[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Rowland Penny rpenny at samba.org
Thu Apr 13 21:15:36 UTC 2023



On 13/04/2023 21:37, Daniel Lakeland via samba wrote:
> On 4/13/23 13:19, Rowland Penny via samba wrote:
>>
>> What version of Debian were you running?
>> What version of Samba were you running?
>>
>> This could be just something as simple as you were running a version 
>> of Samba <= 4.8.0 and need to install and run winbind.
>>
>> Rowland
>>
>>
> It would have been probably Debian Testing circa 2019 or something, 
> let's say it was samba less than 4.8.0.
> 
> I now have winbind installed via apt.
> 
> If I do
> 
> security = ads
> 
> It fails to start and says:
> 
> [2023/04/13 13:32:37.039004,  0] 
> ../../source3/winbindd/winbindd_util.c:1235(init_domain_list)
>    Could not fetch our SID - did we join?

Exactly what it says: it expects the computer to be joined to a domain.

> 
> if I do
> 
> security = user
> 
> It starts and says:
> 
> [2023/04/13 13:34:06.986150,  3] 
> ../../source3/winbindd/winbindd_util.c:291(add_trusted_domain)
>    add_trusted_domain: Added domain [BUILTIN] [(null)] [S-1-5-32]
> [2023/04/13 13:34:06.986190,  3] 
> ../../source3/winbindd/winbindd_util.c:291(add_trusted_domain)
>    add_trusted_domain: Added domain [CHIMERA] [(null)] 
> [S-1-5-21-2096409422-4100730907-3425993654]
> [2023/04/13 13:34:06.986522,  3] 
> ../../librpc/rpc/dcesrv_core.c:2619(dcerpc_register_ep_server)
>    DCERPC endpoint server 'winbind' registered
> [2023/04/13 13:34:06.991408,  2] 
> ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
>    Registered MSG_REQ_POOL_USAGE
> 
> Where chimera is the hostname of the server.

It is attempting to connect to the Samba running on the computer.

> 
> security = user is the config that used to work before the upgrade.

The Samba daemon smbd before 4.8.0 could connect to AD (or in this case 
a Kerberos KDC) directly, but from 4.8.0 it has to go via winbind and 
has to be joined to the domain/Kerberos realm.

You appear to be running a workgroup, but in the manner of a domain. 
Perhaps you should run it as a workgroup; you will then find out why AD 
domains replaced them.

Rowland
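
Added example, not part of the original message and not Samba's own code: Python that reassembles the winbindd log entries quoted above (the mail client wrapped header, source location and message onto separate lines) and picks out the two things the reply points at, the level-0 "did we join?" failure under security = ads and the domain winbindd registers under security = user. The function names are this example's own.

```python
import re

# Samba debug header: "[YYYY/MM/DD HH:MM:SS.usec,  LEVEL]", optionally followed
# by "path/file.c:LINE(function)" (mail wrapping pushes that onto the next line).
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d [\d:.]+),\s+(\d+)\]\s*(.*)")
LOCATION = re.compile(r"\S+:\d+\((\w+)\)")
ADDED = re.compile(r"Added domain \[([^\]]+)\] \[[^\]]*\] \[(S-[\d-]+)\]")

# Log lines copied from the quoted message above, mail quoting included.
SAMPLE = """\
> [2023/04/13 13:32:37.039004,  0] 
> ../../source3/winbindd/winbindd_util.c:1235(init_domain_list)
>    Could not fetch our SID - did we join?
>
> [2023/04/13 13:34:06.986190,  3] 
> ../../source3/winbindd/winbindd_util.c:291(add_trusted_domain)
>    add_trusted_domain: Added domain [CHIMERA] [(null)] 
> [S-1-5-21-2096409422-4100730907-3425993654]
"""

def parse_entries(text):
    """Return one dict per log entry: time, level, function, message."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()          # drop mail quoting and indent
        m = HEADER.match(line)
        if m:
            cur = {"time": m[1], "level": int(m[2]), "function": None, "message": ""}
            entries.append(cur)
            line = m[3]                          # location may share the header line
        elif not line:
            cur = None                           # blank line ends the entry
        if cur is None or not line:
            continue
        loc = LOCATION.fullmatch(line)
        if loc and cur["function"] is None:
            cur["function"] = loc[1]
        else:
            cur["message"] = (cur["message"] + " " + line).strip()
    return entries

def not_joined(entries):
    """Level-0 entries where winbindd reports it has no domain SID (no join)."""
    return [e for e in entries if e["level"] == 0 and "Could not fetch our SID" in e["message"]]

def registered_domains(entries):
    """(name, SID) pairs winbindd logged from add_trusted_domain."""
    return [m.groups() for e in entries
            if e["function"] == "add_trusted_domain" and (m := ADDED.search(e["message"]))]
```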