[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Robert Schetterer rs at sys4.de
Fri Apr 14 19:49:14 UTC 2023


On 14.04.23 at 20:01, Rowland Penny via samba wrote:
> 
> 
> On 14/04/2023 18:37, Ralph Boehme via samba wrote:
>> On 4/14/23 19:20, Rowland Penny via samba wrote:
>>>
>>>
>>> On 14/04/2023 17:48, Daniel Lakeland via samba wrote:
>>>> On 4/14/23 09:16, Rowland Penny via samba wrote:
>>>>>
>>>>>
>>>>> This intrigued me, so I went and tried this and you need three 
>>>>> computers:
>>>>>
>>>>> A samba AD DC (perhaps a computer just running a KDC, but I didn't 
>>>>> try this)
>>>>> A Samba Unix domain member running as a fileserver
>>>>> A Samba Standalone server as the client
>>>>
>>>> The problem is that number 2 here is talking to an AD DC, what I 
>>>> want is number 2 here is talking to a KDC.
>>>
>>> Whatever happens, you are going to have to join a computer to a KDC, 
>>> I just used what I know as a proof of concept.
>>> The problem, as far as I could see, is that the fileserver has to 
>>> have a 'cifs' SPN and I could only get this on a joined computer. I 
>>> could get a kerberos ticket on the client from the AD DC (KDC), but 
>>> couldn't do anything with it, because of the lack of the cifs SPN.
>>>
>>>>
>>>> How do I make the unix samba server authenticate the client without 
>>>> an AD but with a simple KDC?
>>>
>>> No idea, I have no use for such a set up, so have never tried. I 
>>> think, unless someone has already done what you require, you may be 
>>> on your own.
>>
>> this has been a quite common setup in certain environments. Iirc it 
>> should still work. Iirc when we applied security hardening recently we 
>> changed to reject service tickets with a PAC when we're running in 
>> security=user mode, but the details escape my mind.
>>
>> -slow
>>
>>
> 
> It may be a common setup, but it isn't one I have come across before 
> (which doesn't mean much), but I think I have proof it should still 
> work, but perhaps just not as it did.
> It doesn't help that Daniel isn't sure what version of Samba he was 
> using and on what version of Debian (?). If we could find out these, we 
> may be able to track down what changed and when.
> 
> Rowland
> 
FYI perhaps involved

Microsoft crashed a lot of Linux Kerberos machines at my AD site by an 
update in November 2022

https://learn.microsoft.com/en-us/windows/release-health/resolved-issues-windows-server-2022#2953msgdesc

they fixed it later with

https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#2961


-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
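The thread above pins the failure on the fileserver lacking a 'cifs' SPN: the client can obtain a ticket from the KDC, but the SMB server has no matching cifs/ key to accept it. The following POSIX shell snippet is an added example (not code from the thread or from the Samba project) that checks a keytab listing for such a principal. It assumes MIT-style `klist -k` output; the sample listings and the hostname fileserver.example.test are constructed placeholders, and `check_live_keytab` is a hypothetical wrapper that runs the real `klist` on the host.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a keytab listing
# contains a cifs/<fqdn>@REALM entry, the SPN the fileserver needs before
# a Kerberos service ticket for SMB can be accepted.

# Constructed sample resembling MIT `klist -k` output (placeholder names).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver.example.test@EXAMPLE.TEST
   2 cifs/fileserver.example.test@EXAMPLE.TEST'

# Constructed sample of a keytab that has only the host/ principal.
SAMPLE_KEYTAB_NO_CIFS='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver.example.test@EXAMPLE.TEST'

# has_cifs_spn LISTING FQDN
# Exit 0 if the listing has a cifs/FQDN@... principal, 1 otherwise.
# Column 2 of each entry line is the principal; header lines never match.
has_cifs_spn() {
    printf '%s\n' "$1" | awk -v fqdn="$2" '
        $2 ~ "^cifs/" fqdn "@" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_live_keytab KEYTAB FQDN (hypothetical helper)
# Runs the real klist against a keytab on this host and applies the check.
check_live_keytab() {
    has_cifs_spn "$(klist -k "$1")" "$2"
}

# Usage on a fileserver:
#   check_live_keytab /etc/krb5.keytab "$(hostname -f)" \
#       && echo "cifs SPN present" || echo "cifs SPN missing"
```

If the check fails on a server that is a domain member, the usual cause is that the cifs/ SPN was never added to the host's account or never exported into the keytab; the thread's observation that the SPN was only obtainable on a joined computer is consistent with that.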