On Wed, 2023-05-10 at 17:20 +0100, Rowland Penny via samba wrote:
> The problem with ldaps is that it doesn't really work on Samba AD
> and
>
> Kerberos is more secure.

I would not be so sweeping in that statement. ldaps:// connections,
being LDAP over TLS and LDAP + StartTLS are supported well in Samba,
but the administrator should replace our self-signed certificate with a
real one.

It will work fine for a simple bind, and many, many sites deploy this
for 'ldap authentication' of web applications etc, but you should not
mix LDAPS and Kerberos, because the encryption layers are not
connected.

I would not however try to mimic a domain joined client and linux login
etc with this (as one might have long ago with an OpenLDAP server),
just join with Samba or sssd where it all 'just works'.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
On 11/05/2023 06:51, Andrew Bartlett wrote:
> On Wed, 2023-05-10 at 17:20 +0100, Rowland Penny via samba wrote:
>> The problem with ldaps is that it doesn't really work on Samba AD
>> and
>>
>> Kerberos is more secure.
>
> I would not be so sweeping in that statement.

Oh, but you would; I have only repeated what you have said previously.

> ldaps:// connections,
> being LDAP over TLS and LDAP + StartTLS are supported well in Samba,
> but the administrator should replace our self-signed certificate with a
> real one.
>
> It will work fine for a simple bind, and many, many sites deploy this
> for 'ldap authentication' of web applications etc, but you should not
> mix LDAPS and Kerberos, because the encryption layers are not
> connected.
>
> I would not however try to mimic a domain joined client and linux login
> etc with this (as one might have long ago with an OpenLDAP server),
> just join with Samba or sssd where it all 'just works'.

The problem is, the OP doesn't want to join the domain with all their
computers. Now, you and I know that, to get the best results, it is
better to join a domain; somehow we have to convince people of this.

Rowland