Rowland Penny
2023-Apr-13 20:19 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 13/04/2023 21:08, Daniel Lakeland via samba wrote:
> On 4/13/23 12:50, Zombie Ryushu via samba wrote:
>
>> Not as an ADS Server, I think you can still do that Weird
>> OpenLDAP/Kerberos enhanced Samba Classic NT Domain mode, but what you
>> will create is not something Modern Windows can log in to. But you
>> have to set Samba to be an NT4 PDC with OpenLDAP backend and Kerberos
>> Frontend. I think the last Windows OS to support this is Windows 7.
>>
>
> Note that Windows 10 machines were perfectly fine with doing all of this
> a week ago until the version of Samba changed.
>
> Also note that in this usage these devices are individual people's
> personal laptops and a mixture of Windows Home/Pro and MacOS versions
> from 5 years ago or more to now. Some of these people volunteer in the
> lab for 4 months, others are students for 6 years. Neither the users nor
> I want them to join their personal laptops to a domain they have no
> control nor trust over. They want local logins on their machines and to
> get a ticket and connect to the SMB server. The LDAP users with Kerberos
> tickets should not be able to log into the individual client machines.
> There is in essence "one way authorization": the client with a Kerberos
> ticket is authorized to access the SMB server. There is no reciprocity
> to the client. This is 100% intentional and by design.
>
> What settings would be required to make this work?

What version of Debian were you running?
What version of Samba were you running?

This could be just something as simple as you were running a version of
Samba <= 4.8.0 and need to install and run winbind.

Rowland
Daniel Lakeland
2023-Apr-13 20:37 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/13/23 13:19, Rowland Penny via samba wrote:
>
> What version of Debian were you running?
> What version of Samba were you running?
>
> This could be just something as simple as you were running a version
> of Samba <= 4.8.0 and need to install and run winbind.
>
> Rowland
>

It would probably have been Debian Testing circa 2019 or something, so
let's say it was Samba less than 4.8.0.

I now have winbind installed via apt.

If I do

security = ads

it fails to start and says:

[2023/04/13 13:32:37.039004,  0] ../../source3/winbindd/winbindd_util.c:1235(init_domain_list)
  Could not fetch our SID - did we join?

If I do

security = user

it starts and says:

[2023/04/13 13:34:06.986150,  3] ../../source3/winbindd/winbindd_util.c:291(add_trusted_domain)
  add_trusted_domain: Added domain [BUILTIN] [(null)] [S-1-5-32]
[2023/04/13 13:34:06.986190,  3] ../../source3/winbindd/winbindd_util.c:291(add_trusted_domain)
  add_trusted_domain: Added domain [CHIMERA] [(null)] [S-1-5-21-2096409422-4100730907-3425993654]
[2023/04/13 13:34:06.986522,  3] ../../librpc/rpc/dcesrv_core.c:2619(dcerpc_register_ep_server)
  DCERPC endpoint server 'winbind' registered
[2023/04/13 13:34:06.991408,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE

where chimera is the hostname of the server.

security = user is the config that used to work before the upgrade.
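The classic-domain layout the thread is talking about (an NT4-style PDC with
accounts in OpenLDAP and winbind running alongside it, as Samba 4.8 and later
require) written out as an added example smb.conf. This is not configuration
from either poster: the domain name CHIMERA is taken from the winbind log
above, but the LDAP server name, base DN, suffixes, keytab path and idmap
range are assumed placeholders, and the Kerberos keytab settings are an
assumption about how a ticket-holding client gets accepted, not something
the thread confirms.

```ini
# Added example, not configuration from the thread. All names and ranges
# below are assumptions to be replaced with the site's own values.
[global]
    # The poster's working mode is security = user. security = ads is
    # only valid on a host that has been joined to an Active Directory
    # domain; on an unjoined host winbind refuses to start with
    # "Could not fetch our SID - did we join?", exactly as in the log above.
    workgroup = CHIMERA
    security = user
    domain logons = yes
    domain master = yes
    local master = yes
    preferred master = yes

    # Accounts live in OpenLDAP. Server name and DIT layout are assumed.
    # The ldap admin dn password is stored with "smbpasswd -w", not here.
    passdb backend = ldapsam:ldap://ldap.example.org
    ldap admin dn = cn=admin,dc=example,dc=org
    ldap suffix = dc=example,dc=org
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap ssl = start tls

    # Assumption: accept Kerberos tickets issued by the site KDC for the
    # cifs/<fqdn> service principal by pointing smbd at a dedicated keytab.
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/samba/smb.keytab

    # winbind must run on Samba >= 4.8. Accounts in the PDC's own domain
    # get their uid/gid from the LDAP entries via passdb; the default idmap
    # range below (an example) covers BUILTIN and any foreign SIDs.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    winbind use default domain = yes

    log level = 1

[homes]
    comment = Home Directories
    browseable = no
    read only = no
    valid users = %S
```

After writing the file, `testparm -s` reports any parameter it does not
accept, and `smbpasswd -w <ldap admin password>` has to be run once so
Samba can bind to the directory; the "Added domain [CHIMERA] [...]" line in
the winbind log is the sign that winbind found the domain SID in passdb.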