Active Directory SSSD keytab generation before starting sssd

Bug #1586967 reported by Christian Schmitt
This bug affects 7 people
Affects: Ubuntu Server Guide
Status: Confirmed
Importance: Undecided
Assigned to: Andreas Hasenack

Bug Description

Actually, this is about configuring SSSD on Ubuntu (https://help.ubuntu.com/lts/serverguide/sssd-ad.html).

The steps sudo kinit Administrator and net ads join -k need to be done before starting sssd.

summary: - Active Directory SSSD missing keytab generation
+ Active Directory SSSD keytab generation before starting sssd
description: updated
Revision history for this message
Etienne Ringuet (eringuet) wrote :

I came to report same.
The guide states:

sudo systemctl restart ntp.service
sudo systemctl restart smbd.service nmbd.service
sudo systemctl start sssd.service

but

sssd.service depends on the keytab file which is not present until the machine is joined to AD. A user will see this error message:

Jun 17 11:02:17 hostname sssd[be[24166]: Failed to read keytab [default]: No such file or directory
Jun 17 11:02:17 hostname sssd[24158]: Exiting the SSSD. Could not restart critical service [example.com].

The documentation should be:

sudo systemctl restart ntp.service
sudo systemctl restart smbd.service nmbd.service
sudo kinit Administrator
sudo net ads join -k
sudo systemctl start sssd.service

Changed in serverguide:
status: New → Confirmed
Revision history for this message
Dan Delaney (dan-launchpad) wrote :

As of the writing of this comment this page in the Server Guide still has not been corrected. It is incorrect in both the 14.04 LTS and 16.04 LTS Server Guides.
Please change the sssd-ad.html page to read as follows:

—————————————————————————--
Join the Active Directory

Now, restart ntp and samba:

sudo systemctl restart ntp
sudo systemctl restart smbd nmbd

Test the configuration by obtaining a Kerberos ticket:

sudo kinit Administrator

Verify the ticket with:

sudo klist

If there is a ticket with an expiration date listed, then it is time to join the domain:

sudo net ads join -k

Finally, start sssd:

sudo systemctl start sssd
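The corrected ordering that the two comments above ask the guide to document (kinit, then net ads join -k, then start sssd), as an added example that is not from the Server Guide or from any commenter: a POSIX sh pre-flight wrapper that will not start sssd while the host keytab is absent, plus a check that recognises the "Failed to read keytab" journal line quoted earlier. The script name, the DRY_RUN knob and the assumption that the keytab written by net ads join and read by sssd is /etc/krb5.keytab (sssd's default) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Server Guide or this bug report): pre-flight
# wrapper that performs the AD join before starting sssd and refuses to
# start sssd while the host keytab is absent. Assumptions: the keytab that
# `net ads join -k` writes and sssd reads is /etc/krb5.keytab (sssd's
# default); DRY_RUN=1 prints the privileged commands instead of running them.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute a command via sudo, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'sudo %s\n' "$*"
    else
        sudo "$@"
    fi
}

# keytab_ready PATH: returns 0 if PATH exists, is non-empty and is not
# readable by group/other; 1 if missing or empty; 2 if the mode is too open
# (the keytab holds the host's long-term Kerberos keys).
keytab_ready() {
    kt="$1"
    [ -s "$kt" ] || return 1
    perms=$(ls -ld "$kt" | cut -c5-10)
    [ "$perms" = "------" ] || return 2
    return 0
}

# sssd_keytab_error: reads journal/syslog text on stdin and returns 0 when
# it contains the "Failed to read keytab" line quoted in this bug, i.e. sssd
# was started before the domain join created the keytab.
sssd_keytab_error() {
    grep -q 'sssd.*Failed to read keytab'
}

# join_and_start: the sequence the comments ask the guide to document, with
# the keytab check inserted between the join and the sssd start.
join_and_start() {
    run systemctl restart ntp.service
    run systemctl restart smbd.service nmbd.service
    if keytab_ready "$KEYTAB"; then
        echo "keytab $KEYTAB already present, skipping domain join" >&2
    elif [ -s "$KEYTAB" ]; then
        echo "keytab $KEYTAB is readable by group/other; fix its mode before starting sssd" >&2
        return 1
    else
        run kinit Administrator
        run net ads join -k
        # Only a real join can create the keytab; after a dry run there is
        # nothing to verify, so the check is skipped there.
        if [ "$DRY_RUN" != 1 ] && ! keytab_ready "$KEYTAB"; then
            echo "keytab $KEYTAB still missing or too permissive; not starting sssd" >&2
            return 1
        fi
    fi
    run systemctl start sssd.service
}

# Usage: DRY_RUN=1 sh prepare-sssd.sh run   (review the commands), then
#        sh prepare-sssd.sh run              (apply them)
if [ "${1:-}" = run ]; then
    join_and_start
fi
```

Running it with DRY_RUN=1 first shows the exact command order without touching the host; without DRY_RUN it performs the join and only then starts sssd, so the "Exiting the SSSD. Could not restart critical service" failure from a premature start cannot occur.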

Revision history for this message
Jason Heeris (detly) wrote :

There seems to be a bit of a chicken-and-egg problem here. smbd won't start with

[2019/12/05 10:22:51.398269, 0] ../../source3/auth/auth_util.c:1385(make_new_session_in
  create_local_token failed: NT_STATUS_NO_MEMORY
[2019/12/05 10:22:51.398532, 0] ../../source3/smbd/server.c:2047(main)
  ERROR: failed to setup guest info.

This could be related to recent samba versions removing some sort of fallback? See e.g. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899269#40

I have also had issues from testparm relating to idmap configuration (see next message in link above).

Changed in serverguide:
assignee: nobody → Andreas Hasenack (ahasenack)
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I basically rewrote the sssd page and this is the updated content: https://discourse.ubuntu.com/t/service-sssd/11579

The part about joining a samba host to an AD domain I haven't gotten to yet.
