[Samba] LDAP + Keytab without requiring administrator logins

Christian Kuntz c.kuntz at opendrives.com
Wed Feb 3 00:44:29 UTC 2021


Apologies for the duplicated email, replying back to the mailing list as
well:

Thanks for the response!

> As far as I am aware, only Administrator can join computers.

So if I'm understanding correctly, in order to utilize the LDAP server I
need to initialize the secrets.tdb with Administrator credentials?

> Ah, there is a problem, you cannot use sssd with Samba >= 4.8.0

I don't know if I've explained appropriately here, but sssd is providing
authentication and winbind is running allowing AD/LDAP users to mount
shares. We've found this method to work well for AD and LDAP, but are
having trouble with this particular challenge of allowing LDAP users to
mount shares without requiring the samba server to have LDAP admin
credentials, using only a fully provisioned and valid keytab.

> Why are you setting it to ldapsam ?

We want users to be resolved over LDAP, I'm under the impression from
reading the documentation and testing that this setting is required to
allow ldap users to mount shares.


From the documentation, the kerberos method setting
<https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#KERBEROSMETHOD>
seems to imply that the secrets.tdb does not need to be initialized and
only a valid keytab (which we have) is required. No matter the setting, it
will complain that it cannot find the LDAP credentials in secrets.tdb, even
when it is configured not to use it.

Christian
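To make the dependency concrete: the following shell check is an added example (not from this thread and not Samba's own tooling) that parses a constructed smb.conf [global] section and reports whether the passdb backend will demand an LDAP bind password in secrets.tdb, regardless of the kerberos method value. Because it runs offline, whether secrets.tdb already holds that password is passed in as a yes/no flag instead of being read from the real file.

```shell
# Constructed smb.conf fragment mirroring the thread: ldapsam passdb backend,
# a kerberos method pointing at the system keytab, no bind password provisioned.
write_sample_conf() {   # write_sample_conf <path>
  cat > "$1" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user
   passdb backend = ldapsam:ldap://ldap.example.internal
   ldap admin dn = cn=admin,dc=example,dc=internal
   kerberos method = system keytab
EOF
}

# Fetch one key from [global]; keys are case-insensitive and values may
# themselves contain '=' (ldap admin dn does), so split only on the first one.
conf_get() {   # conf_get <file> <key>
  awk -v key="$2" -F= '
    /^[ \t]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
    insec && !/^[ \t]*[#;]/ {
      k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
      if (tolower(k) == tolower(key)) {
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# Returns 0 when the keytab alone satisfies this config, 1 when smbd will
# still look for the LDAP admin password in secrets.tdb (set via smbpasswd -w).
needs_ldap_bind_pw() {   # needs_ldap_bind_pw <file> <secrets_has_pw: yes|no>
  backend=$(conf_get "$1" "passdb backend")
  case "$backend" in
    ldapsam*)
      if [ "$2" = yes ]; then
        echo "ldapsam: bind password present in secrets.tdb"; return 0
      fi
      # kerberos method governs the machine keytab, not the passdb LDAP bind
      echo "ldapsam: bind password missing; kerberos method = $(conf_get "$1" 'kerberos method') does not cover the passdb bind"
      return 1 ;;
    *) echo "passdb backend '$backend' does not bind to LDAP"; return 0 ;;
  esac
}
```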

On Tue, Feb 2, 2021 at 2:17 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 02/02/2021 09:46, Christian Kuntz via samba wrote:
> > Hi all!
> >
> > I'm currently running Debian Buster with samba version
> 4.9.5+dfsg-5+deb10u1
> > and trying to configure my setup to require only a keytab file and no
> > administrator login information to accommodate for automated smb
> > provisioning.
>
>
> As far as I am aware, only Administrator can join computers.
> >
> > I've confirmed with kerberos and sssd
>
>
> Ah, there is a problem, you cannot use sssd with Samba >= 4.8.0
>
> >   that I have a connection to the
> > server and can acquire the tgt, but ultimately starting the service
> always
> > fails with this message so long as I set the passdb to ldapsam.
>
>
> Why are you setting it to ldapsam ?
>
>
> >
> > Is this something that's supported by samba and I'm missing or have bad
> > configs, or is this just not something that's supported? You can find
> > testparm/config information below.
> >
>
> The use of sssd with Samba >= 4.8.0 isn't supported, you must use
> winbind if you want shares, if you only required authentication, use
> sssd by itself.
>
> Rowland
>
>
>