[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Daniel Lakeland dlakelan at street-artists.org
Fri Apr 14 16:02:04 UTC 2023

On 4/14/23 02:47, Christian Naumer via samba wrote:
> We are only talking about joining your server to your REALM not the 
> clients.
> It is possible to do this. See this example for FreeIPA:
> https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html#domain-member-configuration-overview 
> But as you can see it is more complicated that just joining a Windows 
> domain.
> I think you should be able to do this with pam_krb and the nss IDMAP 
> backend. But you will have to setup the keytab of your server etc.

Can you suggest how? Remember, the server is a member of the Kerberos 
realm already (and has been for 15 years), everyone can ssh into it 
using kerberos keys, you can NFS4 to it with Kerberos keys, and it has 
LDAP through 389-ds so that the users are unified across all the Linux 
machines. It runs sssd and sssd provides pam_sss which uses Kerberos. 
Kerberos and a keytab and all of that works fine. Also, Samba worked 
fine since 2008 when this was all set up and has been maintained 
continuously, until the upgrade. Now we can't figure out if there is any 
way for us to tell Samba to "don't worry about the AD extensions to LDAP 
and Kerberos, with SIDs and etc, just check the Kerberos ticket and let 
the user access the files if the user is an authentic unix user"

Any help would be appreciated. I'm beginning to suspect this 
functionality was lost.

What it comes down to is, what combination of Samba smb.conf settings 
should I try?

More information about the samba mailing list