[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Daniel Lakeland dlakelan at street-artists.org
Thu Apr 13 19:28:04 UTC 2023

I have a server that runs stand-alone with an LDAP directory and a KDC . 
The linux machines have sssd to allow unified users etc. The clients are 
mostly MacOS and Windows machines that aren't part of an AD.

This config has worked for 15 years, but after upgrading Debian and 
bringing in Samba Version 4.17.7-Debian it seems to be broken.

I believe this is related to: 

And other related discussions from earlier here: 

It seems like some significant work has gone into security for samba and 
that it's affected this kind of usage.

My question is, what settings should I try or would be expected to work 
for a Samba server that is connected to an MIT Krb5 Realm and has users 
in an LDAP directory and does not have any kind of Active Directory 
anything? Especially settings for the following:

Right now I have:

    workgroup = SOMEREALM.REALM

log level = 3

#security = user #this doesn't work either
security = ads
kerberos method = system keytab

server signing = mandatory
client signing = mandatory
smb encrypt = mandatory

server min protocol = SMB2

strict locking = no
dns proxy = no


server role = standalone server

idmap config * : backend = nss
idmap config * : range = 1000-70000
idmap config * : read only = yes

More information about the samba mailing list