Simon FONTENEAU
2024-Feb-17  01:42 UTC
[Samba] Fail kerberos method = secrets and keytab and net offlinejoin requestodj
Hello

I don't know if this is normal behavior (does the djoin have the spn?):

When I have kerberos method in smb.conf :

     kerberos method = secrets and keytab

Joining with offlinejoin does not work:

     root@testjoinlinux:/# net offlinejoin requestodj loadfile=/root/djoin
     ==============================================================
     INTERNAL ERROR: Signal 11: Erreur de segmentation in net () () pid 3088 (4.19.4-Debian)
     If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
     ==============================================================
     PANIC (pid 3088): Signal 11: Erreur de segmentation in 4.19.4-Debian
     BACKTRACE: 17 stack frames:
      #0 /usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(log_stack_trace+0x2e) [0x7f11c70db5be]
      #1 /usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(smb_panic+0x9) [0x7f11c70db859]
      #2 /usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(+0x28f1) [0x7f11c70db8f1]
      #3 /lib/x86_64-linux-gnu/libc.so.6(+0x3c050) [0x7f11c6bd4050]
      #4 /usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_search+0x3) [0x7f11c7f03f63]
      #5 /usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_find_machine_acct+0x130) [0x7f11c7f053a0]
      #6 /usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_get_service_principal_names+0x45) [0x7f11c7f069d5]
      #7 /usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_keytab_create_default+0xdd) [0x7f11c7f104cd]
      #8 /lib/x86_64-linux-gnu/libnetapi.so.1(libnet_Join+0x13c9) [0x7f11c805ae19]
      #9 /lib/x86_64-linux-gnu/libnetapi.so.1(NetRequestOfflineDomainJoin_l+0x229) [0x7f11c8029059]
      #10 /lib/x86_64-linux-gnu/libnetapi.so.1(NetRequestOfflineDomainJoin+0xdd) [0x7f11c8022c6d]
      #11 net(net_offlinejoin_requestodj+0xff) [0x562f957fcdff]
      #12 net(net_offlinejoin+0xa5) [0x562f957fd795]
      #13 net(main+0xaca) [0x562f957b4cda]
      #14 /lib/x86_64-linux-gnu/libc.so.6(+0x2724a) [0x7f11c6bbf24a]
      #15 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x85) [0x7f11c6bbf305]
      #16 net(_start+0x21) [0x562f957b4ef1]
     Can not dump core: corepath not set up
Rowland Penny
2024-Feb-17  09:28 UTC
[Samba] Fail kerberos method = secrets and keytab and net offlinejoin requestodj
On Sat, 17 Feb 2024 02:42:27 +0100 Simon FONTENEAU via samba <samba at lists.samba.org> wrote:

> Hello
>
> I don't know if this is normal behavior (does the djoin have the
> spn?):

No idea, never used offline join.

> When I have kerberos method in smb.conf :
>
> kerberos method = secrets and keytab
>
> Joining with offlinejoin does not work:
>
> root@testjoinlinux:/# net offlinejoin requestodj loadfile=/root/djoin
> ==============================================================
> INTERNAL ERROR: Signal 11: Erreur de segmentation in net () () pid
> 3088 (4.19.4-Debian)
> If you are running a recent Samba version, and if you think this
> problem is not yet fixed in the latest versions, please consider
> reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting

First Samba should never segfault, so please follow the link above.

Next, what do you have in /root/djoin ?

Where are you running this command, it is, as far as I can see, supposed to be run on a different machine to the one you are trying to offline join.

The problem, at least partially, appears to be a lack of documentation on this feature. It was introduced at 4.15.0 and if you read the relevant release notes, you will find this:

     Support for Offline Domain Join (ODJ)

     The net utility is now able to support the offline domain join feature as known from the Windows djoin.exe command for many years. Samba's implementation is accessible via the 'net offlinejoin' subcommand. It can provision computers and request offline joining for both Windows and Unix machines. It is also possible to provision computers from Windows (using djoin.exe) and use the generated data in Samba's 'net' utility. The existing options for the provisioning and joining steps are documented in the net(8) manpage.

So you do what it says and read the net manpage, where you will find this:

     OFFLINEJOIN

     Starting with version 4.15 Samba has support for offline join APIs. Windows supports offline join capabilities since Windows 7 and Windows 2008 R2.

     The following offline commands are implemented:

     net offlinejoin provision - Provisions a machine account in AD.
     net offlinejoin requestodj - Requests a domain offline join.

     OFFLINEJOIN REQUESTODJ loadfile=FILENAME

     Requests an offline domain join by providing file-based provisioning data.

     This command supports the following additional parameters:

     • LOADFILE is a required parameter to load the provisioning from a file.

     Example: net offlinejoin requestodj -U administrator%secret loadfile=provisioning.txt

Absolutely no information just what data is required in the 'loadfile'

Perhaps the person that added this feature might like to comment ?

Rowland
Simon FONTENEAU
2024-Feb-19  11:21 UTC
[Samba] Fail kerberos method = secrets and keytab and net offlinejoin requestodj
Hello everyone,

For the context, I'm trying to add support for offline join in WAPT WADS
OS deployment [1]. Currently WADS supports offline join of Windows
computers, and I want to add support for Linux computers using SSSD as an
authentication client (for the persons who might dismiss this mail
because of certain keywords, yes it is related to sssd, but it
triggers a Samba bug). I also reuse the system keytab for wapt agent auth.

On samba 4.19, if you add the following lines in smb.conf file
**BEFORE** running offlinejoin, net offlinejoin coredumps:

     kerberos method = secrets and keytab
     dedicated keytab file = FILE:/etc/krb5.keytab

With a minimal /etc/samba/smb.conf, net offlinejoin does work. Edit
smb.conf :

     [global]
     workgroup = DOMAIN
     security = ADS
     realm = AD.DOMAIN.LAN

Then run offlinejoin :

     net offlinejoin requestodj  loadfile=/root/djoin.blob

To get the keytab file, you can then add the "kerberos method" and
"dedicated keytab file" mentioned above **AFTER** offlinejoin, and
then run :

     net ads keytab create

Now I have a system keytab /etc/krb5.keytab file for SSSD and WAPT.

I'll file a bugzilla entry for this coredump.

Cheers,

Simon

PS: I know I can recreate a keytab from secrets.tdb, this mail was just
a follow-up to my previous email and the coredump scenario.

PPS : I know a coredump is not a proper error handling mechanism

PPPS : this is not a SSSD vs Winbind argument, just trying to make sssd
work out of the box after silent automatic deployment

[1] https://www.wapt.fr/en/doc/
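The ordering described in the message above (join with a minimal smb.conf, add the keytab settings only afterwards) can be enforced with a pre-flight check before an unattended join. This is an added example, not code from the thread or from Samba; the function names `kerberos_method`, `odj_preflight`, `odj_join` and `sample_conf` are hypothetical, and the parser assumes a plain `[global]` section without `include` lines.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to run requestodj while
# smb.conf still selects a keytab-writing "kerberos method".

# Print the "kerberos method" set in [global] of an smb.conf-style file,
# or "unset". Limitations: "include" lines and backslash continuations
# are not followed.
kerberos_method() {
    awk '
        BEGIN { in_global = 1 }        # lines before any section: treated as global (conservative)
        /^[ \t]*[#;]/ { next }         # comment lines
        /^[ \t]*\[/ {                  # section header, case-insensitive
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (index(s, "[global]") == 1)
            next
        }
        in_global && index($0, "=") {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", name)    # whitespace inside parameter names is irrelevant
            if (name == "kerberosmethod") {
                val = tolower(substr($0, index($0, "=") + 1))
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                found = val            # last assignment wins
            }
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Exit status 0 when the file does not select a keytab method.
odj_preflight() {
    method=$(kerberos_method "$1") || return 2
    case "$method" in
        *keytab*)
            echo "refusing: kerberos method = $method in $1; set it after the join" >&2
            return 1 ;;
    esac
    return 0
}

# Hypothetical wrapper: the join command from the thread, gated on the check.
odj_join() {   # usage: odj_join /etc/samba/smb.conf /root/djoin.blob
    odj_preflight "$1" || return 1
    net --configfile="$1" offlinejoin requestodj loadfile="$2" || return 1
    echo "joined; now add the keytab settings to $1 and run: net ads keytab create"
}

# Constructed sample config for trying the check without touching /etc/samba.
sample_conf() { printf '[global]\n  workgroup = DOMAIN\n  Kerberos Method = %s\n' "$1"; }
```

For example, `sample_conf "secrets and keytab" > /tmp/t.conf; odj_preflight /tmp/t.conf` exits non-zero, so a deployment script stops with a readable message instead of reaching the segfault.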