[Samba] Fail kerberos method = secrets and keytab and net offlinejoin requestodj

Rowland Penny rpenny at samba.org
Sat Feb 17 09:28:54 UTC 2024


On Sat, 17 Feb 2024 02:42:27 +0100
Simon FONTENEAU via samba <samba at lists.samba.org> wrote:

> Hello
> 
> I don't know if this is normal behavior (does the djoin have the
> spn?):

No idea, never used offline join.

> 
> When I have kerberos method in smb.conf:
> 
> kerberos method = secrets and keytab
> 
> Joining with offlinejoin does not work:
> 
> root at testjoinlinux:/# net offlinejoin requestodj loadfile=/root/djoin
> ===============================================================
> INTERNAL ERROR: Signal 11: Erreur de segmentation in net () () pid
> 3088 (4.19.4-Debian)
> If you are running a recent Samba version, and if you think this
> problem is not yet fixed in the latest versions, please consider
> reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting

First Samba should never segfault, so please follow the link above.

Next, what do you have in /root/djoin?
Where are you running this command? It is, as far as I can see,
supposed to be run on a different machine to the one you are trying to
offline join.

The problem, at least partially, appears to be a lack of documentation
on this feature. It was introduced at 4.15.0 and if you read the
relevant release notes, you will find this:

Support for Offline Domain Join (ODJ)
The net utility is now able to support the offline domain join feature
as known from the Windows djoin.exe command for many years. Samba's
implementation is accessible via the 'net offlinejoin' subcommand. It
can provision computers and request offline joining for both Windows
and Unix machines. It is also possible to provision computers from
Windows (using djoin.exe) and use the generated data in Samba's 'net'
utility. The existing options for the provisioning and joining steps
are documented in the net(8) manpage. 

So you do what it says and read the net manpage, where you will find
this:

OFFLINEJOIN
Starting with version 4.15 Samba has support for offline join APIs.
Windows supports offline join capabilities since Windows 7 and Windows
2008 R2.

The following offline commands are implemented:
net offlinejoin provision - Provisions a machine account in AD.
net offlinejoin requestodj - Requests a domain offline join.

OFFLINEJOIN REQUESTODJ loadfile=FILENAME
Requests an offline domain join by providing file-based provisioning
data. This command supports the following additional parameters:

•   LOADFILE is a required parameter to load the provisioning from a file.

Example: net offlinejoin requestodj -U administrator%secret loadfile=provisioning.txt

Absolutely no information on just what data is required in the 'loadfile'.

Perhaps the person that added this feature might like to comment?

Rowland


