[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Rowland Penny rpenny at samba.org
Thu Apr 13 20:19:13 UTC 2023

On 13/04/2023 21:08, Daniel Lakeland via samba wrote:
> On 4/13/23 12:50, Zombie Ryushu via samba wrote:
>> Not as an ADS Server, I think you can still do that Weird 
>> OpenLDAP/Kerberos enhanced Samba Classic NT Domain mode, but what you 
>> will create is not something Modern Windows can log in to. But you 
>> have to set Samba to be an NT4 PDC with OpenLDAP backend and Kerberos 
>> Frontend. I think the last Windows OS to support this is Windows 7.
> Note that Windows 10 machines were perfectly fine with doing all of this 
> a week ago until the version of Samba changed.
> Also note that in this usage these devices are individual people's 
> personal laptops and a mixture of Windows Home/Pro and MacOS versions 
> from 5 years ago or more to now. Some of these people volunteer in the 
> lab for 4 months, others are students for 6 years. Neither the users nor 
> I want them to join their personal laptops to a domain they have no 
> control nor trust over. They want local logins on their machines and to 
> get a ticket and connect to the SMB server. The LDAP users with Kerberos 
> tickets should not be able to log into the individual client machines. 
> There is in essence "one way authorization": the client with a Kerberos 
> ticket is authorized to access the SMB server. There is no reciprocity 
> to the client. This is 100% intentional and by design.
> What settings would be required to make this work?

What version of Debian were you running?
What version of Samba were you running?

This could be just something as simple as you were running a version of 
Samba <= 4.8.0 and need to install and run winbind.

