[Samba] Setup LDAPS or other solution for ldap

Rowland Penny rpenny at samba.org
Wed May 10 16:20:39 UTC 2023



On 10/05/2023 17:01, Kees van Vloten via samba wrote:
> 
> On 10-05-2023 at 11:33, matti.kaupenjohann wrote:
>>> It will work, as long as you can authenticate either with 
>>> user/password or with kerberos you can run ldap queries. 
>> As far as I understand, Kerberos can work on systems which are not a 
>> domain member, but I cannot find any instruction on how to achieve a 
>> correct setup. Most instructions begin with the setup of a KDC, which 
>> makes no sense, since I already have the samba dc. The approach worked 
>> fine for my server which is already a domain member. But my non domain 
>> member does not have kerberos installed, so the command kinit is obviously not 
>> available. What bothers me as well: Is running "sudo kinit 
>> administrator" on a non domain member really possible? How does kinit 
>> know what the DC is?
>>
>> Matti
>>
> Indeed, Samba-AD-DC includes a KDC; the only thing you have to do is to 
> set up the kerberos client on the client machines and point it to your DC.
> 
> Now you can use kinit to get a ticket.
> 
> You can also create a machine account or a service account (do set a 
> random password), export the keytab and use that on your client so that 
> services (like apache) can interact with kerberos without the machine 
> being a domain-member.
> 
> 
> - Kees.
> 
> 

As far as I remember, it was never mentioned that it was required for 
ldap searches to work on a non domain machine with kerberos; what I 
posted will work on a domain member.

If you are going down the kerberos path on a non domain joined machine, 
then you are going to need a search user in AD (with a password) and its 
keytab.

The problem with ldaps is that it doesn't really work on Samba AD and 
Kerberos is more secure.

Rowland
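As an added example (not from the thread or from Samba's own documentation), the client-side pieces Kees describes: a krb5.conf that tells kinit where the Samba DC is, a keytab for a search account created with a random password, and a GSSAPI-authenticated ldapsearch. The realm SAMDOM.EXAMPLE.COM, the host dc1.samdom.example.com and the account name ldapsearch are placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing list thread: a non-domain-member client
# using Kerberos against a Samba AD DC for LDAP queries. Realm, host and
# account names are placeholders to be replaced with your own.
set -eu

# Write a minimal krb5.conf. The [realms] kdc entry is the answer to "how does
# kinit know what the DC is": the Samba DC is the KDC. With dns_lookup_kdc the
# client can alternatively locate the DC via the _kerberos SRV records that the
# Samba DC's DNS serves, provided the client resolves names through that DNS.
write_krb5_conf() {   # $1 = realm (upper case), $2 = DC FQDN, $3 = output path
    cat > "$3" <<EOF
[libdefaults]
    default_realm = $1
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    $1 = {
        kdc = $2
        admin_server = $2
    }
EOF
}

# Run an LDAP query using the Kerberos ticket in the default credential cache.
# -Y GSSAPI authenticates with the ticket; Samba AD negotiates SASL signing and
# sealing on the connection, which is why LDAPS is not needed for confidentiality.
ldap_query() {        # $1 = DC FQDN, $2 = base DN, $3 = LDAP filter
    ldapsearch -LLL -Y GSSAPI -H "ldap://$1" -b "$2" "$3"
}

if [ "${1:-}" = "run" ]; then
    REALM=SAMDOM.EXAMPLE.COM
    DC=dc1.samdom.example.com
    write_krb5_conf "$REALM" "$DC" /etc/krb5.conf
    # On the DC, once: create the search account with a random password and
    # export its keytab, then copy it to the client as /etc/ldapsearch.keytab
    # (mode 0600, owned by the service that will use it):
    #   samba-tool user create ldapsearch --random-password
    #   samba-tool domain exportkeytab /root/ldapsearch.keytab --principal=ldapsearch
    # On the client: obtain a ticket from the keytab (no interactive password).
    kinit -k -t /etc/ldapsearch.keytab "ldapsearch@$REALM"
    ldap_query "$DC" 'DC=samdom,DC=example,DC=com' '(sAMAccountName=matti)'
fi
```

Run as `sh thisscript.sh run` on the client; without the `run` argument the script only defines the functions.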