[Samba] LDAP + Keytab without requiring administrator logins

Rowland penny rpenny at samba.org
Wed Feb 3 09:56:15 UTC 2021

On 03/02/2021 00:44, Christian Kuntz wrote:
> Apologies for the duplicated email, replying back to the mailing list 
> as well:
> Thanks for the response!
> > As far as I am aware, only Administrator can join computers.
> So if I'm understanding correctly, in order to utilize the LDAP server 
> I need to initialize the secrets.tdb with Administrator credentials?

From my testing, yes. If you want to automate joining Samba to a 
domain, you need a keytab containing Administrators keys.

> > Ah, there is a problem, you cannot use sssd with Samba >= 4.8.0
> I don't know if I've explained appropriately here, but sssd is 
> providing authentication and winbind is running allowing AD/LDAP users 
> to mount shares. We've found this method to work well for AD and LDAP, 
> but are having trouble with this particular challenge of allowing LDAP 
> users to mount shares without requiring the samba server to have LDAP 
> admin credentials, using only a fully provisioned and valid keytab.

You don't understand, if you want to run Samba as a Unix domain member 
you cannot run sssd, they both have their own versions of the Samba 
winbind libs. Having to run winbind started from Samba 4.8.0; from that 
version, no one (including Red Hat) supports the use of sssd with 
Samba. You can use sssd without Samba for authentication, you just 
cannot use sssd with Samba.

> > Why are you setting it to ldapsam ?
> We want users to be resolved over LDAP, I'm under the impression from 
> reading the documentation and testing that this setting is required to 
> allow ldap users to mount shares.

I do not know where you are getting that idea from, perhaps you could 
provide links to the documentation you have read.

> From the documentation, the kerberos method setting seems to imply 
> that the secrets.tdb does not need to be initialized 
> <https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#KERBEROSMETHOD> and 
> only a valid keytab (which we have) is required. No matter the 
> setting, it will complain that it cannot find the LDAP credentials in 
> secrets.tdb, even when it is configured not to use it.

Your problem is that you are confusing the keytab that Samba will use 
after the join, with the keytab that is required to join the computer to 
the domain.
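The two steps the reply distinguishes, written out as an added example (this is not code from the thread or from the Samba project): a one-time join of a Unix domain member using Administrator, after which Samba authenticates with the machine account keys the join wrote to secrets.tdb and the dedicated keytab. The realm SAMDOM.EXAMPLE.COM, workgroup SAMDOM and host name fs01 are assumptions, and the `klist -k` output fed to the check is constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Samba itself.
# Assumed names: realm SAMDOM.EXAMPLE.COM, workgroup SAMDOM, host fs01.

# smb.conf fragment for a Unix domain member. With
# "kerberos method = secrets and keytab" Samba reads the machine account
# password from secrets.tdb and its Kerberos keys from the dedicated
# keytab; both are written by the join, not by hand.
SMB_CONF='[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.keytab
   winbind use default domain = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
'

# One-time step that needs Administrator: creates the computer account,
# stores its password in secrets.tdb and writes its keys to the keytab.
# Only run this on a real member (sh script.sh join).
join_domain() {
    net ads join -U Administrator
    net ads testjoin
}

# After the join, the keytab Samba uses must hold the MACHINE account
# principals (NAME$@REALM plus host/ entries), not Administrator's key.
# $1 = output of "klist -k" (MIT Kerberos), $2 = upper-case short host
# name, $3 = realm. Returns 0 when the keytab looks like a member keytab.
keytab_has_machine_keys() {
    out=$1; host=$2; realm=$3
    printf '%s\n' "$out" | grep -qF "${host}\$@${realm}" || return 1
    printf '%s\n' "$out" | grep -qF "host/" || return 1
    if printf '%s\n' "$out" | grep -qiF "Administrator@${realm}"; then
        return 1
    fi
    return 0
}

# Constructed klist -k output of a correctly joined member (assumed names).
SAMPLE_MEMBER_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fs01.samdom.example.com@SAMDOM.EXAMPLE.COM
   2 host/FS01@SAMDOM.EXAMPLE.COM
   2 FS01$@SAMDOM.EXAMPLE.COM'

# Constructed keytab holding only the Administrator key: usable to script
# the join itself, but not the keytab Samba should run with afterwards.
SAMPLE_ADMIN_KEYTAB='Keytab name: FILE:/root/admin.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 Administrator@SAMDOM.EXAMPLE.COM'

if [ "${1:-}" = "join" ]; then
    join_domain
fi

if keytab_has_machine_keys "$SAMPLE_MEMBER_KEYTAB" FS01 SAMDOM.EXAMPLE.COM; then
    echo "member keytab: machine account keys present"
fi
if ! keytab_has_machine_keys "$SAMPLE_ADMIN_KEYTAB" FS01 SAMDOM.EXAMPLE.COM; then
    echo "admin keytab: not a member keytab, use it only for the join"
fi
```

On a real member you would run `klist -k /etc/krb5.keytab` (Heimdal: `ktutil list`) and pass its output to the check; the point is that the join consumes Administrator credentials once, and the keytab left behind contains the computer account, which is all Samba needs afterwards.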


More information about the samba mailing list