[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Daniel Lakeland dlakelan at street-artists.org
Fri Apr 14 16:02:04 UTC 2023


On 4/14/23 02:47, Christian Naumer via samba wrote:
> We are only talking about joining your server to your REALM not the 
> clients.
>
> It is possible to do this. See this example for FreeIPA:
>
> https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html#domain-member-configuration-overview 
>
>
> But as you can see it is more complicated than just joining a Windows 
> domain.
>
> I think you should be able to do this with pam_krb and the nss IDMAP 
> backend. But you will have to setup the keytab of your server etc.


Can you suggest how? Remember, the server is a member of the Kerberos 
realm already (and has been for 15 years), everyone can ssh into it 
using Kerberos keys, you can NFS4 to it with Kerberos keys, and it has 
LDAP through 389-ds so that the users are unified across all the Linux 
machines. It runs sssd and sssd provides pam_sss which uses Kerberos. 
Kerberos and a keytab and all of that works fine. Also, Samba worked 
fine since 2008 when this was all set up and has been maintained 
continuously, until the upgrade. Now we can't figure out if there is any 
way for us to tell Samba to "don't worry about the AD extensions to LDAP 
and Kerberos, with SIDs and etc, just check the Kerberos ticket and let 
the user access the files if the user is an authentic unix user"

Any help would be appreciated. I'm beginning to suspect this 
functionality was lost.

What it comes down to is, what combination of Samba smb.conf settings 
should I try?
