Daniel Lakeland
2023-Apr-13 21:42 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 4/13/23 14:15, Rowland Penny via samba wrote:
>>> security = user is the config that used to work before the upgrade.
>
> The Samba daemon smbd before 4.8.0 could connect to AD (or in this
> case a kerberos kdc) directly, but from 4.8.0 it has to go via winbind
> and has to be joined to the domain/kerberos realm.
>
> You appear to be running a workgroup, but in the manner of a domain,
> perhaps you should run it as a workgroup, you will then find out why
> AD domains replaced them.

I'd like to reiterate, literally none of these people, many of whom are volunteers, want to join their personal laptops to an overarching AD domain. They don't want everyone who has ever volunteered in this lab for 3 weeks to have a login on their home laptop. No-one wants to be a part of an AD domain and it would be a HUGE security failure to do so. Imagine if, as a student working for a few months in a lab, you had to make 100 copies of your front door key, and they would be handed out to anyone who had ever worked in this lab in the past 15 years? Same idea.

What they want is to get a ticket from a KDC and use it to prove they're authorized to connect to an SMB server. They have kerberos set up and can get the tickets.

This worked 100% fine for 15 years. Now it doesn't. I'm fine with altering my configuration as needed to make it work now. What should I do? It's a huge regression if this fails to work anymore.

Does anyone have an idea?
Rowland Penny
2023-Apr-13 22:17 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 13/04/2023 22:42, Daniel Lakeland via samba wrote:
> On 4/13/23 14:15, Rowland Penny via samba wrote:
>>>> security = user is the config that used to work before the upgrade.
>>
>> The Samba daemon smbd before 4.8.0 could connect to AD (or in this
>> case a kerberos kdc) directly, but from 4.8.0 it has to go via winbind
>> and has to be joined to the domain/kerberos realm.
>>
>> You appear to be running a workgroup, but in the manner of a domain,
>> perhaps you should run it as a workgroup, you will then find out why
>> AD domains replaced them.
>
> I'd like to reiterate, literally none of these people, many of whom are
> volunteers, want to join their personal laptops to an overarching AD
> domain. They don't want everyone who has ever volunteered in this lab
> for 3 weeks to have a login on their home laptop. No-one wants to be a
> part of an AD domain and it would be a HUGE security failure to do so.
> Imagine if as a student to work for a few months in a lab you had to
> make 100 copies of your front door key, and they would be handed out to
> anyone who had ever worked in this lab in the past 15 years? Same idea.
>
> What they want, is to get a ticket from a KDC and use it to prove
> they're authorized to connect to an SMB server. They have kerberos set
> up and can get the tickets.
>
> This worked 100% fine for 15 years. Now it doesn't. I'm fine with
> altering my configuration as needed to make it work now. What should I
> do? It's a huge regression if this fails to work anymore.
>
> Does anyone have an idea?

This is a very unusual way of doing things and has been superseded by AD, but I wonder if it can be made to work? Perhaps it is just an authentication problem. Your users will need to exist in a kerberos database and the computer will have to know where to find them. Do you have libnss-winbind, libpam-winbind and libpam-krb5 installed?

After that, I am lost. As I said, you are running a workgroup as a domain, without actually being a domain. One problem is that you are running ldap; this usually means lots of users, and the best way to deal with lots of users is a domain.

Rowland
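The exchange above turns on one fact: before Samba 4.8.0 smbd could talk to a Kerberos KDC directly with `security = user`, and from 4.8.0 on Kerberos logins have to go through winbind with the server joined to the realm. The following added example (not Samba's own code, and not the poster's configuration) parses an smb.conf and flags exactly that pattern, a `realm` set alongside `security = user` on a 4.8.0-or-later server, so an admin can see before an upgrade which file servers are "a workgroup run as a domain". The two smb.conf texts are constructed; the `kerberos method` option and the `[global]` keys are real Samba settings, but the values are made up for the example.

```python
"""Audit an smb.conf for Kerberos authentication configured the pre-4.8.0 way
(security = user plus a realm, no winbind/join). Added example, not Samba code."""
from configparser import ConfigParser

# Constructed smb.conf resembling the old-style setup discussed in the thread.
OLD_STYLE_CONF = """
[global]
   workgroup = LAB
   realm = LAB.EXAMPLE.ORG
   security = user
   kerberos method = system keytab

[share]
   path = /srv/share
   read only = no
"""

# Constructed plain workgroup config: no Kerberos realm at all.
WORKGROUP_CONF = """
[global]
   workgroup = LAB
   security = user

[share]
   path = /srv/share
"""

# Version from which smbd must go via winbind for Kerberos (stated in the thread).
WINBIND_THRESHOLD = (4, 8, 0)


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}} with lower-cased keys.

    smb.conf is INI-like ('#'/';' comments, keys may contain spaces), which
    ConfigParser handles; interpolation is off because smb.conf values use
    '%U'-style substitutions, and strict=False tolerates repeated sections.
    """
    cp = ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return {
        section.lower(): {k.strip(): v.strip() for k, v in cp.items(section)}
        for section in cp.sections()
    }


def version_tuple(version):
    """'4.17.4' -> (4, 17, 4); a '-suffix' such as '4.8.0-rc1' is ignored."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split(".")[:3])


def audit(conf_text, samba_version):
    """Return a list of findings; an empty list means nothing was flagged.

    Rule from the thread: 'security = user' with a Kerberos realm worked while
    smbd could contact the KDC itself (before 4.8.0); from 4.8.0 on, Kerberos
    logins need winbind and a join to the domain/realm.
    """
    conf = parse_smb_conf(conf_text)
    g = conf.get("global", {})
    security = g.get("security", "user").lower()  # 'user' is Samba's default
    realm = g.get("realm")
    findings = []
    if realm and security == "user" and version_tuple(samba_version) >= WINBIND_THRESHOLD:
        findings.append(
            f"realm {realm} is set with security = user on Samba {samba_version}: "
            "since 4.8.0 smbd no longer contacts the KDC directly; Kerberos logins "
            "need winbind and a domain/realm join, or drop the realm and run a "
            "plain workgroup"
        )
    return findings


if __name__ == "__main__":
    for label, conf in (("old-style", OLD_STYLE_CONF), ("workgroup", WORKGROUP_CONF)):
        for ver in ("4.7.6", "4.17.4"):
            print(f"{label} on {ver}: {audit(conf, ver) or 'no findings'}")
```

Point the script at a real file by reading it into `audit()` together with the output of `smbd -V`; a non-empty result is the configuration the thread is about, and the two ways out are the ones Rowland names: go through winbind with a join, or run it as a plain workgroup.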