[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Christian Naumer christian.naumer at greyfish.net
Fri Apr 14 18:20:30 UTC 2023

Am 14.04.23 um 18:02 schrieb Daniel Lakeland via samba:
> Any help would be appreciated. I'm beginning to suspect this 
> functionality was lost.

There where some people that posted here with the same Problem.

I have never done this. So everything from here is just "having an 
educated guess".

If you look at the link I posted, there is a smb.conf given. I would 
take that as a starting point an leave out IPA where possible.

There idmap backend = sss is given. Does that exist on Debian? If not 
idmap nss should work for you.

What I also think is important is:

dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab


# We force 'member server' role to allow winbind automatically
# discover what is supported by the domain controller side
server role = member server
realm = IPA.REALM
netbios name = ${machine_name}
workgroup = ${netbios_name}

Apparently FreeIPA also has something like SID. Does your REALM have 
something like that?

In the mean time I tried to find some examples I found this (where you 
also posted)


This says two things other have this working with Samba >4.8 (4.13 in 
the Bug report) which means it should work for you (expect for this 
Bug). There are also some smb.conf given in that report.

Don't know if the above will help you...



More information about the samba mailing list