thr3ads.net - samba - [Samba] Fail kerberos method = secrets and keytab and net offlinejoin requestodj [Feb 2024]

If this information is useful, please help other people find it:
Share via:

Simon FONTENEAU

2024-Feb-19 11:21 UTC

[Samba] Fail kerberos method = secrets and keytab and net offlinejoin requestodj

Hello everyone,

For the context, I'm trying to add support for offline join in WAPT WADS 
OS deployment [1]. Currently WADS supports offline join of Windows 
computers, and I want to add support for Linux computer using SSSD as a 
authentication client (for the persons who might dismiss this mail 
because of a certain keywords, yes it is related to sssd, but it 
triggers a Samba bug). I also reuse the system keytab for wapt agent auth.

On samba 4.19, if you add the following lines in smb.conf file 
**BEFORE** running offlinejoin, net offlinejoin coredumps:

     kerberos method = secrets and keytab
     dedicated keytab file = FILE:/etc/krb5.keytab

With a minimal /etc/samba/smb.conf, net offlinejoin does works. Edit 
smb.conf :

     [global]
     workgroup = DOMAIN
     security = ADS
     realm = AD.DOMAIN.LAN

Then run offlinejoin :

     net offlinejoin requestodj  loadfile=/root/djoin.blob

To get the keytab file, you can then add the "kerberos method" and 
"dedicated keytab file" mentionned above **AFTER** offlinejoin, and
then
run :

     net ads keytab create

Now I have a system keytab /etc/krb5.keytab file for SSSD and WAPT.

I'll fill a bugzilla entry for this coredump.

Cheers,

Simon

PS: I know I can recreate a keytab from secrets.tdb, this mail was just 
a follow-up to my previous email and the coredump scenario.

PPS : I know a coredump is not proper error handling mechanism

PPPS : this is not a SSSD vs Winbind argument, just trying to make sssd 
works out of the box after silent automatic deployment


[1] https://www.wapt.fr/en/doc/


Le 17/02/2024 ? 02:42, Simon FONTENEAU via samba a ?crit :
 > Hello
 >
 > I don't know if this is normal behavior (does the djoin have the
spn?):
 >
 > When a have kerberos method in smb.conf :
 >
 > kerberos method = secrets and keytab
 >
 > Joining with offlinejoin does not work:
 >
 > root at testjoinlinux:/# net offlinejoin requestodj loadfile=/root/djoin
 > ============================================================== >
INTERNAL ERROR: Signal 11: Erreur de segmentation in net () () pid
3088 (4.19.4-Debian)
 > If you are running a recent Samba version, and if you think this 
problem is not yet fixed in the latest versions, please consider 
reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
 > ============================================================== > PANIC
(pid 3088): Signal 11: Erreur de segmentation in 4.19.4-Debian
 > BACKTRACE: 17 stack frames:
 >  #0 
/usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(log_stack_trace+0x2e) 
[0x7f11c70db5be]
 >  #1 
/usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(smb_panic+0x9) 
[0x7f11c70db859]
 >  #2 /usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(+0x28f1) 
[0x7f11c70db8f1]
 >  #3 /lib/x86_64-linux-gnu/libc.so.6(+0x3c050) [0x7f11c6bd4050]
 >  #4 
/usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_search+0x3) 
[0x7f11c7f03f63]
 >  #5 
/usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_find_machine_acct+0x130) 
[0x7f11c7f053a0]
 >  #6 
/usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_get_service_principal_names+0x45)
[0x7f11c7f069d5]
 >  #7 
/usr/lib/x86_64-linux-gnu/samba/libads-samba4.so.0(ads_keytab_create_default+0xdd)
[0x7f11c7f104cd]
 >  #8 /lib/x86_64-linux-gnu/libnetapi.so.1(libnet_Join+0x13c9) 
[0x7f11c805ae19]
 >  #9 
/lib/x86_64-linux-gnu/libnetapi.so.1(NetRequestOfflineDomainJoin_l+0x229) 
[0x7f11c8029059]
 >  #10 
/lib/x86_64-linux-gnu/libnetapi.so.1(NetRequestOfflineDomainJoin+0xdd) 
[0x7f11c8022c6d]
 >  #11 net(net_offlinejoin_requestodj+0xff) [0x562f957fcdff]
 >  #12 net(net_offlinejoin+0xa5) [0x562f957fd795]
 >  #13 net(main+0xaca) [0x562f957b4cda]
 >  #14 /lib/x86_64-linux-gnu/libc.so.6(+0x2724a) [0x7f11c6bbf24a]
 >  #15 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x85) 
[0x7f11c6bbf305]
 >  #16 net(_start+0x21) [0x562f957b4ef1]
 > Can not dump core: corepath not set up

Rowland Penny

2024-Feb-19 11:53 UTC

head link

[Samba] Fail kerberos method = secrets and keytab and net offlinejoin requestodj

On Mon, 19 Feb 2024 12:21:53 +0100
Simon FONTENEAU via samba <samba at lists.samba.org> wrote:
> Hello everyone,
> 
> For the context, I'm trying to add support for offline join in WAPT
> WADS OS deployment [1]. Currently WADS supports offline join of
> Windows computers, and I want to add support for Linux computer using
> SSSD as a authentication client (for the persons who might dismiss
> this mail because of a certain keywords, yes it is related to sssd,
> but it triggers a Samba bug). I also reuse the system keytab for wapt
> agent auth.
Why are you using sssd with Samba ?
In my opinion, you only need one, not both, yes they will both do
authentication, but if you require shares, then you need the Samba smbd
binary, which in turn requires winbindd and winbindd and sssd both do
the same thing and using sssd limits you to the 'sss' idmap backend.

I personally do not see the point in using sssd with Samba, it gains
you nothing, loses a lot and requires you to configure two conf files,
but, hey, it is your decision.
> 
> On samba 4.19, if you add the following lines in smb.conf file 
> **BEFORE** running offlinejoin, net offlinejoin coredumps:
> 
>      kerberos method = secrets and keytab
>      dedicated keytab file = FILE:/etc/krb5.keytab
> 
> With a minimal /etc/samba/smb.conf, net offlinejoin does works. Edit 
> smb.conf :
> 
>      [global]
>      workgroup = DOMAIN
>      security = ADS
>      realm = AD.DOMAIN.LAN
> 
> Then run offlinejoin :
> 
>      net offlinejoin requestodj  loadfile=/root/djoin.blob
> 
> To get the keytab file, you can then add the "kerberos method"
and
> "dedicated keytab file" mentionned above **AFTER** offlinejoin,
and
> then run :
> 
>      net ads keytab create
> 
> Now I have a system keytab /etc/krb5.keytab file for SSSD and WAPT.
> 
> I'll fill a bugzilla entry for this coredump.
Thank you.
> 
> Cheers,
> 
> Simon
> 
> PS: I know I can recreate a keytab from secrets.tdb, this mail was
> just a follow-up to my previous email and the coredump scenario.
> 
> PPS : I know a coredump is not proper error handling mechanism
> 
> PPPS : this is not a SSSD vs Winbind argument, just trying to make
> sssd works out of the box after silent automatic deployment
It sounds to me (who has never tried an offline join) that this is
something else that sssd cannot do by itself.

Rowland

Apparently Analagous Threads

Search for more reasonably related threads

samba - Feb 2024 - Fail kerberos method = secrets and keytab and net offlinejoin requestodj

[Samba] Fail kerberos method = secrets and keytab and net offlinejoin requestodj

[Samba] Fail kerberos method = secrets and keytab and net offlinejoin requestodj

Apparently Analagous Threads