Daniel Lakeland
2023-Apr-13 20:37 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/13/23 13:19, Rowland Penny via samba wrote:
>
> What version of Debian were you running ?
> What version of Samba were you running ?
>
> This could be just something as simple as you were running a version
> of Samba <= 4.8.0 and need to install and run winbind.
>
> Rowland
>

It would have been probably Debian Testing circa 2019 or something, let's say it was samba less than 4.8.0.

I now have winbind installed via apt.

If I do

security = ads

It fails to start and says:

[2023/04/13 13:32:37.039004,  0] ../../source3/winbindd/winbindd_util.c:1235(init_domain_list)
  Could not fetch our SID - did we join?

if I do

security = user

It starts and says:

[2023/04/13 13:34:06.986150,  3] ../../source3/winbindd/winbindd_util.c:291(add_trusted_domain)
  add_trusted_domain: Added domain [BUILTIN] [(null)] [S-1-5-32]
[2023/04/13 13:34:06.986190,  3] ../../source3/winbindd/winbindd_util.c:291(add_trusted_domain)
  add_trusted_domain: Added domain [CHIMERA] [(null)] [S-1-5-21-2096409422-4100730907-3425993654]
[2023/04/13 13:34:06.986522,  3] ../../librpc/rpc/dcesrv_core.c:2619(dcerpc_register_ep_server)
  DCERPC endpoint server 'winbind' registered
[2023/04/13 13:34:06.991408,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE

Where chimera is the hostname of the server.

security = user is the config that used to work before the upgrade.
Rowland Penny
2023-Apr-13 21:15 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 13/04/2023 21:37, Daniel Lakeland via samba wrote:
> On 4/13/23 13:19, Rowland Penny via samba wrote:
>>
>> What version of Debian were you running ?
>> What version of Samba were you running ?
>>
>> This could be just something as simple as you were running a version
>> of Samba <= 4.8.0 and need to install and run winbind.
>>
>> Rowland
>>
> It would have been probably Debian Testing circa 2019 or something,
> let's say it was samba less than 4.8.0.
>
> I now have winbind installed via apt.
>
> If I do
>
> security = ads
>
> It fails to start and says:
>
> [2023/04/13 13:32:37.039004,  0]
> ../../source3/winbindd/winbindd_util.c:1235(init_domain_list)
>   Could not fetch our SID - did we join?

Exactly what it says, it expects the computer to be joined to a domain.

> if I do
>
> security = user
>
> It starts and says:
>
> [2023/04/13 13:34:06.986150,  3]
> ../../source3/winbindd/winbindd_util.c:291(add_trusted_domain)
>   add_trusted_domain: Added domain [BUILTIN] [(null)] [S-1-5-32]
> [2023/04/13 13:34:06.986190,  3]
> ../../source3/winbindd/winbindd_util.c:291(add_trusted_domain)
>   add_trusted_domain: Added domain [CHIMERA] [(null)]
> [S-1-5-21-2096409422-4100730907-3425993654]
> [2023/04/13 13:34:06.986522,  3]
> ../../librpc/rpc/dcesrv_core.c:2619(dcerpc_register_ep_server)
>   DCERPC endpoint server 'winbind' registered
> [2023/04/13 13:34:06.991408,  2]
> ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
>   Registered MSG_REQ_POOL_USAGE
>
> Where chimera is the hostname of the server.

It is attempting to connect to the Samba running on the computer.

> security = user is the config that used to work before the upgrade.

The Samba daemon smbd before 4.8.0 could connect to AD (or in this case a kerberos kdc) directly, but from 4.8.0 it has to go via winbind and has to be joined to the domain/kerberos realm.

You appear to be running a workgroup, but in the manner of a domain, perhaps you should run it as a workgroup, you will then find out why AD domains replaced them.

Rowland