[Samba] Keytab MEMORY:cifs_srv_keytab is nonexistent or empty

Rowland penny rpenny at samba.org
Thu May 6 17:24:48 UTC 2021


On 06/05/2021 17:45, Kees van Vloten wrote:
> On 06-05-2021 18:34, Rowland penny via samba wrote:
>> On 06/05/2021 17:24, Jeremy Monnet wrote:
>>> Hi,
>>>
>>> On Thu, May 6, 2021 at 2:33 PM Rowland penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> On 06/05/2021 13:14, Jeremy Monnet wrote:
>>>>> No, I didn't see that part?! I hope I can still authenticate users
>>>>> against an AD using sssd, and have Samba autonomously provide shares?
>>>>> I couldn't find any article or information on that subject.
>>>>
>>>> Up until Samba 4.8.0, the smbd daemon (which you need for shares)
>>>> could 'talk' directly to AD, so you could use sssd with Samba and
>>>> have shares. When Samba 4.8.0 was released, things changed: smbd can
>>>> no longer 'talk' to AD, and on a Unix domain member you need to use
>>>> 'security = ADS' and run winbind, and sssd and winbind are
>>>> incompatible. If you want to use Samba with shares, you need to
>>>> remove sssd.
>>>>
>>> So Red Hat does support that:
>>> https://access.redhat.com/solutions/3802321 (it is probably also
>>> behind a paywall, though I think you only need an account, not a
>>> paying one, never mind...)
>>> In short:
>>>
>>> realm join testlab.redhat.com -U Administrator --client-software=sssd --membership-software=samba
>>> and
>>>
>>> [global]
>>>      realm = TESTLAB.REDHAT.COM
>>>      workgroup = TESTLAB
>>>      security = ads
>>>      kerberos method = secrets and keytab
>>> [...]
>>>      idmap config * : backend = tdb
>>>      idmap config * : range = 10000-199999
>>>      idmap config TESTLAB : backend = sss
>>>      idmap config TESTLAB : range = 200000-2147483647
>>>
>>>
>>> I do not know whether it works by accident, but eventually I am
>>> authenticating via SSSD and offering Shares via smb at the same time.
>>> I will probably have to migrate that soon nevertheless... :-/
>>>
>>> Thanks for your insight,
>>>
>>> Jeremy
>>
>>
>> Yes, they might, but, as you say, you only get authentication, you do
>> not get shares. You cannot run sssd and winbind together without
>> expecting problems; they both contain their own versions of the
>> winbind libs.
>>
>> If you just want authentication, then run sssd without Samba, but if
>> you require shares, then run smbd with winbind without sssd.
>>
>> Rowland
>>
>>
>>
>>
> Would it be possible to combine the two, local/ssh authentication and
> being an smb fileserver?
> Some weeks ago we had a conversation about pam_winbind and logging on
> with an expired password. Then you pointed at this bug:
>
> https://bugzilla.samba.org/show_bug.cgi?id=14622
>
> Which would drive me to use sssd + pam_sss instead of winbind +
> pam_winbind
>
> Kees
>

That is still a valid bug. I wonder if using ssh with kerberos would
work (or not, as the case may be).

Rowland
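The thread above turns on two points about the quoted smb.conf fragment: an `idmap config DOMAIN : backend = sss` line means sssd is doing the ID mapping, which Rowland says cannot coexist with winbind on a share-serving domain member, and the per-domain idmap ranges must not overlap the `*` default range. The following is an added example, not code from the thread or from the Samba project: a small lint over an smb.conf `[global]` section that reports both conditions, plus a missing `security = ads`. The sample configuration embedded in it is constructed to mirror the fragment quoted above; the function names (`parse_global`, `idmap_ranges`, `check_config`) are this example's own.

```python
"""Added example: lint an smb.conf [global] section for the pitfalls
discussed in the thread. Not part of Samba; function names are this
example's own."""

import re
from typing import Dict, List, Tuple

# Constructed sample, mirroring the fragment quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
    realm = TESTLAB.REDHAT.COM
    workgroup = TESTLAB
    security = ads
    kerberos method = secrets and keytab
    idmap config * : backend = tdb
    idmap config * : range = 10000-199999
    idmap config TESTLAB : backend = sss
    idmap config TESTLAB : range = 200000-2147483647
"""


def parse_global(conf: str) -> Dict[str, str]:
    """Return key/value pairs from the [global] section.

    Keys are lower-cased, whitespace around ':' is removed and runs of
    spaces collapsed, so 'idmap config * : range' and
    'idmap config *:range' map to the same key (smb.conf is
    case-insensitive and tolerant of spacing)."""
    params: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", key.strip().lower())
        key = re.sub(r"\s+", " ", key)
        params[key] = value.strip()
    return params


def idmap_ranges(params: Dict[str, str]) -> List[Tuple[str, int, int]]:
    """Collect (domain, low, high) from every 'idmap config DOM:range'."""
    ranges = []
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            low, high = (int(x) for x in value.split("-", 1))
            ranges.append((m.group(1), low, high))
    return ranges


def check_config(conf: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    params = parse_global(conf)
    findings: List[str] = []

    # A share-serving domain member needs 'security = ads' (per the thread).
    if params.get("security", "").lower() != "ads":
        findings.append("security is not 'ads'; required on a domain member")

    # An 'sss' idmap backend means sssd is in the loop alongside winbind.
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+):backend", key)
        if m and value.lower() == "sss":
            findings.append(
                f"idmap backend 'sss' for domain '{m.group(1)}' relies on "
                "sssd, which the thread says cannot run alongside winbind"
            )

    # Overlapping ranges let two domains hand out the same Unix IDs.
    ranges = idmap_ranges(params)
    for i, (d1, l1, h1) in enumerate(ranges):
        for d2, l2, h2 in ranges[i + 1:]:
            if l1 <= h2 and l2 <= h1:
                findings.append(
                    f"idmap ranges overlap: {d1} {l1}-{h1} vs {d2} {l2}-{h2}"
                )
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_SMB_CONF):
        print("WARN:", finding)
```

Run against the sample, the checker flags only the `sss` backend; the ranges in the quoted fragment do not overlap. Feeding it a configuration with `idmap config TESTLAB : range = 150000-300000` adds an overlap finding against the `*` range.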