[Samba] Is LDAP + Kerberos without Active Directory no longer supported?

Daniel Lakeland dlakelan at street-artists.org
Fri Apr 14 19:52:22 UTC 2023

On 4/14/23 11:20, Christian Naumer via samba wrote:
> Am 14.04.23 um 18:02 schrieb Daniel Lakeland via samba:
>> Any help would be appreciated. I'm beginning to suspect this 
>> functionality was lost.
> There where some people that posted here with the same Problem.
> I have never done this. So everything from here is just "having an 
> educated guess".
> If you look at the link I posted, there is a smb.conf given. I would 
> take that as a starting point an leave out IPA where possible.
> There idmap backend = sss is given. Does that exist on Debian? If not 
> idmap nss should work for you.

Oh ok, let me check this out, yes I believe this is available to me.

> What I also think is important is:
> dedicated keytab file = FILE:/etc/samba/samba.keytab
> kerberos method = dedicated keytab
Hmm. ok I am using system keytab, but I could go this route if needed.

> and
> # We force 'member server' role to allow winbind automatically
> # discover what is supported by the domain controller side
> server role = member server
> realm = IPA.REALM
> netbios name = ${machine_name}
> workgroup = ${netbios_name}
> Apparently FreeIPA also has something like SID. Does your REALM have 
> something like that?

No I have no SID field in the LDAP database, it's a pure Unix rfc2798 or 
whatever type schema inetOrgPerson etc. I think this is where winbind 
simply refuses to work, it expects an SID.

More information about the samba mailing list