[Samba] Is LDAP + Kerberos without Active Directory no longer supported?
Daniel Lakeland
dlakelan at street-artists.org
Fri Apr 14 19:52:22 UTC 2023
On 4/14/23 11:20, Christian Naumer via samba wrote:
> On 14.04.23 at 18:02, Daniel Lakeland via samba wrote:
>> Any help would be appreciated. I'm beginning to suspect this
>> functionality was lost.
>
> There were some people that posted here with the same problem.
>
> I have never done this. So everything from here is just "having an
> educated guess".
>
> If you look at the link I posted, there is a smb.conf given. I would
> take that as a starting point and leave out IPA where possible.
>
> There idmap backend = sss is given. Does that exist on Debian? If not
> idmap nss should work for you.
Oh, ok, let me check this out. Yes, I believe this is available to me.
>
> What I also think is important is:
>
> dedicated keytab file = FILE:/etc/samba/samba.keytab
> kerberos method = dedicated keytab
>
Hmm. Ok, I am using the system keytab, but I could go this route if needed.
>
> and
>
> # We force 'member server' role to allow winbind automatically
> # discover what is supported by the domain controller side
> server role = member server
> realm = IPA.REALM
> netbios name = ${machine_name}
> workgroup = ${netbios_name}
>
> Apparently FreeIPA also has something like SID. Does your REALM have
> something like that?
No, I have no SID field in the LDAP database; it's a pure Unix RFC 2798 or
whatever type of schema, inetOrgPerson etc. I think this is where winbind
simply refuses to work: it expects a SID.
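As an added example (not part of the thread, and not Samba's own tooling), here is a small POSIX shell pre-flight checker for the smb.conf settings discussed above: the member server role, realm, workgroup, the dedicated keytab pair, and an idmap backend of either sss or nss. It normalises parameter names the way Samba does (case and internal whitespace are ignored), so "Kerberos Method" and "kerberos method" are treated as the same key. The sample configuration it writes is constructed for illustration; the realm, workgroup and netbios name in it are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: pre-flight check for the smb.conf settings discussed in the thread.
# Not Samba's own tooling; it only inspects the [global] section of a config file.

# smbconf_get FILE KEY -> prints the value of KEY from [global], exit 1 if absent.
# Samba ignores case and whitespace in parameter names, so we normalise both.
smbconf_get() {
    file=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' \t')
    awk -v want="$want" '
        /^[ \t]*[#;]/ { next }                                  # skip comments
        /^[ \t]*\[/   { sect = tolower($0); gsub(/\[|\]|[ \t]/, "", sect); next }
        sect == "global" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); key = tolower(key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == want) { print val; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# check_member_config FILE -> 0 if every setting needed for a Kerberos/LDAP
# member server (as quoted in the thread) is present and sane, 1 otherwise.
# Each problem is printed on its own line.
check_member_config() {
    file=$1
    rc=0
    for key in "server role" "realm" "workgroup" "kerberos method" "dedicated keytab file"; do
        if ! smbconf_get "$file" "$key" >/dev/null; then
            echo "missing: $key"; rc=1
        fi
    done
    role=$(smbconf_get "$file" "server role") || true
    if [ -n "$role" ] && [ "$role" != "member server" ]; then
        echo "server role should be 'member server', got '$role'"; rc=1
    fi
    # The thread suggests 'idmap config * : backend = nss' where sss is unavailable.
    backend=$(smbconf_get "$file" "idmap config * : backend") || {
        echo "missing: idmap config * : backend"; rc=1
    }
    case "$backend" in
        sss|nss|"") ;;
        *) echo "idmap backend '$backend' is neither sss nor nss"; rc=1 ;;
    esac
    return $rc
}

# write_sample FILE -> writes a constructed smb.conf modelled on the snippet
# quoted above. Realm, workgroup and netbios name are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
[global]
   # We force 'member server' role to allow winbind automatically
   # discover what is supported by the domain controller side
   server role = member server
   realm = EXAMPLE.REALM
   netbios name = fileserver
   workgroup = EXAMPLE
   dedicated keytab file = FILE:/etc/samba/samba.keytab
   Kerberos Method = dedicated keytab
   idmap config * : backend = nss
   idmap config * : range = 10000-999999
EOF
}

# Stand-alone demo: write the sample, check it, show one normalised lookup.
demo=$(mktemp)
write_sample "$demo"
check_member_config "$demo" && echo "all required settings present"
smbconf_get "$demo" "kerberos method"
rm -f "$demo"
```

Run it against the real file with `check_member_config /etc/samba/smb.conf`; it is deliberately read-only and does not replace `testparm`, which should still be run afterwards to let Samba itself validate the file.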