[Pkg-samba-maint] Bug#1034417: samba: Samba can no longer authenticate users via Kerberos from a standalone KDC

Daniel Lakeland dlakelan at street-artists.org
Fri Apr 14 18:49:37 BST 2023


Package: samba
Version: Installed: 2:4.17.7+dfsg-1
Severity: important
Tags: upstream
X-Debbugs-Cc: dlakelan at street-artists.org

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

For 15 years I've been using samba in a situation where the server is standalone,
and has users provided by LDAP and a Kerberos KDC. The server uses sssd and works fine for ssh,
login, and every other Kerberos-enabled thing.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Upgraded samba from previous version, not sure which version but would have been 4.8-ish.


   * What was the outcome of this action?

samba no longer works with Kerberos unless it is joined to a full 
Microsoft Active Directory Domain Controller.

Please see discussions on the samba mailing list in the thread starting here:

https://lists.samba.org/archive/samba/2023-April/244842.html

The situation appears to be that samba moved to using winbindd to do authentication, and this 
combination samba + winbindd can't imagine a scenario in which there is a KDC which is not an AD DC.

What I want, and what has worked for 15 years, and clearly has been done by plenty of other people in the
past based on Google searches, is that a client gets a ticket from the KDC and uses it to authenticate
to a standalone samba server which is not a part of an AD DC but IS a part of an MIT Kerberos KDC realm.

It appears that this is an upstream "bug" in which a particular use case simply did not get considered
when rearchitecting the samba security system, and hence disappeared. However it affects Debian users
who have been using this technique such as myself, and certainly others.

This is probably related to previous bugs and other users have corroborated having related issues: 

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001053

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899269


