[Samba] LDAP + Keytab without requiring administrator logins

Andrew Bartlett abartlet at samba.org
Wed Feb 3 01:35:30 UTC 2021

On Tue, 2021-02-02 at 16:44 -0800, Christian Kuntz via samba wrote:
> > Why are you setting it to ldapsam ?
> We want users to be resolved over LDAP, I'm under the impression from
> reading the documentation and testing that this setting is required to
> allow LDAP users to mount shares.

I would warn you that you are in a very niche use case.  I take it that
you are setting up a standalone file server in a non-AD domain that
accepts Kerberos credentials issued by a 'MIT' (or Heimdal) KDC for
Unix clients.

In that case, if you have no NTLM clients then perhaps you don't need
ldapsam, and want to instead just directly map onto the nsswitch-
provided users.  Note that many other things (like group mapping) also
won't work.

If any of this is not true, and you are using an AD DC, then please join
the AD domain as per the typical instructions.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
