Rowland penny
2021-Feb-03 09:56 UTC
[Samba] LDAP + Keytab without requiring administrator logins
On 03/02/2021 00:44, Christian Kuntz wrote:
> Apologies for the duplicated email, replying back to the mailing list
> as well:
>
> Thanks for the response!
>
> > As far as I am aware, only Administrator can join computers.
>
> So if I'm understanding correctly, in order to utilize the LDAP server
> I need to initialize the secrets.tdb with Administrator credentials?

From my testing, yes. If you want to automate joining Samba to a domain, you need a keytab containing Administrator's keys.

> > Ah, there is a problem, you cannot use sssd with Samba >= 4.8.0
>
> I don't know if I've explained appropriately here, but sssd is
> providing authentication and winbind is running allowing AD/LDAP users
> to mount shares. We've found this method to work well for AD and LDAP,
> but are having trouble with this particular challenge of allowing LDAP
> users to mount shares without requiring the samba server to have LDAP
> admin credentials, using only a fully provisioned and valid keytab.

You don't understand, if you want to run Samba as a Unix domain member you cannot run sssd, they both have their own versions of the Samba winbind libs. Having to run winbind started from Samba 4.8.0, from that version, no one (including Red Hat) supports the use of sssd with Samba. You can use sssd without Samba for authentication, you just cannot use sssd with Samba.

> > Why are you setting it to ldapsam ?
>
> We want users to be resolved over LDAP, I'm under the impression from
> reading the documentation and testing that this setting is required to
> allow ldap users to mount shares.

I do not know where you are getting that idea from, perhaps you could provide links to the documentation you have read.

> From the documentation, the kerberos method setting seems to imply
> that the secrets.tdb does not need to be initialized
> <https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#KERBEROSMETHOD> and
> only a valid keytab (which we have) is required. No matter the
> setting, it will complain that it cannot find the LDAP credentials in
> secrets.tdb, even when it is configured not to use it.

Your problem is that you are confusing the keytab that Samba will use after the join, with the keytab that is required to join the computer to the domain.

Rowland
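The settings Rowland is asking about (kerberos method and its dedicated keytab file, passdb backend = ldapsam on a member, and sssd running alongside winbind) can be sanity-checked from a domain member's smb.conf before anyone tries another join. The POSIX shell script below is an added example, not code from this thread or from the Samba project. The two smb.conf fragments it writes, the realm EXAMPLE.LOCAL and the service lists are constructed sample input, and the check functions are hypothetical helpers, not Samba tools.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): sanity checks
# for a Samba Unix domain member's smb.conf and service layout.
# Everything below the function definitions is constructed sample input.

# Print the value of an smb.conf parameter (case-insensitive key,
# comment lines skipped, surrounding whitespace stripped). Prints nothing
# when the key is absent.
smbconf_get() {  # $1 = config file, $2 = parameter name
    awk -F= -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        index($0, "=") {
            k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Return 0 when "kerberos method" is self-consistent: "dedicated keytab"
# only works with a "dedicated keytab file" path; the other documented
# values fall back on the machine account password in secrets.tdb, which
# only a completed domain join (net ads join) populates. Unknown values
# return 2.
check_kerberos_method() {  # $1 = config file
    method=$(smbconf_get "$1" "kerberos method" | tr 'A-Z' 'a-z')
    [ -n "$method" ] || method="default"
    case "$method" in
        "dedicated keytab")
            [ -n "$(smbconf_get "$1" "dedicated keytab file")" ] ;;
        default|"system keytab"|"secrets only"|"secrets and keytab")
            return 0 ;;
        *)  return 2 ;;
    esac
}

# Return 0 unless an ADS domain member (security = ads) sets passdb
# backend = ldapsam; on a member, users come from winbind, not a local
# LDAP passdb, which is the setting Rowland questioned.
check_passdb() {  # $1 = config file
    sec=$(smbconf_get "$1" security | tr 'A-Z' 'a-z')
    backend=$(smbconf_get "$1" "passdb backend" | tr 'A-Z' 'a-z')
    case "$backend" in
        ldapsam*) [ "$sec" != "ads" ] ;;
        *)        return 0 ;;
    esac
}

# Return 1 when sssd and winbind are both in the enabled-service list,
# the combination the thread says Samba >= 4.8.0 does not support.
check_services() {  # $1 = space-separated list of enabled services
    case " $1 " in
        *" sssd "*) case " $1 " in *" winbind "*) return 1 ;; esac ;;
    esac
    return 0
}

# Constructed sample input: the configuration under discussion, then a
# member configuration that passes every check.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   passdb backend = ldapsam
   kerberos method = dedicated keytab
EOF

GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   kerberos method = secrets and keytab
EOF

for conf in "$BAD_CONF" "$GOOD_CONF"; do
    printf '%s\n' "$conf"
    check_kerberos_method "$conf" && echo "  kerberos method: consistent" \
        || echo "  kerberos method: dedicated keytab without a keytab file"
    check_passdb "$conf" && echo "  passdb backend: fine for a member" \
        || echo "  passdb backend: ldapsam on an ADS member"
done
check_services "smbd winbind" && echo "smbd+winbind: ok"
check_services "sssd winbind smbd" || echo "sssd+winbind: unsupported together"
```

The checks only cover the keytab Samba uses after the join; whether the join itself succeeded is what net ads testjoin reports, and klist -k /etc/krb5.keytab shows which principals the post-join keytab actually holds.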
Christian Kuntz
2021-Feb-03 18:57 UTC
[Samba] LDAP + Keytab without requiring administrator logins
Thanks for your responses and all the information.

From what I'm reading, I should replace what I'm doing with sssd with winbind. Thanks for the clarification and I'll get started on that!

To return to my original question: is it possible to initialize the secrets.tdb (I believe it stores the keytab required to join the domain by what we have discussed) in a way that allows the machine to join an LDAP domain without providing it with full credentials (User/Pass)?

Best,
Christian

On Wed, Feb 3, 2021 at 1:56 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 03/02/2021 00:44, Christian Kuntz wrote:
> > Apologies for the duplicated email, replying back to the mailing list
> > as well:
> >
> > Thanks for the response!
> >
> > > As far as I am aware, only Administrator can join computers.
> >
> > So if I'm understanding correctly, in order to utilize the LDAP server
> > I need to initialize the secrets.tdb with Administrator credentials?
>
> From my testing, yes. If you want to automate joining Samba to a
> domain, you need a keytab containing Administrator's keys.
>
> > > Ah, there is a problem, you cannot use sssd with Samba >= 4.8.0
> >
> > I don't know if I've explained appropriately here, but sssd is
> > providing authentication and winbind is running allowing AD/LDAP users
> > to mount shares. We've found this method to work well for AD and LDAP,
> > but are having trouble with this particular challenge of allowing LDAP
> > users to mount shares without requiring the samba server to have LDAP
> > admin credentials, using only a fully provisioned and valid keytab.
>
> You don't understand, if you want to run Samba as a Unix domain member
> you cannot run sssd, they both have their own versions of the Samba
> winbind libs. Having to run winbind started from Samba 4.8.0, from that
> version, no one (including Red Hat) supports the use of sssd with
> Samba. You can use sssd without Samba for authentication, you just
> cannot use sssd with Samba.
>
> > > Why are you setting it to ldapsam ?
> >
> > We want users to be resolved over LDAP, I'm under the impression from
> > reading the documentation and testing that this setting is required to
> > allow ldap users to mount shares.
>
> I do not know where you are getting that idea from, perhaps you could
> provide links to the documentation you have read.
>
> > From the documentation, the kerberos method setting seems to imply
> > that the secrets.tdb does not need to be initialized
> > <https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#KERBEROSMETHOD> and
> > only a valid keytab (which we have) is required. No matter the
> > setting, it will complain that it cannot find the LDAP credentials in
> > secrets.tdb, even when it is configured not to use it.
>
> Your problem is that you are confusing the keytab that Samba will use
> after the join, with the keytab that is required to join the computer to
> the domain.
>
> Rowland