Gaiseric Vandal
2022-Mar-23 12:07 UTC
[Samba] stand-alone server with ldap-auth without AD
Can you provide a little more information?

You want to set up a Samba server. Some of the clients have machines that they don't want to join to the domain but they still want to access resources on your server? Presumably these are file shares?

It seems to me that regardless of whether your server is joined to a domain, or is standalone, or has to access some other authentication server, that the client users still need accounts to connect to your server.

In the past I have set up Samba as "NT4" style domain controllers with an LDAP backend. This then adds the overhead of managing an LDAP server.

On 3/23/2022 7:25 AM, lists--- via samba wrote:
> Hi,
>
> is possible to configure a stand-alone samba server with
> authentication versus a readonly ldap (proxy) using 'passdb backend
> = ldapsam', sssd or winbindd, or something else, but not setting-up or
> joining an AD. Reason for this: ~30% of the computers using that
> samba-services are private computers, whose owners don't want to join
> an AD.
>
> Thanks in advance!
>
> Cheers,
> Torsten
lists at zxt10d.de
2022-Mar-23 14:18 UTC
[Samba] stand-alone server with ldap-auth without AD
On 23.03.2022 at 13:07, Gaiseric Vandal via samba wrote:
> Can you provide a little more information?

Sure - sorry!

System itself: Debian Bullseye

    ldap:~# smbd -V
    Version 4.13.13-Debian
    ldap:~#

> You want to set up a Samba server. Some of the clients have machines
> that they don't want to join to the domain but they still want to access
> resources on your server? Presumably these are file shares?

Yes, they are and that's the idea ...

> It seems to me that regardless of whether your server is joined to a
> domain, or is standalone, or has to access some other authentication
> server, that the client users still need accounts to connect to your
> server.

We are a Chair at a German university, and have read-only access to the university's central LDAP - not to every object, but to all which belong to our chair. There are accounts for each member of the university, employees, students, scientists, scientific guests, etc., and they are managed centrally. All of 'our users' should have access to network-shares, provided by samba. As most of the students use their own (private) laptop, they don't want to join the system to any AD ...

> In the past I have set up Samba as "NT4" style domain controllers with an
> LDAP backend. This then adds the overhead of managing an LDAP server.

If that is suitable enough for such an environment, I'd be fine with it. But, to be honest, I have no idea how to configure samba to handle the user-auth versus ldap - I always get error messages like this when trying to access a share, and type in a username and password:

    [2022/03/23 14:54:06.343084, 0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
    check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS

nmbd gives an error:

    Mar 23 15:08:27 ldap systemd[1]: Started Samba NMB Daemon.
    Mar 23 15:08:27 ldap nmbd[916]: daemon_ready: daemon 'nmbd' finished starting up and ready to serve connections
    Mar 23 15:08:27 ldap nmbd[916]: [2022/03/23 15:08:27.633290, 0] ../../source3/nmbd/nmbd_namequery.c:109(query_name_response)
    Mar 23 15:08:27 ldap nmbd[916]: query_name_response: Multiple (2) responses received for a query on subnet 10.147.166.5 for name AFP<1d>.
    Mar 23 15:08:27 ldap nmbd[916]: This response was from IP 10.147.166.2, reporting an IP address of 10.147.166.2.

(10.147.166.2 is just another stand-alone-system on the net)

While smbd seems to start fine:

    Mar 23 15:08:23 ldap systemd[1]: Started Samba SMB Daemon.
    Mar 23 15:08:24 ldap smbd[909]: [2022/03/23 15:08:24.001867, 0] ../../lib/util/become_daemon.c:135(daemon_ready)
    Mar 23 15:08:24 ldap smbd[909]: daemon_ready: daemon 'smbd' finished starting up and ready to serve connections

So, I guess I either misunderstood something, or mixed something in smb.conf

Here it is:

    [global]
    workgroup = AFP
    server string = %h
    security = user
    domain master = No
    dns proxy = no
    syslog only = no
    syslog = 5
    log file = /var/log/samba/log.%m
    max log size = 1000
    encrypt passwords = true
    wins server = 10.147.166.2
    ldap ssl = no
    idmap config DOMAIN : backend = sss
    idmap config DOMAIN : range = 10000-20000
    winbind refresh tickets = yes
    winbind use default domain = yes
    winbind offline logon = false
    winbind enum users = yes
    winbind enum groups = yes
    obey pam restrictions = no
    guest account = nobody
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    #printing = cups
    #printcap name = cups
    interfaces = 10.147.166.5/255.255.255.128 127.0.0.1/255.0.0.0
    admin users = USERID
    unix charset = UTF-8
    dos charset = cp1252
    time server = Yes
    #logon path
    #logon home = \\%L\%u
    use sendfile = No
    os level = 25
    wide links = No
    unix extensions = yes
    map archive = No
    delete readonly = Yes
    case sensitive = auto
    mangled names = no
    unix password sync = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

    [public]
    path = /srv/public
    read only = yes
    guest ok = yes

> On 3/23/2022 7:25 AM, lists--- via samba wrote:
>> Hi,
>>
>> is possible to configure a stand-alone samba server with
>> authentication versus a readonly ldap (proxy) using 'passdb backend
>> = ldapsam', sssd or winbindd, or something else, but not setting-up or
>> joining an AD. Reason for this: ~30% of the computers using that
>> samba-services are private computers, whose owners don't want to join
>> an AD.
>>
>> Thanks in advance!
>>
>> Cheers,
>> Torsten
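Added illustration, not part of the thread and not code from either poster or the Samba project: a short Python check that parses an excerpt of the smb.conf posted above and reports the settings that bear on LDAP-backed authentication (whether an `ldapsam` passdb backend is configured, whether `ldap ssl` turns StartTLS off, whether each `idmap config` domain matches the workgroup, plus `admin users` and guest shares). The function names and finding labels are hypothetical, and the sample text is a constructed excerpt of the posted configuration.

```python
# Added example, not from the thread. SAMPLE is a constructed excerpt of the
# smb.conf posted above; function names and finding labels are hypothetical.
SAMPLE = """\
[global]
workgroup = AFP
security = user
ldap ssl = no
idmap config DOMAIN : backend = sss
idmap config DOMAIN : range = 10000-20000
admin users = USERID
[public]
path = /srv/public
guest ok = yes
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}}, names lowercased, spaces collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit(conf):
    """List findings relevant to LDAP-backed authentication on a stand-alone server."""
    g, findings = conf.get("global", {}), []
    if not g.get("passdb backend", "").lower().startswith("ldapsam"):
        findings.append("no-ldapsam-backend")      # accounts come from the default local backend
    if g.get("ldap ssl", "").lower() in ("no", "off"):
        findings.append("ldap-starttls-disabled")  # ldap:// traffic is not upgraded to TLS
    workgroup = g.get("workgroup", "").lower()
    domains = {k.split(":")[0].split()[-1] for k in g if k.startswith("idmap config ")}
    for dom in sorted(domains - {"*", workgroup}):
        findings.append("idmap-domain-mismatch:" + dom)
    if g.get("admin users"):
        findings.append("admin-users-set")         # listed users act as root on shares
    for name, params in conf.items():
        if params.get("guest ok", "").lower() in ("yes", "true", "1"):
            findings.append("guest-share:" + name)
    return findings

print("\n".join(audit(parse_smb_conf(SAMPLE))))
```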