[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
Christian Naumer
christian.naumer at greyfish.net
Fri Apr 14 09:47:38 UTC 2023
We are only talking about joining your server to your REALM, not the clients.
It is possible to do this. See this example for FreeIPA:
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html#domain-member-configuration-overview
But as you can see it is more complicated than just joining a Windows
domain.
I think you should be able to do this with pam_krb and the nss IDMAP
backend. But you will have to set up the keytab of your server etc.
Regards
Christian
On 14.04.23 at 00:55, Daniel Lakeland via samba wrote:
> Ok after installing libpam-winbind etc I had someone try to connect from
> a MacOS and they got:
>
>
> [2023/04/13 15:50:50.002773, 1]
> ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
> auth3_generate_session_info_pac: Unexpected PAC for
> [testuser at OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
> [2023/04/13 15:50:50.002891, 3]
> ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_BAD_TOKEN_TYPE] || at
> ../../source3/smbd/smb2_sesssetup.c:147
> [2023/04/13 15:50:59.914944, 3]
> ../../source3/smbd/server_exit.c:229(exit_server_common)
> Server exit (NT_STATUS_END_OF_FILE)
>
> So it looks like her mac tried to use her Kerberos identity but the
> Samba daemon didn't like that because "in standalone mode"
>
> the samba settings during this test were:
>
>
> security = user
> realm = OURREALM.REALM
> kerberos method = system keytab
>
> server role = standalone server
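As an added example (not code from the thread, from Samba, or from either poster), here is a small Python parser for the smbd log format quoted above. It groups each `[timestamp, level]` header with its continuation lines, pulls out the source location and any NT_STATUS codes, and flags the "Unexpected PAC ... in standalone mode" rejection, which is the server-side signature of a Kerberos client hitting a `server role = standalone server`. It also checks an smb.conf fragment for the combination that produces it (a `realm` configured while the role is standalone). The sample log and config below are constructed from the thread's excerpt; the principal is written with `@` as it appears in a real log (the list archive renders it as " at ").

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on the smbd excerpt quoted in the thread.
# Real smbd logs put the header and source location on one line and indent
# the message on the following line(s).
SAMPLE_LOG = """\
[2023/04/13 15:50:50.002773,  1] ../../source3/auth/auth_generic.c:211(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Unexpected PAC for [testuser@OURREALM.REALM] in standalone mode - NT_STATUS_BAD_TOKEN_TYPE
[2023/04/13 15:50:50.002891,  3] ../../source3/smbd/smb2_server.c:3961(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_BAD_TOKEN_TYPE] || at ../../source3/smbd/smb2_sesssetup.c:147
[2023/04/13 15:50:59.914944,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)
"""

# Constructed smb.conf fragment matching the settings quoted in the thread.
SAMPLE_CONF = """\
[global]
security = user
realm = OURREALM.REALM
kerberos method = system keytab
server role = standalone server
"""

HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]")
LOCATION_RE = re.compile(r"(?P<file>[\w./-]+\.c):(?P<line>\d+)\((?P<func>\w+)\)")
NTSTATUS_RE = re.compile(r"NT_STATUS_[A-Z0-9_]+")
PAC_REJECT_RE = re.compile(r"Unexpected PAC for \[(?P<principal>[^\]]+)\] in standalone mode")


@dataclass
class LogEntry:
    timestamp: str
    level: int
    function: Optional[str]      # function named in the source location, if any
    text: str                    # location plus message, whitespace-collapsed
    statuses: List[str] = field(default_factory=list)


def _build(header: "re.Match", lines: List[str]) -> LogEntry:
    text = " ".join(l.strip() for l in lines if l.strip())
    loc = LOCATION_RE.search(text)
    return LogEntry(
        timestamp=header.group("ts"),
        level=int(header.group("level")),
        function=loc.group("func") if loc else None,
        text=text,
        statuses=sorted(set(NTSTATUS_RE.findall(text))),
    )


def parse_samba_log(raw: str) -> List[LogEntry]:
    """Each header line starts an entry; every following line up to the next
    header belongs to it (so a wrapped location line is handled too)."""
    entries: List[LogEntry] = []
    header = None
    body: List[str] = []
    for line in raw.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                entries.append(_build(header, body))
            header, body = m, [line[m.end():]]
        elif header is not None:
            body.append(line)
    if header is not None:
        entries.append(_build(header, body))
    return entries


def standalone_pac_rejections(entries: List[LogEntry]) -> List[Tuple[str, str]]:
    """(timestamp, principal) for each ticket smbd refused because the server
    runs as a standalone server and cannot consume the PAC in the ticket."""
    hits = []
    for e in entries:
        m = PAC_REJECT_RE.search(e.text)
        if m and "NT_STATUS_BAD_TOKEN_TYPE" in e.statuses:
            hits.append((e.timestamp, m.group("principal")))
    return hits


def check_smb_conf(conf: str) -> List[str]:
    """Flag a realm configured alongside the standalone role: clients with a
    Kerberos ticket will try it, and smbd will reject the PAC."""
    settings = {}
    for line in conf.splitlines():
        if "=" in line and not line.lstrip().startswith(("#", ";", "[")):
            key, value = line.split("=", 1)
            settings[" ".join(key.split()).lower()] = value.strip()
    problems = []
    if settings.get("server role") == "standalone server" and "realm" in settings:
        problems.append("realm is set but server role is standalone: Kerberos "
                        "tickets carrying a PAC will fail with NT_STATUS_BAD_TOKEN_TYPE")
    return problems


if __name__ == "__main__":
    for ts, who in standalone_pac_rejections(parse_samba_log(SAMPLE_LOG)):
        print(f"{ts}: PAC rejected in standalone mode for {who}")
    for p in check_smb_conf(SAMPLE_CONF):
        print("smb.conf:", p)
```

Running it over a real log (`parse_samba_log(open("/var/log/samba/log.smbd").read())`) gives a quick answer to "is this a client problem or a server-role problem": a PAC rejection at level 1 in `auth3_generate_session_info_pac` means the server role, not the Mac, is what needs changing.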