[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Rowland Penny rpenny at samba.org
Thu Apr 13 22:17:39 UTC 2023

On 13/04/2023 22:42, Daniel Lakeland via samba wrote:
> On 4/13/23 14:15, Rowland Penny via samba wrote:
>>> security = user is the config that used to work before the upgrade.
>> The Samba daemon smbd before 4.8.0 could connect to AD (or in this 
>> case a kerberos kdc) directly, but from 4.8.0 it has to go via winbind 
>> and has to be joined to the domain/kerberos realm.
>> You appear to be running a workgroup, but in the manner of a domain, 
>> perhaps you should run it as a workgroup, you will then find out why 
>> AD domains replaced them. 
> I'd like to reiterate, literally none of these people, many of whom are 
> volunteers, want to join their personal laptops to an overarching AD 
> domain. They don't want everyone who has ever volunteered in this lab 
> for 3 weeks to have a login on their home laptop. No-one wants to be a 
> part of an AD domain and it would be a HUGE security failure to do so. 
> Imagine if as a student to work for a few months in a lab you had to 
> make 100 copies of your front door key, and they would be handed out to 
> anyone who had ever worked in this lab in the past 15 years? Same idea.
> What they want, is to get a ticket from a KDC and use it to prove 
> they're authorized to connect to an SMB server. They have kerberos set 
> up and can get the tickets.
> This worked 100% fine for 15 years. Now it doesn't. I'm fine with 
> altering my configuration as needed to make it work now. What should I 
> do? It's a huge regression if this fails to work anymore.
> Does anyone have an idea?

This is a very unusual way of doing things and has been superseded by 
AD, but I wonder if it can be made to work ? Perhaps it is just an 
authentication problem, Your users will need to exist in a kerberos 
database and the computer will have to know where to find them. Do you 
have libnss-windbind libpam-winbind and libpam-krb5 installed ?

After that, I am lost, as I said, you are running a workgroup as a 
domain, without actually being a domain.

One problem is that you are running ldap, this usually means lots of 
users and the best to deal with lots of users is a domain.


More information about the samba mailing list