[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
Daniel Lakeland
dlakelan at street-artists.org
Thu Apr 13 21:42:37 UTC 2023
On 4/13/23 14:15, Rowland Penny via samba wrote:
>
>
>
>>
>> security = user is the config that used to work before the upgrade.
>
> The Samba daemon smbd before 4.8.0 could connect to AD (or in this
> case a kerberos kdc) directly, but from 4.8.0 it has to go via winbind
> and has to be joined to the domain/kerberos realm.
>
> You appear to be running a workgroup, but in the manner of a domain,
> perhaps you should run it as a workgroup, you will then find out why
> AD domains replaced them.
I'd like to reiterate, literally none of these people, many of whom are
volunteers, want to join their personal laptops to an overarching AD
domain. They don't want everyone who has ever volunteered in this lab
for 3 weeks to have a login on their home laptop. No-one wants to be a
part of an AD domain and it would be a HUGE security failure to do so.
Imagine if as a student to work for a few months in a lab you had to
make 100 copies of your front door key, and they would be handed out to
anyone who had ever worked in this lab in the past 15 years? Same idea.
What they want, is to get a ticket from a KDC and use it to prove
they're authorized to connect to an SMB server. They have kerberos set
up and can get the tickets.
This worked 100% fine for 15 years. Now it doesn't. I'm fine with
altering my configuration as needed to make it work now. What should I
do? It's a huge regression if this fails to work anymore.
Does anyone have an idea?
More information about the samba
mailing list