[Samba] Setup LDAPS or other solution for ldap

Rowland Penny rpenny at samba.org
Thu May 11 09:18:18 UTC 2023



On 11/05/2023 09:51, matti.kaupenjohann via samba wrote:
> 
>> The problem is, the OP doesn't want to join the domain with all their 
>> computers. Now you and I know that, to get the best results, it is 
>> better to join a domain, somehow we have to convince people of this.
> 
> I am convinced but do not understand everything yet:)
> 
> If I understand this correctly, I join the domain with all our client 
> access machines and our servers. I limit the direct authentication to 
> our servers via group policies. Now I have as example a guacamole 
> instance running on one of our servers. Only the domain-administrator 
> and the server-auth-group has login access. For the guacamole service I 
> want that my users can connect to guacamole via ldap (or in this case 
> via ldaps?). For my test scenario I would use my self-signed 
> certificates, but later in a real scenario we have access to real ones. 
> So with this example it sounds like the easiest and best approach with 
> kinit and not ldaps. Am I right?
> 

I am no longer sure, Andrew has said previously that using kerberos 
instead of ldaps is more secure because it is encrypted 'end-to-end', 
but now he seems to be saying something different. He has also 
previously said that ldaps doesn't work fully on Samba AD and to use 
kerberos instead, but again, he now seems to be saying the opposite.

However, if Apache Guacamole can use kerberos (and it should be able 
to), then it will be easier to use, but only from a domain joined 
machine. On a non-joined machine, it should be possible to make it work, but 
it will require much more configuration and maintenance.

The reason that domains came about was that admins had to duplicate work 
on numerous machines and then keep them in sync. With domains, you only 
have one point of major maintenance.

Rowland
