[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Kees van Vloten keesvanvloten at gmail.com
Fri Apr 14 09:03:55 UTC 2023


Op 14-04-2023 om 00:55 schreef Daniel Lakeland via samba:
> Ok after installing libpam-winbind etc I had someone try to connect 
> from a MacOS and they got:
>
>
> [2023/04/13 15:50:50.002773,  1] 
> ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
>   auth3_generate_session_info_pac: Unexpected PAC for 
> [testuser at OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
> [2023/04/13 15:50:50.002891,  3] 
> ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
> status[NT_STATUS_BAD_TOKEN_TYPE] || at 
> ../../source3/smbd/smb2_sesssetup.c:147
> [2023/04/13 15:50:59.914944,  3] 
> ../../source3/smbd/server_exit.c:229(exit_server_common)
>   Server exit (NT_STATUS_END_OF_FILE)
>
> So it looks like her Mac tried to use her Kerberos identity but the 
> Samba daemon didn't like that because it is "in standalone mode".
>
> The Samba settings during this test were:
>
>
> security = user
> realm = OURREALM.REALM
> kerberos method = system keytab
>
> server role = standalone server
>
>
You could try what Rowland suggests: set up AD and add the users in it.

There is no (strict) need to join the client machines, the AD-DC 
provides a KDC and an LDAP server. You can still use kinit on the clients 
to authenticate and get a ticket.

With an AD-DC and a fileserver (joined to the domain) (on separate 
machines) your scenario will work pretty much as it always did but with 
a recent Samba version.

Do you see any obstacles, Rowland?

- Kees.
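As an added illustration (not part of the thread), the standalone smb.conf quoted above is shown next to the domain-member configuration for the file server that Kees describes; a standalone server rejects a Kerberos ticket carrying a PAC (the NT_STATUS_BAD_TOKEN_TYPE above), while a domain member validates it against the AD-DC. The workgroup name and idmap ranges are placeholders, since the thread does not give them.

```ini
; --- Before: standalone server (as quoted in the thread) ---
; A standalone server cannot validate a PAC-bearing Kerberos ticket,
; so a domain-joined Mac using its Kerberos identity is refused.
[global]
    security        = user
    realm           = OURREALM.REALM
    kerberos method = system keytab
    server role     = standalone server

; --- After: file server joined to the AD-DC as a domain member ---
; The DC (provisioned separately) supplies the KDC and LDAP; the file
; server only needs to be a member so it can verify tickets and PACs.
[global]
    workgroup       = OURREALM            ; placeholder: NetBIOS domain name
    realm           = OURREALM.REALM
    security        = ADS
    server role     = member server
    ; keytab is maintained from the machine account created at join time
    kerberos method = secrets and keytab

    ; idmap: default backend for well-known SIDs, rid backend for the domain
    idmap config * : backend       = tdb
    idmap config * : range         = 3000-7999      ; placeholder range
    idmap config OURREALM : backend = rid
    idmap config OURREALM : range   = 10000-999999  ; placeholder range
```

After writing this file the host still has to be joined to the domain (with net ads join) before the member configuration takes effect.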



