[Samba] How to configure samba to use LDAP/Kerberos authentication without using winbind?

[Sketch]

On Thu, 19 May 2016, Steven Fu wrote:

> So now the questions are:
> 1. Does Samba has a way to support using LDAP/Kerberos without winbind.
> 2. If yes, where I can find a step-by-step guide on how to do it.
>
> (ps: please don't suggest using sssd or realm join, we know those maybe the
> right way to go in the future, but its not for this environment right now.)

I have no experience with nslcd, but just wanted to point out that you can 
use sssd in pure ldap mode without using the ad provider or realmd.  This 
is what I do, and it works just fine.  Potential caveats: my shares are on 
CentOS 6 with Samba 3.6, and don't use windows ACLs, only unix uid/gids.

Samba used to have better and more concise documentation on configuration, 
but unfortunately they appear to have removed it recently, so the fedora 
SSSD wiki directions are probably the best, if you choose to go that 
route:

https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server

A couple of notes which may possibly help you with nslcd...

You need to run "net ads join" to join the domain if you want functioning 
kerberos, as this is what causes the DC to create the required principals 
on the server side.  You don't need winbind for the join.

You need to set "kerberos method = system keytab" in your smb.conf 
_before_ you run "net ads join" (there's no harm in re-joining if you've 
already done it), or you won't have a working system keytab on the client 
(running the smbd server) which can be used by other services like ssh. 
I'm not sure if this is really necessary if you only want kerbros working 
in Samba.

sssd also handles things like automated kerberos ticket renewals.  I am 
not sure if nslcd does, you may possibly have issues with clients that 
stay connected for long periods of time if it doesn't.