supported? You can find testparm/config information below.
>
> The use of sssd with Samba >= 4.8.0 isn't supported, you must use winbind if you want shares, if you only required authentication, use sssd by itself.
>
> Rowland
Andrew Bartlett
2021-Feb-03 01:35 UTC
[Samba] LDAP + Keytab without requiring administrator logins
On Tue, 2021-02-02 at 16:44 -0800, Christian Kuntz via samba wrote:
> > Why are you setting it to ldapsam ?
>
> We want users to be resolved over LDAP, I'm under the impression from reading the documentation and testing that this setting is required to allow ldap users to mount shares.

I would warn you that you are in a very niche use case. I take it that you are setting up a standalone file server in a not-AD domain that accepts kerberos credentials issued by a 'MIT' (or Heimdal) KDC for Unix clients.

In that case, if you have no NTLM clients then perhaps you don't need ldapsam, and want to instead just directly map onto the nsswitch-provided users. Note that many other things (like group mapping) also won't work.

If any of this is not true, and you are using AD DC, then please join the AD domain as per the typical instructions.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Rowland penny
2021-Feb-03 09:56 UTC
[Samba] LDAP + Keytab without requiring administrator logins
On 03/02/2021 00:44, Christian Kuntz wrote:
> Apologies for the duplicated email, replying back to the mailing list as well:
>
> Thanks for the response!
>
> > As far as I am aware, only Administrator can join computers.
>
> So if I'm understanding correctly, in order to utilize the LDAP server I need to initialize the secrets.tdb with Administrator credentials?

From my testing, yes. If you want to automate joining Samba to a domain, you need a keytab containing Administrator's keys.

> > Ah, there is a problem, you cannot use sssd with Samba >= 4.8.0
>
> I don't know if I've explained appropriately here, but sssd is providing authentication and winbind is running allowing AD/LDAP users to mount shares. We've found this method to work well for AD and LDAP, but are having trouble with this particular challenge of allowing LDAP users to mount shares without requiring the samba server to have LDAP admin credentials, using only a fully provisioned and valid keytab.

You don't understand, if you want to run Samba as a Unix domain member you cannot run sssd, they both have their own versions of the Samba winbind libs. Having to run winbind started from Samba 4.8.0, from that version, no one (including Red Hat) supports the use of sssd with Samba. You can use sssd without Samba for authentication, you just cannot use sssd with Samba.

> > Why are you setting it to ldapsam ?
>
> We want users to be resolved over LDAP, I'm under the impression from reading the documentation and testing that this setting is required to allow ldap users to mount shares.

I do not know where you are getting that idea from, perhaps you could provide links to the documentation you have read.

> From the documentation, the kerberos method setting seems to imply that the secrets.tdb does not need to be initialized <https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#KERBEROSMETHOD> and only a valid keytab (which we have) is required. No matter the setting, it will complain that it cannot find the LDAP credentials in secrets.tdb, even when it is configured not to use it.

Your problem is that you are confusing the keytab that Samba will use after the join, with the keytab that is required to join the computer to the domain.

Rowland
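As an added example (not code from this thread or from the Samba project), a small Python checker that flags, on a constructed smb.conf and nsswitch.conf, the three combinations the replies above warn about: sssd in NSS alongside a Samba domain member, `passdb backend = ldapsam` (which needs the LDAP admin password stored in secrets.tdb), and a keytab-only `kerberos method` mistaken for a substitute for the join. The sample config values and the finding names are assumptions made for the example.

```python
"""Hypothetical checker written for this page (not a Samba tool): flags the
smb.conf / nsswitch.conf combinations this thread warns about."""
import configparser

# Constructed sample resembling the poster's setup; not the thread's real config.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   passdb backend = ldapsam:ldap://ldap.example.com
   kerberos method = dedicated keytab
   dedicated keytab file = /etc/krb5.keytab
"""
SAMPLE_NSSWITCH = "passwd: files sss\ngroup:  files sss\n"


def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lower-cased and space-normalised."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = lambda key: " ".join(key.lower().split())
    # smb.conf indents its options; strip the indent so configparser does not
    # treat indented lines as continuations of the previous value.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {section: dict(cp.items(section)) for section in cp.sections()}


def nss_sources(nsswitch, database="passwd"):
    """Return the source list for one nsswitch.conf database, e.g. ['files', 'sss']."""
    for line in nsswitch.splitlines():
        name, _, sources = line.partition(":")
        if name.strip() == database:
            return sources.split()
    return []


def check_member_config(smb_conf, nsswitch):
    """Return finding codes, in order, for the conflicts discussed in the thread."""
    g = parse_smb_conf(smb_conf).get("global", {})
    findings = []
    if g.get("security", "user").lower() == "ads":
        sources = nss_sources(nsswitch)
        if "sss" in sources:
            findings.append("sssd-with-samba")   # unsupported since Samba 4.8.0
        if "winbind" not in sources:
            findings.append("winbind-missing")   # domain member shares need winbind
    if g.get("passdb backend", "tdbsam").lower().startswith("ldapsam"):
        # ldapsam reads the LDAP admin password from secrets.tdb (set via smbpasswd -w)
        findings.append("ldapsam-needs-ldap-admin-secret")
    if g.get("kerberos method", "default").lower() == "dedicated keytab":
        # the keytab Samba reads after the join does not replace the join itself
        findings.append("keytab-does-not-replace-join")
    return findings
```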