[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Daniel Lakeland dlakelan at street-artists.org
Thu Apr 13 21:42:37 UTC 2023

On 4/13/23 14:15, Rowland Penny via samba wrote:
>> security = user is the config that used to work before the upgrade.
> The Samba daemon smbd before 4.8.0 could connect to AD (or in this 
> case a kerberos kdc) directly, but from 4.8.0 it has to go via winbind 
> and has to be joined to the domain/kerberos realm.
> You appear to be running a workgroup, but in the manner of a domain, 
> perhaps you should run it as a workgroup, you will then find out why 
> AD domains replaced them. 

I'd like to reiterate, literally none of these people, many of whom are 
volunteers, want to join their personal laptops to an overarching AD 
domain. They don't want everyone who has ever volunteered in this lab 
for 3 weeks to have a login on their home laptop. No one wants to be a 
part of an AD domain, and it would be a HUGE security failure to do so. 
Imagine if, as a student, to work for a few months in a lab you had to 
make 100 copies of your front door key, and they would be handed out to 
anyone who had ever worked in this lab in the past 15 years? Same idea.

What they want is to get a ticket from a KDC and use it to prove 
they're authorized to connect to an SMB server. They have Kerberos set 
up and can get the tickets.

This worked 100% fine for 15 years. Now it doesn't. I'm fine with 
altering my configuration as needed to make it work now. What should I 
do? It's a huge regression if this fails to work anymore.

Does anyone have an idea?
