[Samba] Fail kerberos method = secrets and keytab and net offlinejoin requestodj
Simon FONTENEAU
sfonteneau at tranquil.it
Mon Feb 19 11:21:53 UTC 2024
Hello everyone,
For the context, I'm trying to add support for offline join in WAPT WADS
OS deployment [1]. Currently WADS supports offline join of Windows
computers, and I want to add support for Linux computers using SSSD as an
authentication client (for the persons who might dismiss this mail
because of certain keywords, yes it is related to sssd, but it
triggers a Samba bug). I also reuse the system keytab for wapt agent auth.
On samba 4.19, if you add the following lines in smb.conf file
**BEFORE** running offlinejoin, net offlinejoin coredumps:
    kerberos method = secrets and keytab
    dedicated keytab file = FILE:/etc/krb5.keytab
With a minimal /etc/samba/smb.conf, net offlinejoin does work. Edit
smb.conf:
    [global]
    workgroup = DOMAIN
    security = ADS
    realm = AD.DOMAIN.LAN
Then run offlinejoin:
    net offlinejoin requestodj loadfile=/root/djoin.blob
To get the keytab file, you can then add the "kerberos method" and
"dedicated keytab file" mentioned above **AFTER** offlinejoin, and then
run:
    net ads keytab create
Now I have a system keytab /etc/krb5.keytab file for SSSD and WAPT.
I'll file a bugzilla entry for this coredump.
Cheers,
Simon
PS: I know I can recreate a keytab from secrets.tdb, this mail was just
a follow-up to my previous email and the coredump scenario.
PPS : I know a coredump is not a proper error handling mechanism
PPPS : this is not an SSSD vs Winbind argument, just trying to make sssd
work out of the box after silent automatic deployment
[1] https://www.wapt.fr/en/doc/
On 17/02/2024 at 02:42, Simon FONTENEAU via samba wrote:
> Hello
>
> I don't know if this is normal behavior (does the djoin have the spn?):
>
> When I have kerberos method in smb.conf :
>
> kerberos method = secrets and keytab
>
> Joining with offlinejoin does not work:
>
> root at testjoinlinux:/# net offlinejoin requestodj loadfile=/root/djoin
> ===============================================================
> INTERNAL ERROR: Signal 11: Erreur de segmentation in net () () pid 3088 (4.19.4-Debian)
> If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
> ===============================================================
> PANIC (pid 3088): Signal 11: Erreur de segmentation in 4.19.4-Debian
> BACKTRACE: 17 stack frames:
> #0 /usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(log_stack_trace+0x2e) [0x7f11c70db5be]
> #1 /usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(smb_panic+0x9) [0x7f11c70db859]
> #2 /usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(+0x28f1) [0x7f11c70db8f1]
> #3 /lib/x86_64-linux-gnu/libc.so.6(+0x3c050) [0x7f11c6bd4050]
> #4 /usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_search+0x3) [0x7f11c7f03f63]
> #5 /usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_find_machine_acct+0x130) [0x7f11c7f053a0]
> #6 /usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_get_service_principal_names+0x45) [0x7f11c7f069d5]
> #7 /usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_keytab_create_default+0xdd) [0x7f11c7f104cd]
> #8 /lib/x86_64-linux-gnu/libnetapi.so.1(libnet_Join+0x13c9) [0x7f11c805ae19]
> #9 /lib/x86_64-linux-gnu/libnetapi.so.1(NetRequestOfflineDomainJoin_l+0x229) [0x7f11c8029059]
> #10 /lib/x86_64-linux-gnu/libnetapi.so.1(NetRequestOfflineDomainJoin+0xdd) [0x7f11c8022c6d]
> #11 net(net_offlinejoin_requestodj+0xff) [0x562f957fcdff]
> #12 net(net_offlinejoin+0xa5) [0x562f957fd795]
> #13 net(main+0xaca) [0x562f957b4cda]
> #14 /lib/x86_64-linux-gnu/libc.so.6(+0x2724a) [0x7f11c6bbf24a]
> #15 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x85) [0x7f11c6bbf305]
> #16 net(_start+0x21) [0x562f957b4ef1]
> Can not dump core: corepath not set up
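
The ordering described in this message (join first, add the keytab settings afterwards) can be enforced by a provisioning script with a preflight check on smb.conf. This is an added example, not code from the original post, Samba or WAPT; the function names `smb_conf_kerberos_method`, `offlinejoin_preflight` and `safe_offlinejoin` are hypothetical, and the sample smb.conf is constructed.

```shell
#!/bin/sh
# Added example (not Samba or WAPT code): refuse to run the offline join while
# smb.conf still carries the setting this post reports crashing net on 4.19.

# Print the [global] "kerberos method" value, normalised; empty if unset.
# Settings outside [global] are ignored; the last assignment wins.
smb_conf_kerberos_method() {
    awk '
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[/ {                             # section header
            s = tolower($0)
            gsub(/[ \t]/, "", s)
            in_global = (s == "[global]")
            next
        }
        in_global && index($0, "=") {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", name)               # names ignore case and spaces
            if (name == "kerberosmethod") {
                val = tolower(substr($0, index($0, "=") + 1))
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                gsub(/[ \t]+/, " ", val)
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# Return 1 if CONF sets the value reported in the thread, 0 otherwise.
offlinejoin_preflight() {
    method=$(smb_conf_kerberos_method "$1")
    if [ "$method" = "secrets and keytab" ]; then
        echo "kerberos method = $method: remove it until after the join" >&2
        return 1
    fi
    return 0
}

# Hypothetical wrapper: CONF is the smb.conf path, BLOB the djoin blob.
safe_offlinejoin() {
    offlinejoin_preflight "$1" || return 1
    net --configfile="$1" offlinejoin requestodj loadfile="$2"
}

# Constructed sample: the failing configuration from the post.
sample=$(mktemp)
printf '[global]\nworkgroup = DOMAIN\nsecurity = ADS\nKerberos  Method = secrets and keytab\n' > "$sample"
if offlinejoin_preflight "$sample" 2>/dev/null; then echo "ok to join"; else echo "blocked"; fi
rm -f "$sample"
```

Once `safe_offlinejoin` succeeds, the two keytab settings can be added to `[global]` and `net ads keytab create` run, as in the message above.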