Gaiseric Vandal
2022-Mar-23 16:53 UTC
[Samba] stand-alone server with ldap-auth without AD
You need to have an account on the LDAP server that samba can use to read user information including the Windows password field. Then you need to configure smb.conf with the server name, the search path, the ldap name and password.

I think what is going to be a problem is that the "NT4" Windows password requires a separate password field from the regular LDAP password, and keeping the 2 in sync will be a challenge. The client machines will be sending a hash of the user password to the server (rather than a "plaintext" password over TLS). In fact the schema on the LDAP server may need to be extended.

On 3/23/22 10:18, lists--- via samba wrote:
> On 23.03.2022 at 13:07, Gaiseric Vandal via samba wrote:
>> Can you provide a little more information?
> Sure - sorry!
>
> System itself: Debian Bullseye
> ldap:~# smbd -V
> Version 4.13.13-Debian
> ldap:~#
>
>> You want to set up a Samba server. Some of the clients have machines that they don't want to join to the domain but they still want to access resources on your server? Presumably these are file shares?
> Yes, they are and that's the idea ...
>
>> It seems to me that regardless of whether your server is joined to a domain, or is standalone, or has to access some other authentication server, that the client users still need accounts to connect to your server.
>
> We are a Chair at a German university, and have read-only access to the university's central LDAP - not to every object, but to all which belong to our chair. There are accounts for each member of the university, employees, students, scientists, scientific guests, etc., and they are managed centrally.
> All of 'our users' should have access to network shares, provided by samba.
> As most of the students use their own (private) laptop, they don't want to join the system to any AD ...
>
>> In the past I have set up Samba as "NT4" style domain controllers with an LDAP backend. This then adds the overhead of managing an LDAP server.
> If that is suitable enough for such an environment, I'd be fine with it.
>
> But, to be honest, I have no idea how to configure samba to handle the user-auth versus ldap - I always get error messages like this when trying to access a share, and type in a username and password:
> [2022/03/23 14:54:06.343084,  0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
>   check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
>
> nmbd gives an error:
> Mar 23 15:08:27 ldap systemd[1]: Started Samba NMB Daemon.
> Mar 23 15:08:27 ldap nmbd[916]:   daemon_ready: daemon 'nmbd' finished starting up and ready to serve connections
> Mar 23 15:08:27 ldap nmbd[916]: [2022/03/23 15:08:27.633290,  0] ../../source3/nmbd/nmbd_namequery.c:109(query_name_response)
> Mar 23 15:08:27 ldap nmbd[916]:   query_name_response: Multiple (2) responses received for a query on subnet 10.147.166.5 for name AFP<1d>.
> Mar 23 15:08:27 ldap nmbd[916]:   This response was from IP 10.147.166.2, reporting an IP address of 10.147.166.2.
> (10.147.166.2 is just another stand-alone system on the net)
>
> While smbd seems to start fine:
> Mar 23 15:08:23 ldap systemd[1]: Started Samba SMB Daemon.
> Mar 23 15:08:24 ldap smbd[909]: [2022/03/23 15:08:24.001867,  0] ../../lib/util/become_daemon.c:135(daemon_ready)
> Mar 23 15:08:24 ldap smbd[909]:   daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
>
> So, I guess I either misunderstood something, or mixed something in smb.conf
>
> Here it is:
> [global]
> workgroup = AFP
> server string = %h
> security = user
> domain master = No
> dns proxy = no
> syslog only = no
> syslog = 5
> log file = /var/log/samba/log.%m
> max log size = 1000
> encrypt passwords = true
> wins server = 10.147.166.2
> ldap ssl = no
> idmap config DOMAIN : backend = sss
> idmap config DOMAIN : range = 10000-20000
> winbind refresh tickets = yes
> winbind use default domain = yes
> winbind offline logon = false
> winbind enum users = yes
> winbind enum groups = yes
> obey pam restrictions = no
> guest account = nobody
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> #printing = cups
> #printcap name = cups
> interfaces = 10.147.166.5/255.255.255.128 127.0.0.1/255.0.0.0
> admin users = USERID
> unix charset = UTF-8
> dos charset = cp1252
> time server = Yes
> #logon path
> #logon home = \\%L\%u
> use sendfile = No
> os level = 25
> wide links = No
> unix extensions = yes
> map archive = No
> delete readonly = Yes
> case sensitive = auto
> mangled names = no
> unix password sync = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> [public]
> path = /srv/public
> read only = yes
> guest ok = yes
>
>> On 3/23/2022 7:25 AM, lists--- via samba wrote:
>>> Hi,
>>>
>>> Is it possible to configure a stand-alone samba server with authentication versus a readonly ldap (proxy) using 'passdb backend = ldapsam', sssd or winbindd, or something else, but not setting up or joining an AD. Reason for this: ~30% of the computers using that samba-services are private computers, whose owners don't want to join an AD.
>>>
>>> Thanks in advance!
>>>
>>> Cheers,
>>> Torsten
>>>
>>
>
On Wed, 2022-03-23 at 12:53 -0400, Gaiseric Vandal via samba wrote:
> You need to have an account on the LDAP server that samba can use to read user information including the Windows password field. Then you need to configure smb.conf with the server name, the search path, the ldap name and password.
>
> I think what is going to be a problem is that the "NT4" Windows password requires a separate password field from the regular LDAP password, and keeping the 2 in sync will be a challenge. The client machines will be sending a hash of the user password to the server (rather than a "plaintext" password over TLS). In fact the schema on the LDAP server may need to be extended.

If a new NT4-style machine is being set up, you should be aware that they rely on SMBv1 and this is going away. You could end up within a year or two having to upgrade again or use an older version of Samba.

Rowland