[Samba] stand-alone server with ldap-auth without AD

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Mar 23 16:53:34 UTC 2022


You need to have an account on the LDAP server that samba can use to 
read user information including the Windows password field. Then 
you need to configure smb.conf with the server name, the search path, 
the ldap name and password.

I think what is going to be a problem is that the "NT4" Windows password 
requires a separate password field than the regular LDAP password, and 
keeping the 2 in sync will be a challenge. The client machines will 
be sending a hash of the user password to the server (rather than 
"plaintext" password over TLS.) In fact the schema on the LDAP 
server may need to be extended.





On 3/23/22 10:18, lists--- via samba wrote:
> On 23.03.2022 at 13:07, Gaiseric Vandal via samba wrote:
>> Can you provide a little more information?
> Sure - sorry!
>
> System itself: Debian Bullseye
> ldap:~# smbd -V
> Version 4.13.13-Debian
> ldap:~#
>> You want to setup a Samba server.     Some of the clients have 
>> machines that they don't want to join to the domain but they still 
>> want to access resources on your server? Presumably these are file 
>> shares ?
> Yes, they are and that's the idea ...
>> It seems to me that regardless of whether your server is joined to a 
>> domain, or is standalone, or has to access some other authentication 
>> server,    that the client users still need accounts to connect to 
>> your server.
>
> We are a Chair at a German university, and have read-only access to 
> the university's central LDAP - not to every object, but to all which 
> belong to our chair. There are accounts for each member of the 
> university, employees, students, scientists, scientific guests, etc., 
> and they are managed centrally.
> All of 'our users' should have access to network-shares, provided by 
> samba.
> As most of the students use their own (private) laptop, they don't 
> want to join the system to any AD ...
>
>> In the past I have setup Samba as "NT4" style domain controllers with 
>> an LDAP backend.      This then adds the overhead of managing an LDAP 
>> server.
> If that is suitable enough for such an environment, I'd be fine with it.
>
> But, to be honest, I have no idea how to configure samba to handle the 
> user-auth versus ldap - I always get error messages like this when 
> trying to access a share, and type in a username and password:
> [2022/03/23 14:54:06.343084,  0] 
> ../../source3/auth/auth_winbind.c:120(check_winbind_security)
>   check_winbind_security: winbindd not running - but required as 
> domain member: NT_STATUS_NO_LOGON_SERVERS
>
> nmbd gives an error:
> Mar 23 15:08:27 ldap systemd[1]: Started Samba NMB Daemon.
> Mar 23 15:08:27 ldap nmbd[916]:   daemon_ready: daemon 'nmbd' finished 
> starting up and ready to serve connections
> Mar 23 15:08:27 ldap nmbd[916]: [2022/03/23 15:08:27.633290,  0] 
> ../../source3/nmbd/nmbd_namequery.c:109(query_name_response)
> Mar 23 15:08:27 ldap nmbd[916]:   query_name_response: Multiple (2) 
> responses received for a query on subnet 10.147.166.5 for name AFP<1d>.
> Mar 23 15:08:27 ldap nmbd[916]:   This response was from IP 
> 10.147.166.2, reporting an IP address of 10.147.166.2.
> (10.147.166.2 is just another stand-alone-system on the net)
>
> While smbd seems to start fine:
> Mar 23 15:08:23 ldap systemd[1]: Started Samba SMB Daemon.
> Mar 23 15:08:24 ldap smbd[909]: [2022/03/23 15:08:24.001867,  0] 
> ../../lib/util/become_daemon.c:135(daemon_ready)
> Mar 23 15:08:24 ldap smbd[909]:   daemon_ready: daemon 'smbd' finished 
> starting up and ready to serve connections
>
> So, I guess I either misunderstood something, or mixed something in 
> smb.conf
>
> Here it is:
> [global]
> workgroup = AFP
> server string = %h
> security = user
> domain master = No
> dns proxy = no
> syslog only = no
> syslog = 5
> log file = /var/log/samba/log.%m
> max log size = 1000
> encrypt passwords = true
> wins server = 10.147.166.2
> ldap ssl = no
> idmap config DOMAIN : backend = sss
> idmap config DOMAIN : range = 10000-20000
> winbind refresh tickets = yes
> winbind use default domain = yes
> winbind offline logon = false
> winbind enum users = yes
> winbind enum groups = yes
> obey pam restrictions = no
> guest account = nobody
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> #printing = cups
> #printcap name = cups
> interfaces = 10.147.166.5/255.255.255.128 127.0.0.1/255.0.0.0
> admin users = USERID
> unix charset = UTF-8
> dos charset = cp1252
> time server = Yes
> #logon path =
> #logon home = \\%L\%u
> use sendfile = No
> os level = 25
> wide links = No
> unix extensions = yes
> map archive = No
> delete readonly = Yes
> case sensitive = auto
> mangled names = no
> unix password sync = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> [public]
> path = /srv/public
> read only = yes
> guest ok = yes
>
>> On 3/23/2022 7:25 AM, lists--- via samba wrote:
>>> Hi,
>>>
>>> is it possible to configure a stand-alone samba server with 
>>> authentication versus a readonly ldap (proxy) using 'passdb 
>>> backend = ldapsam', sssd or winbindd, or something else, but not 
>>> setting-up or joining an AD. Reason for this: ~30% of the computers 
>>> using that samba-services are private computers, whose owners don't 
>>> want to join an AD.
>>>
>>> Thanks in advance!
>>>
>>> Cheers,
>>> Torsten
>>>
>>
>
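The reply above lists what a stand-alone ldapsam setup needs (a bind account that can read the Windows password field, the server, the search base, and a password store that stays in sync), and the posted smb.conf has none of the ldap parameters while carrying winbind/idmap settings that only matter on a domain member. The script below is an added example, not part of this thread or of Samba: it parses an smb.conf the way Samba reads parameter names (case and whitespace inside a name are ignored) and reports what is missing or misleading for a stand-alone server backed by a read-only LDAP directory. The parameter names are real smb.conf options; the "corrected" configuration, its host name and its DNs are constructed placeholders.

```python
"""Sanity-check an smb.conf for a stand-alone Samba server using ldapsam.

Added example for this thread (not Samba's own tooling).  Parameter names
are real smb.conf options; POSTED_CONF is an abbreviated copy of the config
from the thread, CORRECTED_CONF is a constructed, hypothetical variant.
"""
import re

# Abbreviated from the configuration posted in the thread.
POSTED_CONF = """
[global]
workgroup = AFP
security = user
ldap ssl = no
idmap config DOMAIN : backend = sss
idmap config DOMAIN : range = 10000-20000
winbind use default domain = yes
unix password sync = yes
[public]
path = /srv/public
read only = yes
"""

# Constructed example; ldap.example.org and the DNs are placeholders.
# 'ldap passwd sync = no' because the directory is read-only for Samba.
CORRECTED_CONF = """
[global]
workgroup = AFP
security = user
passdb backend = ldapsam:ldap://ldap.example.org
ldap suffix = dc=example,dc=org
ldap user suffix = ou=people
ldap admin dn = cn=samba-reader,ou=services,dc=example,dc=org
ldap ssl = start tls
ldap passwd sync = no
[public]
path = /srv/public
read only = yes
"""

def parse_smb_conf(text):
    """Return {section: {normalized_key: value}}.  Samba ignores case and
    whitespace inside parameter names, so 'Passdb Backend' == 'passdbbackend'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" not in line or section is None:
            continue
        key, _, value = line.partition("=")
        conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def check_standalone_ldap(conf):
    """Return a list of (severity, message) findings for [global]."""
    g = conf.get("global", {})
    findings = []
    backend = g.get("passdbbackend", "tdbsam")          # Samba's default
    if not backend.startswith("ldapsam"):
        findings.append(("error", "passdb backend is %r; LDAP accounts need "
                         "'ldapsam:ldap://host'" % backend))
    if g.get("security", "auto").lower() not in ("user", "auto"):
        findings.append(("error", "stand-alone server needs 'security = user'"))
    for key, human in (("ldapsuffix", "ldap suffix"), ("ldapadmindn", "ldap admin dn")):
        if key not in g:
            findings.append(("error", "missing '%s' (search base / bind account "
                             "used to read sambaNTPassword)" % human))
    if (g.get("ldapssl", "start tls").lower() in ("no", "off")
            and not backend.startswith("ldapsam:ldaps://")):
        findings.append(("warn", "LDAP bind is not protected by TLS; use "
                         "'ldap ssl = start tls' or an ldaps:// URL"))
    if g.get("unixpasswordsync", "no").lower() in ("yes", "true"):
        findings.append(("warn", "unix password sync = yes cannot update a "
                         "read-only directory; NT hashes must be kept in sync "
                         "on the LDAP side"))
    stray = sorted(k for k in g if k.startswith(("winbind", "idmapconfig")))
    if stray:
        findings.append(("info", "only used by winbindd, which a stand-alone "
                         "server normally does not run: " + ", ".join(stray)))
    return findings

def count_by_severity(findings):
    """Tally findings as {'error': n, 'warn': n, 'info': n}."""
    counts = {"error": 0, "warn": 0, "info": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("corrected", CORRECTED_CONF)):
        print("==", name)
        for severity, msg in check_standalone_ldap(parse_smb_conf(text)):
            print("  [%s] %s" % (severity, msg))
```

The checker only looks at smb.conf; the bind password for `ldap admin dn` is not in the file but stored with `smbpasswd -w`, and the directory still has to carry the sambaSamAccount attributes for the accounts, which is the schema extension the reply refers to.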