Simon FONTENEAU
2024-Feb-19 11:21 UTC
[Samba] Fail kerberos method = secrets and keytab and net offlinejoin requestodj
Hello everyone,
For the context, I'm trying to add support for offline join in WAPT WADS
OS deployment [1]. Currently WADS supports offline join of Windows
computers, and I want to add support for Linux computer using SSSD as a
authentication client (for the persons who might dismiss this mail
because of a certain keywords, yes it is related to sssd, but it
triggers a Samba bug). I also reuse the system keytab for wapt agent auth.
On samba 4.19, if you add the following lines in smb.conf file
**BEFORE** running offlinejoin, net offlinejoin coredumps:
kerberos method = secrets and keytab
dedicated keytab file = FILE:/etc/krb5.keytab
With a minimal /etc/samba/smb.conf, net offlinejoin does works. Edit
smb.conf :
[global]
workgroup = DOMAIN
security = ADS
realm = AD.DOMAIN.LAN
Then run offlinejoin :
net offlinejoin requestodj loadfile=/root/djoin.blob
To get the keytab file, you can then add the "kerberos method" and
"dedicated keytab file" mentionned above **AFTER** offlinejoin, and
then
run :
net ads keytab create
Now I have a system keytab /etc/krb5.keytab file for SSSD and WAPT.
I'll fill a bugzilla entry for this coredump.
Cheers,
Simon
PS: I know I can recreate a keytab from secrets.tdb, this mail was just
a follow-up to my previous email and the coredump scenario.
PPS : I know a coredump is not proper error handling mechanism
PPPS : this is not a SSSD vs Winbind argument, just trying to make sssd
works out of the box after silent automatic deployment
[1] https://www.wapt.fr/en/doc/
Le 17/02/2024 ? 02:42, Simon FONTENEAU via samba a ?crit :
> Hello
>
> I don't know if this is normal behavior (does the djoin have the
spn?):
>
> When a have kerberos method in smb.conf :
>
> kerberos method = secrets and keytab
>
> Joining with offlinejoin does not work:
>
> root at testjoinlinux:/# net offlinejoin requestodj loadfile=/root/djoin
> ============================================================== >
INTERNAL ERROR: Signal 11: Erreur de segmentation in net () () pid
3088 (4.19.4-Debian)
> If you are running a recent Samba version, and if you think this
problem is not yet fixed in the latest versions, please consider
reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
> ============================================================== > PANIC
(pid 3088): Signal 11: Erreur de segmentation in 4.19.4-Debian
> BACKTRACE: 17 stack frames:
> #0
/usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(log_stack_trace+0x2e)
[0x7f11c70db5be]
> #1
/usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(smb_panic+0x9)
[0x7f11c70db859]
> #2 /usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(+0x28f1)
[0x7f11c70db8f1]
> #3 /lib/x86_64-linux-gnu/libc.so.6(+0x3c050) [0x7f11c6bd4050]
> #4
/usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_search+0x3)
[0x7f11c7f03f63]
> #5
/usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_find_machine_acct+0x130)
[0x7f11c7f053a0]
> #6
/usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_get_service_principal_names+0x45)
[0x7f11c7f069d5]
> #7
/usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_keytab_create_default+0xdd)
[0x7f11c7f104cd]
> #8 /lib/x86_64-linux-gnu/libnetapi.so.1(libnet_Join+0x13c9)
[0x7f11c805ae19]
> #9
/lib/x86_64-linux-gnu/libnetapi.so.1(NetRequestOfflineDomainJoin_l+0x229)
[0x7f11c8029059]
> #10
/lib/x86_64-linux-gnu/libnetapi.so.1(NetRequestOfflineDomainJoin+0xdd)
[0x7f11c8022c6d]
> #11 net(net_offlinejoin_requestodj+0xff) [0x562f957fcdff]
> #12 net(net_offlinejoin+0xa5) [0x562f957fd795]
> #13 net(main+0xaca) [0x562f957b4cda]
> #14 /lib/x86_64-linux-gnu/libc.so.6(+0x2724a) [0x7f11c6bbf24a]
> #15 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x85)
[0x7f11c6bbf305]
> #16 net(_start+0x21) [0x562f957b4ef1]
> Can not dump core: corepath not set up
Rowland Penny
2024-Feb-19 11:53 UTC
[Samba] Fail kerberos method = secrets and keytab and net offlinejoin requestodj
On Mon, 19 Feb 2024 12:21:53 +0100 Simon FONTENEAU via samba <samba at lists.samba.org> wrote:> Hello everyone, > > For the context, I'm trying to add support for offline join in WAPT > WADS OS deployment [1]. Currently WADS supports offline join of > Windows computers, and I want to add support for Linux computer using > SSSD as a authentication client (for the persons who might dismiss > this mail because of a certain keywords, yes it is related to sssd, > but it triggers a Samba bug). I also reuse the system keytab for wapt > agent auth.Why are you using sssd with Samba ? In my opinion, you only need one, not both, yes they will both do authentication, but if you require shares, then you need the Samba smbd binary, which in turn requires winbindd and winbindd and sssd both do the same thing and using sssd limits you to the 'sss' idmap backend. I personally do not see the point in using sssd with Samba, it gains you nothing, loses a lot and requires you to configure two conf files, but, hey, it is your decision.> > On samba 4.19, if you add the following lines in smb.conf file > **BEFORE** running offlinejoin, net offlinejoin coredumps: > > kerberos method = secrets and keytab > dedicated keytab file = FILE:/etc/krb5.keytab > > With a minimal /etc/samba/smb.conf, net offlinejoin does works. Edit > smb.conf : > > [global] > workgroup = DOMAIN > security = ADS > realm = AD.DOMAIN.LAN > > Then run offlinejoin : > > net offlinejoin requestodj loadfile=/root/djoin.blob > > To get the keytab file, you can then add the "kerberos method" and > "dedicated keytab file" mentionned above **AFTER** offlinejoin, and > then run : > > net ads keytab create > > Now I have a system keytab /etc/krb5.keytab file for SSSD and WAPT. > > I'll fill a bugzilla entry for this coredump.Thank you.> > Cheers, > > Simon > > PS: I know I can recreate a keytab from secrets.tdb, this mail was > just a follow-up to my previous email and the coredump scenario. > > PPS : I know a coredump is not proper error handling mechanism > > PPPS : this is not a SSSD vs Winbind argument, just trying to make > sssd works out of the box after silent automatic deploymentIt sounds to me (who has never tried an offline join) that this is something else that sssd cannot do by itself. Rowland
Reasonably Related Threads
- Fail kerberos method = secrets and keytab and net offlinejoin requestodj
- Fail kerberos method = secrets and keytab and net offlinejoin requestodj
- [Announce] Samba 4.17.4, 4.16.8 and 4.15.13 Security Releases are available for Download
- [Announce] Samba 4.17.4, 4.16.8 and 4.15.13 Security Releases are available for Download
- How to automatically store the macAddress in AD