[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
Daniel Lakeland
dlakelan at street-artists.org
Thu Apr 13 19:28:04 UTC 2023
I have a server that runs stand-alone with an LDAP directory and a KDC.
The Linux machines have sssd to allow unified users etc. The clients are
mostly macOS and Windows machines that aren't part of an AD.

This config has worked for 15 years, but after upgrading Debian and
bringing in Samba Version 4.17.7-Debian it seems to be broken.

I believe this is related to:
https://lists.samba.org/archive/samba/2021-November/238720.html

And other related discussions from earlier here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001053

It seems like some significant work has gone into security for Samba and
that it's affected this kind of usage.

My question is, what settings should I try or would be expected to work
for a Samba server that is connected to an MIT Krb5 Realm and has users
in an LDAP directory and does not have any kind of Active Directory
anything? Especially settings for the following:

Right now I have:
workgroup = SOMEREALM.REALM
log level = 3
#security = user #this doesn't work either
security = ads
realm = SOMEREALM.REALM
kerberos method = system keytab
server signing = mandatory
client signing = mandatory
smb encrypt = mandatory
server min protocol = SMB2
strict locking = no
dns proxy = no
...
server role = standalone server
idmap config * : backend = nss
idmap config * : range = 1000-70000
idmap config * : read only = yes