Kees van Vloten
2023-Apr-14 10:02 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 14-04-2023 at 11:31, Rowland Penny via samba wrote:
>
> On 14/04/2023 10:03, Kees van Vloten via samba wrote:
>>
>> You could try what Rowland suggests: setup AD and add the users in it.
>>
>> There is no (strict) need to join the client machines, the AD-DC
>> provides a KDC and a LDAP server. You can still use kinit on the
>> clients to authenticate and get a ticket.
>>
>> With an AD-DC and a fileserver (joined to the domain) (on separate
>> machines) your scenario will work pretty much as it always did but
>> with a recent Samba version.
>>
>> Do you see any obstacles, Rowland?
>>
>> - Kees.
>>
>
> No, provided they can get a ticket from the KDC, they will get
> authentication and they will get a better supported product.
>
> Rowland
>

I am confused by the "no", the rest of your sentence confirms exactly what I was trying to say :-) .

To summarize: Setup AD-DC and domain-join the fileserver. Let the users login on their machines locally after which they do kinit to authenticate as a user (not as a machine) to the AD. With that they also get access to the file-shares (or any other domain resource).

This is all supported by the latest Samba version, so indeed a better supported setup.

- Kees.
Rowland Penny
2023-Apr-14 10:17 UTC
[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
On 14/04/2023 11:02, Kees van Vloten via samba wrote:
>
> On 14-04-2023 at 11:31, Rowland Penny via samba wrote:
>>
>> On 14/04/2023 10:03, Kees van Vloten via samba wrote:
>>>
>>> You could try what Rowland suggests: setup AD and add the users in it.
>>>
>>> There is no (strict) need to join the client machines, the AD-DC
>>> provides a KDC and a LDAP server. You can still use kinit on the
>>> clients to authenticate and get a ticket.
>>>
>>> With an AD-DC and a fileserver (joined to the domain) (on separate
>>> machines) your scenario will work pretty much as it always did but
>>> with a recent Samba version.
>>>
>>> Do you see any obstacles, Rowland?
>>>
>>> - Kees.
>>>
>>
>> No, provided they can get a ticket from the KDC, they will get
>> authentication and they will get a better supported product.
>>
>> Rowland
>>
> I am confused by the "no",

You asked 'Do you see any obstacles', to which I said 'no', but I then clarified it by saying provided a ticket can be obtained.

Rowland