[Samba] LDAP + Keytab without requiring administrator logins

Christian Kuntz c.kuntz at opendrives.com
Wed Feb 3 18:57:41 UTC 2021 

Thanks for your responses and all the information.

>From what I'm reading, I should replace what I'm doing with sssd with
winbind. Thanks for the clarification and I'll get started on that!

To return to my original question; is it possible to initialize the
secrets.tdb (I believe it stores the keytab required to join the domain by
what we have discussed) in a way that allows the machine to join an LDAP
domain without providing it with full credentials (User/Pass)?

Best,
Christian

On Wed, Feb 3, 2021 at 1:56 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 03/02/2021 00:44, Christian Kuntz wrote:
> > Apologies for the duplicated email, replying back to the mailing list
> > as well:
> >
> > Thanks for the response!
> >
> > > As far as I am aware, only Administrator can join computers.
> >
> > So if I'm understanding correctly, in order to utilize the LDAP server
> > I need to initialize the secrets.tdb with Administrator credentials?
>
>
>  From my testing, yes. If you want to automate joining Samba to a
> domain, you need a keytab containing Administrators keys.
>
> >
> > > Ah, there is a problem, you cannot use sssd with Samba >= 4.8.0
> >
> > I don't know if I've explained appropriately here, but sssd is
> > providing authentication and winbind is running allowing AD/LDAP users
> > to mount shares. We've found this method to work well for AD and LDAP,
> > but are having trouble with this particular challenge of allowing LDAP
> > users to mount shares without requiring the samba server to have LDAP
> > admin credentials, using only a fully provisioned and valid keytab.
>
>
> You don't understand, if you want to run Samba as a Unix domain member
> you cannot run sssd, they both have their own versions of the Samba
> winbind libs. Having to run winbind started from Samba 4.8.0, from that
> version, no one (including red-hat) supports the use use of sssd with
> Samba. You can use sssd without Samba for authentication, you just
> cannot use sssd with Samba.
>
> >
> > > Why are you setting it to ldapsam ?
> >
> > We want users to be resolved over LDAP, I'm under the impression from
> > reading the documentation and testing that this setting is required to
> > allow ldap users to mount shares.
>
>
> I do not know where you are getting that idea from, perhaps you could
> provide links to the documentation you have read.
>
> >
> >
> > From the documentation, the kerberos method setting seems to imply
> > that the secrets.tdb does not need to be initialized
> > <
> https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#KERBEROSMETHOD> and
>
> > only a valid keytab (which we have) is required. No matter the
> > setting, it will complain that it cannot find the LDAP credentials in
> > secrets.tdb, even when it is configured not to use it.
>
>
> Your problem is that you are confusing the keytab that Samba will use
> after the join, with the keytab that is required to join the computer to
> the domain.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list