[Samba] LDAP + Keytab without requiring administrator logins

Christian Kuntz c.kuntz at opendrives.com
Tue Feb 2 09:46:23 UTC 2021


Hi all!

I'm currently running Debian Buster with Samba version 4.9.5+dfsg-5+deb10u1
and trying to configure my setup to require only a keytab file and no
administrator login information, to accommodate automated smb
provisioning.

It appears that without the administrator information in the secrets.tdb
smb will simply fail to start, giving the below in logs:

[2021/02/02 00:30:28.404433,  0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2021/02/02 00:30:55.580322,  0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2021/02/02 00:37:24.710460,  0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2021/02/02 01:03:36.359209,  0] ../source3/passdb/secrets.c:364(fetch_ldap_pw)
  fetch_ldap_pw: neither ldap secret retrieved!
[2021/02/02 01:03:36.359231,  0] ../source3/passdb/pdb_ldap.c:6544(pdb_init_ldapsam_common)
  pdb_init_ldapsam_common: Failed to retrieve LDAP password from secrets.tdb
[2021/02/02 01:03:36.359239,  0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
  pdb backend ldapsam:ldap://foo.bar.buzz did not correctly init (error was NT_STATUS_NO_MEMORY)
[2021/02/02 01:06:21.950341,  0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections

I've confirmed with Kerberos and sssd that I have a connection to the
server and can acquire the TGT, but ultimately starting the service always
fails with this message so long as I set the passdb to ldapsam.

Is this something that's supported by samba and I'm missing or have bad
configs, or is this just not something that's supported? You can find
testparm/config information below.

Cheers, and thanks for your time,
Christian

Here's my testparm + krb + sssd confs

testparm:
[global]
dedicated keytab file = /etc/krb5.keytab
disable spoolss = Yes
dns proxy = No
kerberos method = dedicated keytab
ldap suffix = dc=bar,dc=buzz
load printers = No
local master = No
log file = /var/log/samba/clients/%m.log
logging = syslog@0 file
max log size = 100
max stat cache size = 65536
max xmit = 1048676
name resolve order = host wins bcast
netbios name = FOO
ntlm auth = ntlmv1-permitted
passdb backend = ldapsam:ldap://foo.bar.buzz
printcap name = /dev/null
realm = BAR.BUZZ
winbind use default domain = Yes
workgroup = BAR
idmap config bar : ldap_base_dn = dc=bar,dc=buzz
idmap config bar : ldap_url = ldap://foo.bar.buzz
idmap config bar : range = 10000-20000
idmap config bar : schema_mode = rfc2307
idmap config bar : backend = ldap
idmap config * : backend = tdb

krb5.conf sections:
[libdefaults]
dns_lookup_realm = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
default_keytab_name = FILE:/etc/krb5.keytab
dns_lookup_kdc = true
default_realm = BAR.BUZZ
[realms]
BAR.BUZZ = {
kdc = foo.bar.buzz
admin_server = foo.bar.buzz
}
[domain_realm]
.bar.buzz = BAR.BUZZ
bar.buzz = BAR.BUZZ


[sssd]
domains = bar.buzz
config_file_version = 2
services = nss, pam
[domain/bar.buzz]
id_provider = ldap
ldap_uri = ldap://foo.bar.buzz
ldap_search_base = dc=bar,dc=buzz
auth_provider = krb5
krb5_server = foo.bar.buzz
krb5_realm = BAR.BUZZ
cache_credentials = True
debug_level = 9
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/cacert.pem
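As an added example (not part of the original post or of Samba itself), a small shell helper that flattens smbd log entries in the wrapped shape shown above into one record each and flags the ldapsam bind-password failure, so the condition can be caught by monitoring rather than discovered when smbd refuses to serve. The embedded sample log is constructed and the function names are my own.

```shell
#!/bin/sh
# Flatten Samba's multi-line debug log into one "ts|level|function|message"
# record per entry. A header looks like
#   [2021/02/02 01:03:36.359209,  0] ../source3/passdb/secrets.c:364(fetch_ldap_pw)
# with the message on the next line indented two spaces; mail archives often
# wrap the source location and the message tail onto lines of their own.
samba_log_flatten() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function location_fn(loc,   a, b) {
        a = index(loc, "("); b = index(loc, ")")
        return (a > 0 && b > a) ? substr(loc, a + 1, b - a - 1) : loc
    }
    function flush() {
        if (ts != "") printf "%s|%s|%s|%s\n", ts, lvl, fn, trim(msg)
        ts = ""; lvl = ""; fn = ""; msg = ""
    }
    /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / {
        flush()
        c = index($0, "]")
        split(substr($0, 2, c - 2), hdr, ",")   # "timestamp,  level"
        ts = trim(hdr[1]); lvl = trim(hdr[2])
        rest = trim(substr($0, c + 1))         # source location unless wrapped
        if (rest != "") fn = location_fn(rest)
        next
    }
    ts == "" { next }                          # noise before the first header
    fn == "" && $0 !~ /^ / && /\.c:[0-9]+\(.*\)$/ { fn = location_fn($0); next }
    { msg = msg " " $0 }                       # message line or wrapped tail
    END { flush() }'
}

# Exit 0 when the log carries the failure from the post: pdb_ldap could not
# read its LDAP bind password from secrets.tdb, so ldapsam never initialised.
samba_ldapsam_secret_missing() {
    samba_log_flatten | grep -q '|fetch_ldap_pw|.*neither ldap secret retrieved'
}

# Constructed sample (not a real capture) in the mail-wrapped shape seen above.
SAMPLE_LOG='[2021/02/02 01:03:36.359209,  0]
../source3/passdb/secrets.c:364(fetch_ldap_pw)
  fetch_ldap_pw: neither ldap secret retrieved!
[2021/02/02 01:03:36.359239,  0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
  pdb backend ldapsam:ldap://foo.bar.buzz did not correctly init (error was
NT_STATUS_NO_MEMORY)'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | samba_log_flatten
    printf '%s\n' "$SAMPLE_LOG" | samba_ldapsam_secret_missing && echo "ldapsam secret missing"
fi
```

Run it as `sh script.sh --demo` to see the two flattened records, or pipe a real `/var/log/samba/log.smbd` into `samba_ldapsam_secret_missing` from a cron or systemd timer check.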
