Christian, Mark
2021-Feb-05 22:48 UTC
[Samba] should lack of secrets.tdb prevent smbd from starting?
I don't require a correctly configured secrets

I use samba 4.10.5 to provide access to file shares over cifs/smb. I have non-samba processes to manage host keytabs and user/group mappings. My smb.conf "security = ads" configuration seems to work as intended, but only if I ensure a "generic" secrets.tdb file exists, otherwise smbd will refuse to start. By "generic" I mean the secrets.tdb which is shared amongst my nodes has either no or incorrect data for keys found in this tdb.

My assumption is that as long as the AD computer object associated with the samba cifs SPN doesn't have its password changed, my samba service will continue to work. Am I mistaken? Since I manage the samba computer object and keytab outside of net ads, why do I need secrets.tdb, and must lack of this file prevent smbd from running?

Mark
Andrew Bartlett
2021-Feb-09 04:50 UTC
[Samba] should lack of secrets.tdb prevent smbd from starting?
On Fri, 2021-02-05 at 22:48 +0000, Christian, Mark via samba wrote:
> I don't require a correctly configured secrets

I'm sorry, but Samba does. You mention you are in an AD domain, so we need winbindd running and so a secret in secrets.tdb to connect to the domain with.

If you really must insist on pretending that you are not in an AD domain, then use security=user, but I warn you that if we obtain a PAC in that situation things could get really ugly fast, so you will want to disable that.

You are in a niche within a niche, and while it might work, and might have worked, please just join all other Samba users and have Samba join the domain in the typical fashion.

Your situation is totally untested and as we say: untested code is broken code.

Thanks,

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba