[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Daniel Lakeland dlakelan at street-artists.org
Thu Apr 13 20:08:34 UTC 2023

On 4/13/23 12:50, Zombie Ryushu via samba wrote:

> Not as an ADS Server, I think you can still do that weird 
> OpenLDAP/Kerberos enhanced Samba Classic NT Domain mode, but what you 
> will create is not something Modern Windows can log in to. But you 
> have to set Samba to be an NT4 PDC with OpenLDAP backend and Kerberos 
> Frontend. I think the last Windows OS to support this is Windows 7.

Note that Windows 10 machines were perfectly fine with doing all of this 
a week ago until the version of Samba changed.

Also note that in this usage these devices are individual people's 
personal laptops and a mixture of Windows Home/Pro and MacOS versions 
from 5 years ago or more to now. Some of these people volunteer in the 
lab for 4 months, others are students for 6 years. Neither the users nor 
I want them to join their personal laptops to a domain they neither 
control nor trust. They want local logins on their machines and to 
get a ticket and connect to the SMB server. The LDAP users with Kerberos 
tickets should not be able to log into the individual client machines. 
There is in essence "one way authorization": the client with a Kerberos 
ticket is authorized to access the SMB server. There is no reciprocity 
to the client. This is 100% intentional and by design.

What settings would be required to make this work?
