[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Robert Schetterer rs at sys4.de
Fri Apr 14 19:49:14 UTC 2023

Am 14.04.23 um 20:01 schrieb Rowland Penny via samba:
> On 14/04/2023 18:37, Ralph Boehme via samba wrote:
>> On 4/14/23 19:20, Rowland Penny via samba wrote:
>>> On 14/04/2023 17:48, Daniel Lakeland via samba wrote:
>>>> On 4/14/23 09:16, Rowland Penny via samba wrote:
>>>>> This intrigued me, so I went and tried this and you need three 
>>>>> computers:
>>>>> A samba AD DC (perhaps a computer just running a KDC, but I didn't 
>>>>> try this)
>>>>> A Samba Unix domain member running as a fileserver
>>>>> A Samba Standalone server as the client
>>>> The problem is that number 2 here is talking to an AD DC, what I 
>>>> want is number 2 here is talking to a KDC.
>>> Whatever happens, you are going to have to join a computer to a KDC; 
>>> I just used what I know as a proof of concept.
>>> The problem, as far as I could see, is that the fileserver has to 
>>> have a 'cifs' SPN and I could only get this on a joined computer. I 
>>> could get a Kerberos ticket on the client from the AD DC (KDC), but 
>>> couldn't do anything with it, because of the lack of the cifs SPN.
>>>> How do I make the unix samba server authenticate the client without 
>>>> an AD but with a simple KDC?
>>> No idea, I have no use for such a set up, so have never tried. I 
>>> think, unless someone has already done what you require, you may be 
>>> on your own.
>> This has been a quite common setup in certain environments. IIRC it 
>> should still work. IIRC when we applied security hardening recently we 
>> changed to reject service tickets with a PAC when we're running in 
>> security=user mode, but the details escape my mind.
>> -slow
> It may be a common setup, but it isn't one I have come across before 
> (which doesn't mean much), but I think I have proof it should still 
> work, but perhaps just not as it did.
> It doesn't help that Daniel isn't sure what version of Samba he was 
> using and on what version of Debian (?). If we could find out these, we 
> may be able to track down what changed and when.
> Rowland
FYI perhaps involved

Microsoft crashed a lot of Linux Kerberos machines at my AD site with an 
update in November

they fixed it later with

[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
