[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
Ralph Boehme
slow at samba.org
Fri Apr 14 17:37:20 UTC 2023
On 4/14/23 19:20, Rowland Penny via samba wrote:
>
>
> On 14/04/2023 17:48, Daniel Lakeland via samba wrote:
>> On 4/14/23 09:16, Rowland Penny via samba wrote:
>>>
>>>
>>> This intrigued me, so I went and tried this and you need three
>>> computers:
>>>
>>> A Samba AD DC (perhaps a computer just running a KDC, but I didn't
>>> try this)
>>> A Samba Unix domain member running as a fileserver
>>> A Samba Standalone server as the client
>>
>> The problem is that number 2 here is talking to an AD DC, what I want
>> is number 2 here is talking to a KDC.
>
> Whatever happens, you are going to have to join a computer to a KDC, I
> just used what I know as a proof of concept.
> The problem, as far as I could see, is that the fileserver has to have a
> 'cifs' SPN and I could only get this on a joined computer. I could get a
> Kerberos ticket on the client from the AD DC (KDC), but couldn't do
> anything with it, because of the lack of the cifs SPN.
>
>>
>> How do I make the unix samba server authenticate the client without an
>> AD but with a simple KDC?
>
> No idea, I have no use for such a setup, so have never tried. I think,
> unless someone has already done what you require, you may be on your own.
This has been quite a common setup in certain environments. IIRC it
should still work. IIRC when we applied security hardening recently we
changed to reject service tickets with a PAC when we're running in
security=user mode, but the details escape my mind.
-slow
--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba
SAMBA+ packages https://samba.plus/