[Samba] Fail kerberos method = secrets and keytab and net offlinejoin requestodj

Rowland Penny rpenny at samba.org
Mon Feb 19 11:53:16 UTC 2024


On Mon, 19 Feb 2024 12:21:53 +0100
Simon FONTENEAU via samba <samba at lists.samba.org> wrote:

> Hello everyone,
> 
> For the context, I'm trying to add support for offline join in WAPT
> WADS OS deployment [1]. Currently WADS supports offline join of
> Windows computers, and I want to add support for Linux computers using
> SSSD as an authentication client (for the persons who might dismiss
> this mail because of certain keywords, yes it is related to sssd,
> but it triggers a Samba bug). I also reuse the system keytab for wapt
> agent auth.

Why are you using sssd with Samba?
In my opinion, you only need one, not both, yes they will both do
authentication, but if you require shares, then you need the Samba smbd
binary, which in turn requires winbindd, and winbindd and sssd both do
the same thing, and using sssd limits you to the 'sss' idmap backend.

I personally do not see the point in using sssd with Samba, it gains
you nothing, loses a lot and requires you to configure two conf files,
but, hey, it is your decision.

> 
> On samba 4.19, if you add the following lines in smb.conf file 
> **BEFORE** running offlinejoin, net offlinejoin coredumps:
> 
>      kerberos method = secrets and keytab
>      dedicated keytab file = FILE:/etc/krb5.keytab
> 
> With a minimal /etc/samba/smb.conf, net offlinejoin does work. Edit 
> smb.conf :
> 
>      [global]
>      workgroup = DOMAIN
>      security = ADS
>      realm = AD.DOMAIN.LAN
> 
> Then run offlinejoin :
> 
>      net offlinejoin requestodj  loadfile=/root/djoin.blob
> 
> To get the keytab file, you can then add the "kerberos method" and 
> "dedicated keytab file" mentioned above **AFTER** offlinejoin, and
> then run :
> 
>      net ads keytab create
> 
> Now I have a system keytab /etc/krb5.keytab file for SSSD and WAPT.
> 
> I'll file a bugzilla entry for this coredump.

Thank you.

> 
> Cheers,
> 
> Simon
> 
> PS: I know I can recreate a keytab from secrets.tdb, this mail was
> just a follow-up to my previous email and the coredump scenario.
> 
> PPS : I know a coredump is not a proper error handling mechanism
> 
> PPPS : this is not a SSSD vs Winbind argument, just trying to make
> sssd work out of the box after silent automatic deployment

It sounds to me (who has never tried an offline join) that this is
something else that sssd cannot do by itself.

Rowland
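The ordering Simon describes (minimal smb.conf first, offline join, and only then the "kerberos method" / "dedicated keytab file" lines followed by "net ads keytab create") can be scripted so that a deployment tool cannot get it wrong. The script below is an added example written for this page, not code from Simon, WAPT or the Samba project. It assumes that the smb.conf path, the djoin blob path and the keytab path are passed in by the caller, that net(8) is pointed at that smb.conf with its standard -s/--configfile option, and that setting DRY_RUN skips the two net calls (for testing on a host that is not joined to a domain). The refusal when the keytab settings are already present before the join is the guard against the crash reported in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Scripts the workaround from
# the post: join first with a minimal smb.conf, add the keytab settings only
# afterwards, then create the system keytab.
#
# Assumptions (not stated in the post): paths come from the caller, net(8) is
# given the config with -s, and DRY_RUN=1 skips the net calls for testing.

# Stage 1: the minimal [global] section from the post.
#   $1 = smb.conf path, $2 = workgroup, $3 = realm
write_minimal_smb_conf() {
    cat > "$1" <<EOF
[global]
    workgroup = $2
    security = ADS
    realm = $3
EOF
}

# True when smb.conf already carries the "kerberos method" setting, i.e. the
# state in which the post reports that net offlinejoin requestodj coredumps
# on Samba 4.19.
has_keytab_settings() {
    grep -q '^[[:space:]]*kerberos method' "$1"
}

# Stage 2: append the two settings exactly once.
#   $1 = smb.conf path, $2 = keytab path
append_keytab_settings() {
    has_keytab_settings "$1" && return 0
    cat >> "$1" <<EOF
    kerberos method = secrets and keytab
    dedicated keytab file = FILE:$2
EOF
}

# Run the join in the order the post found to work.
#   $1 = smb.conf path, $2 = djoin blob, $3 = keytab path
offline_join() {
    conf=$1; blob=$2; keytab=$3
    if has_keytab_settings "$conf"; then
        echo "refusing: 'kerberos method' is already set in $conf;" \
             "add it only after the offline join" >&2
        return 1
    fi
    if [ -z "$DRY_RUN" ]; then
        net -s "$conf" offlinejoin requestodj loadfile="$blob" || return 1
    fi
    append_keytab_settings "$conf" "$keytab"
    if [ -z "$DRY_RUN" ]; then
        net -s "$conf" ads keytab create || return 1
    fi
}

# Usage on a real host (paths taken from the post):
#   write_minimal_smb_conf /etc/samba/smb.conf DOMAIN AD.DOMAIN.LAN
#   offline_join /etc/samba/smb.conf /root/djoin.blob /etc/krb5.keytab
```

Running offline_join a second time against the same smb.conf returns non-zero instead of calling net, which is the case that crashed in the post; whether that refusal is the right policy for a re-join is a decision for the deployment tool, not something this example settles.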
