[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Rowland Penny rpenny at samba.org
Fri Apr 14 16:16:29 UTC 2023

On 14/04/2023 17:02, Daniel Lakeland via samba wrote:
> On 4/14/23 02:47, Christian Naumer via samba wrote:
>> We are only talking about joining your server to your REALM not the 
>> clients.
>> It is possible to do this. See this example for FreeIPA:
>> https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html#domain-member-configuration-overview
>> But as you can see it is more complicated that just joining a Windows 
>> domain.
>> I think you should be able to do this with pam_krb and the nss IDMAP 
>> backend. But you will have to setup the keytab of your server etc.
> Can you suggest how? Remember, the server is a member of the Kerberos 
> realm already (and has been for 15 years), everyone can ssh into it 
> using kerberos keys, you can NFS4 to it with Kerberos keys, and it has 
> LDAP through 389-ds so that the users are unified across all the Linux 
> machines. It runs sssd and sssd provides pam_sss which uses Kerberos. 
> Kerberos and a keytab and all of that works fine. Also, Samba worked 
> fine since 2008 when this was all set up and has been maintained 
> continuously, until the upgrade. Now we can't figure out if there is any 
> way for us to tell Samba to "don't worry about the AD extensions to LDAP 
> and Kerberos, with SIDs and etc, just check the Kerberos ticket and let 
> the user access the files if the user is an authentic unix user"
> Any help would be appreciated. I'm beginning to suspect this 
> functionality was lost.
> What it comes down to is, what combination of Samba smb.conf settings 
> should I try?

This intrigued me, so I went and tried this and you need three computers:

A samba AD DC (perhaps a computer just running a KDC, but I didn't try this)
A Samba Unix domain member running as a fileserver
A Samba Standalone server as the client

You can get a kerberos ticket on the client and then use this to connect 
to a share on the fileserver, which is as far as I went, it worked.

A very lot of work for very little return and I cannot be sure how 
fragile it will be.


More information about the samba mailing list