lists at zxt10d.de
2022-Mar-23 14:18 UTC
[Samba] stand-alone server with ldap-auth without AD
On 23.03.2022 at 13:07, Gaiseric Vandal via samba wrote:
> Can you provide a little more information?
Sure - sorry!

System itself: Debian Bullseye
ldap:~# smbd -V
Version 4.13.13-Debian
ldap:~#

> You want to set up a Samba server. Some of the clients have machines
> that they don't want to join to the domain but they still want to access
> resources on your server? Presumably these are file shares?
Yes, they are and that's the idea ...

> It seems to me that regardless of whether your server is joined to a
> domain, or is standalone, or has to access some other authentication
> server, that the client users still need accounts to connect to your
> server.
We are a Chair at a German university, and have read-only access to the university's central LDAP - not to every object, but to all which belong to our chair. There are accounts for each member of the university, employees, students, scientists, scientific guests, etc., and they are managed centrally.
All of 'our users' should have access to network shares, provided by samba.
As most of the students use their own (private) laptop, they don't want to join the system to any AD ...

> In the past I have set up Samba as "NT4" style domain controllers with an
> LDAP backend. This then adds the overhead of managing an LDAP server.
If that is suitable enough for such an environment, I'd be fine with it.

But, to be honest, I have no idea how to configure samba to handle the user auth versus ldap - I always get error messages like this when trying to access a share, and type in a username and password:
[2022/03/23 14:54:06.343084, 0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
  check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS

nmbd gives an error:
Mar 23 15:08:27 ldap systemd[1]: Started Samba NMB Daemon.
Mar 23 15:08:27 ldap nmbd[916]:   daemon_ready: daemon 'nmbd' finished starting up and ready to serve connections
Mar 23 15:08:27 ldap nmbd[916]: [2022/03/23 15:08:27.633290, 0] ../../source3/nmbd/nmbd_namequery.c:109(query_name_response)
Mar 23 15:08:27 ldap nmbd[916]:   query_name_response: Multiple (2) responses received for a query on subnet 10.147.166.5 for name AFP<1d>.
Mar 23 15:08:27 ldap nmbd[916]:   This response was from IP 10.147.166.2, reporting an IP address of 10.147.166.2.
(10.147.166.2 is just another stand-alone system on the net)

While smbd seems to start fine:
Mar 23 15:08:23 ldap systemd[1]: Started Samba SMB Daemon.
Mar 23 15:08:24 ldap smbd[909]: [2022/03/23 15:08:24.001867, 0] ../../lib/util/become_daemon.c:135(daemon_ready)
Mar 23 15:08:24 ldap smbd[909]:   daemon_ready: daemon 'smbd' finished starting up and ready to serve connections

So, I guess I either misunderstood something, or mixed something up in smb.conf.

Here it is:
[global]
workgroup = AFP
server string = %h
security = user
domain master = No
dns proxy = no
syslog only = no
syslog = 5
log file = /var/log/samba/log.%m
max log size = 1000
encrypt passwords = true
wins server = 10.147.166.2
ldap ssl = no
idmap config DOMAIN : backend = sss
idmap config DOMAIN : range = 10000-20000
winbind refresh tickets = yes
winbind use default domain = yes
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
obey pam restrictions = no
guest account = nobody
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#printing = cups
#printcap name = cups
interfaces = 10.147.166.5/255.255.255.128 127.0.0.1/255.0.0.0
admin users = USERID
unix charset = UTF-8
dos charset = cp1252
time server = Yes
#logon path
#logon home = \\%L\%u
use sendfile = No
os level = 25
wide links = No
unix extensions = yes
map archive = No
delete readonly = Yes
case sensitive = auto
mangled names = no
unix password sync = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[public]
path = /srv/public
read only = yes
guest ok = yes

> On 3/23/2022 7:25 AM, lists--- via samba wrote:
>> Hi,
>>
>> is it possible to configure a stand-alone samba server with
>> authentication versus a read-only ldap (proxy) using 'passdb backend
>> = ldapsam', sssd or winbindd, or something else, but not setting up or
>> joining an AD? Reason for this: ~30% of the computers using that
>> samba-services are private computers, whose owners don't want to join
>> an AD.
>>
>> Thanks in advance!
>>
>> Cheers,
>> Torsten
>>
Gaiseric Vandal
2022-Mar-23 16:53 UTC
[Samba] stand-alone server with ldap-auth without AD
You need to have an account on the LDAP server that samba can use to read user information including the Windows password field. Then you need to configure smb.conf with the server name, the search path, the ldap name and password.

I think what is going to be a problem is that the "NT4" Windows password requires a separate password field from the regular LDAP password, and keeping the 2 in sync will be a challenge. The client machines will be sending a hash of the user password to the server (rather than a "plaintext" password over TLS.) In fact the schema on the LDAP server may need to be extended.

On 3/23/22 10:18, lists--- via samba wrote: