[Samba] Fail kerberos method = secrets and keytab and net offlinejoin requestodj

Simon FONTENEAU sfonteneau at tranquil.it
Tue Feb 20 08:39:49 UTC 2024


Oops, the ticket already existed:
https://bugzilla.samba.org/show_bug.cgi?id=15389

Simon

On 19/02/2024 at 12:53, Rowland Penny via samba wrote:
> On Mon, 19 Feb 2024 12:21:53 +0100
> Simon FONTENEAU via samba <samba at lists.samba.org> wrote:
>
>> Hello everyone,
>>
>> For the context, I'm trying to add support for offline join in WAPT
>> WADS OS deployment [1]. Currently WADS supports offline join of
>> Windows computers, and I want to add support for Linux computers using
>> SSSD as an authentication client (for the people who might dismiss
>> this mail because of certain keywords: yes, it is related to sssd,
>> but it triggers a Samba bug). I also reuse the system keytab for wapt
>> agent auth.
> Why are you using sssd with Samba ?
> In my opinion, you only need one, not both, yes they will both do
> authentication, but if you require shares, then you need the Samba smbd
> binary, which in turn requires winbindd and winbindd and sssd both do
> the same thing and using sssd limits you to the 'sss' idmap backend.
>
> I personally do not see the point in using sssd with Samba, it gains
> you nothing, loses a lot and requires you to configure two conf files,
> but, hey, it is your decision.
>
>> On samba 4.19, if you add the following lines in smb.conf file
>> **BEFORE** running offlinejoin, net offlinejoin coredumps:
>>
>>       kerberos method = secrets and keytab
>>       dedicated keytab file =FILE:/etc/krb5.keytab
>>
>> With a minimal /etc/samba/smb.conf, net offlinejoin does work. Edit
>> smb.conf:
>>
>>       [global]
>>       workgroup = DOMAIN
>>       security = ADS
>>       realm = AD.DOMAIN.LAN
>>
>> Then run offlinejoin :
>>
>>       net offlinejoin requestodj  loadfile=/root/djoin.blob
>>
>> To get the keytab file, you can then add the "kerberos method" and
>> "dedicated keytab file" lines mentioned above **AFTER** offlinejoin, and
>> then run:
>>
>>       net ads keytab create
>>
>> Now I have a system keytab /etc/krb5.keytab file for SSSD and WAPT.
>>
>> I'll file a bugzilla entry for this coredump.
> Thank you.
>
>> Cheers,
>>
>> Simon
>>
>> PS: I know I can recreate a keytab from secrets.tdb; this mail was
>> just a follow-up to my previous email and the coredump scenario.
>>
>> PPS: I know a coredump is not a proper error handling mechanism.
>>
>> PPPS: this is not a SSSD vs Winbind argument, I am just trying to make
>> sssd work out of the box after silent automatic deployment.
> It sounds to me (who has never tried an offline join) that this is
> something else that sssd cannot do by itself.
>
> Rowland
>
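The ordering the thread arrives at (join with a minimal smb.conf, add the two keytab settings only after the join, then create the keytab), as an added shell helper that is neither from the thread nor from Samba. The config and keytab paths, the refusal check for a config that already carries the settings, and the klist sanity check are my assumptions.

```shell
#!/bin/sh
# Added example: apply the ordering from the thread (join with a minimal
# smb.conf, add the keytab settings only after the join, then create the keytab).
# SMB_CONF and KEYTAB defaults are assumptions; override them via the environment.
set -eu

SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Write the minimal [global] section that net offlinejoin accepts.
# $1 = config path, $2 = workgroup, $3 = realm
write_minimal_conf() {
    printf '[global]\n\tworkgroup = %s\n\tsecurity = ADS\n\trealm = %s\n' "$2" "$3" > "$1"
}

# Succeed (exit 0) when the config already carries both settings that crash
# net offlinejoin when present before the join (bug 15389). $1 = config path
has_keytab_settings() {
    grep -Eiq '^[[:space:]]*kerberos[[:space:]]+method[[:space:]]*=' "$1" &&
    grep -Eiq '^[[:space:]]*dedicated[[:space:]]+keytab[[:space:]]+file[[:space:]]*=' "$1"
}

# Append the two settings once, idempotently. $1 = config path, $2 = keytab path
add_keytab_settings() {
    if ! has_keytab_settings "$1"; then
        printf '\tkerberos method = secrets and keytab\n\tdedicated keytab file = FILE:%s\n' "$2" >> "$1"
    fi
}

# Whole procedure; refuses to start if the crashing settings are already present.
# $1 = djoin blob path
offline_join() {
    if has_keytab_settings "$SMB_CONF"; then
        echo "refusing: keytab settings already in $SMB_CONF before offlinejoin" >&2
        return 1
    fi
    net offlinejoin requestodj loadfile="$1"
    add_keytab_settings "$SMB_CONF" "$KEYTAB"
    net ads keytab create
    klist -k "$KEYTAB"   # sanity check: the new keytab should list the host principals
}

# Only run the join when a blob path is given, so the file can also be sourced.
if [ -n "${1:-}" ]; then
    offline_join "$1"
fi
```

Run as `sh offline-join.sh /root/djoin.blob` after placing the minimal smb.conf; the blob itself is produced on the Windows side as in the thread.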