On 11/05/2023 06:51, Andrew Bartlett wrote:
> On Wed, 2023-05-10 at 17:20 +0100, Rowland Penny via samba wrote:
>> The problem with ldaps is that it doesn't really work on Samba AD and
>> Kerberos is more secure.
>
> I would not be so sweeping in that statement.

Oh, but you would, I have only repeated what you have said previously.

> ldaps:// connections, being LDAP over TLS and LDAP + StartTLS are
> supported well in Samba, but the administrator should replace our
> self-signed certificate with a real one.
>
> It will work fine for a simple bind, and many, many sites deploy this
> for 'ldap authentication' of web applications etc, but you should not
> mix LDAPS and Kerberos, because the encryption layers are not
> connected.
>
> I would not however try to mimic a domain joined client and linux login
> etc with this (as one might have long ago with an OpenLDAP server),
> just join with Samba or sssd where it all 'just works'.

The problem is, the OP doesn't want to join the domain with all their
computers. Now you and I know that, to get the best results, it is
better to join a domain, somehow we have to convince people of this.

Rowland
> The problem is, the OP doesn't want to join the domain with all their
> computers. Now you and I know that, to get the best results, it is
> better to join a domain, somehow we have to convince people of this.

I am convinced but do not understand everything yet :)

If I understand this correctly, I join the domain with all our client
access machines and our servers. I limit direct authentication to our
servers via group policies. Now I have, as an example, a guacamole
instance running on one of our servers. Only the domain administrator
and the server-auth group have login access. For the guacamole service
I want my users to be able to connect to guacamole via ldap (or in this
case via ldaps?). For my test scenario I would use my self-signed
certificates, but later, in a real scenario, we have access to real
ones. So with this example it sounds like the easiest and best approach
is with kinit and not ldaps. Am I right?

Matti Kaupenjohann
Fachhochschule Dortmund
University of Applied Sciences and Arts
Kaupenjohann, Matti
FB Informationstechnik, Sonnenstraße 96 - 44139 Dortmund
Raum SON-A A615
Tel 0231 9112 9371
matti.kaupenjohann at fh-dortmund.de
www.fh-dortmund.de
Think before you print!
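As an added example, not part of the thread and not Samba or Guacamole project code: a small bash script a practitioner could use to check the two things Andrew raises, namely whether the DC is still presenting its provisioning-time self-signed certificate on ldaps://, and what the two bind styles (simple bind over LDAPS versus a Kerberos/GSSAPI bind over plain ldap://) look like side by side so they are not stacked on each other. Assumptions of mine: openssl and the OpenLDAP ldapsearch client are installed; the DC hostname comes from a DC_HOST environment variable that I chose for this script; and the certificate Samba generates at provisioning carries the phrase "temporary autogenerated" in its subject/issuer names (my recollection of Samba's tlscert code; adjust the pattern if your version names it differently).

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check a Samba AD DC's ldaps:// certificate
# and show a simple bind over LDAPS next to a GSSAPI bind over ldap://.
# Assumes openssl and OpenLDAP's ldapsearch are installed.
set -u

# Returns 0 if the issuer/subject text looks like Samba's provisioning-time
# self-signed certificate. Assumption: the generated names contain the phrase
# "temporary autogenerated"; adjust the pattern if your Samba version differs.
is_samba_autogenerated_cert() {
    printf '%s\n' "$1" | grep -qi 'temporary autogenerated'
}

# Fetch the leaf certificate from HOST:636 and print its issuer and subject.
fetch_ldaps_issuer() {
    local host=$1
    openssl s_client -connect "$host:636" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer -subject
}

# Verify the presented chain against a CA bundle. A non-zero exit here means a
# TLS client such as Guacamole's JVM will refuse the connection as well.
verify_ldaps_chain() {
    local host=$1 cafile=$2
    openssl s_client -connect "$host:636" -servername "$host" -CAfile "$cafile" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Simple bind over LDAPS: TLS is what protects the password; no Kerberos involved.
# "1.1" asks for no attributes, so this is a pure bind-and-base-read check.
simple_bind_check() {
    local host=$1 binddn=$2 basedn=$3
    ldapsearch -H "ldaps://$host" -x -D "$binddn" -W -b "$basedn" -s base 1.1
}

# Kerberos bind: run kinit first; GSSAPI brings its own integrity/confidentiality,
# so use plain ldap:// here rather than layering it on top of ldaps://.
kerberos_bind_check() {
    local host=$1 basedn=$2
    ldapsearch -H "ldap://$host" -Y GSSAPI -b "$basedn" -s base 1.1
}

# Driver: only runs when DC_HOST is set (hypothetical variable chosen for this script).
if [ -n "${DC_HOST:-}" ]; then
    info=$(fetch_ldaps_issuer "$DC_HOST")
    printf '%s\n' "$info"
    if is_samba_autogenerated_cert "$info"; then
        echo "DC still presents the self-signed provisioning certificate:"
        echo "install a real one via 'tls certfile', 'tls keyfile' and 'tls cafile' in smb.conf"
    fi
fi
```

Once a certificate from a real CA is installed on the DC (the smb.conf `tls certfile`, `tls keyfile` and `tls cafile` settings), a web application such as Guacamole's LDAP extension can use `ldap-encryption-method: ssl` against port 636 with that CA present in the JVM trust store; as Andrew says, pick either the LDAPS simple bind or the GSSAPI bind for a given connection, not both stacked.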