Comment 14 for bug 1761737

Alexander Fieroch (fieroch) wrote :

> Ok, so to summarize:
> - sssd is providing user and groups from AD (via /etc/nsswitch.conf)
> - realmd was used to join the machine to AD for the above
> - local user authentication is done via pam_sss and using kerberos. Shell users get a ticket upon login
> - samba is not using winbind

That's right.

> I have a feeling samba is missing its account with the AD server.

The machine account on the AD server does exist.

> I don't know if the sssd join works for samba's "security = ADS", I have never tested that.

Up to 17.10 it is working using realm to join the client to the AD, and smb is working too.

> I always used net ads join. Is this how you configured the non-18.04 samba member servers? With just sssd, no "net ads join"?

Yes, all our clients and servers are not joined to AD by "net ads join". These are all joined by realm and use sssd.

> The crash also seems to indicate that the "secrets" bit of "secrets and keytab" is returning a null pointer to the code, so maybe samba isn't finding the secret.
> Do you have a populated /etc/krb5.keytab?

The local /etc/krb5.keytab is generated by realm when the AD machine account is created on the server.

> Can you try these commands:
> net ads testjoin -k

Join to domain is not valid: NT code 0xfffffff6

I also get this message on 17.10, where smb is not crashing.

> net ads status -k

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: m15015-vm-lin3
distinguishedName: CN=m15015-vm-lin3,OU=Linux-Clients,OU=Client Computer,OU=alle Computer,DC=mpi-dortmund,DC=mpg,DC=de
instanceType: 4
whenCreated: 20180412075138.0Z
whenChanged: 20180413071746.0Z
uSNCreated: 99733897
uSNChanged: 99802204
name: m15015-vm-lin3
objectGUID: cc30fbce-545d-4dfb-b28c-e973059857a0
userAccountControl: 69632
codePage: 0
countryCode: 0
lastLogon: 131680786856152060
localPolicyFlags: 0
pwdLastSet: 131679930989191696
primaryGroupID: 515
objectSid: S-1-5-21-3772173984-4185860275-536710523-2741741
accountExpires: 9223372036854775807
logonCount: 148
sAMAccountName: m15015-vm-lin3$
sAMAccountType: 805306369
operatingSystem: Ubuntu
operatingSystemVersion: 18.04
dNSHostName: m15015-vm-lin3
userPrincipalName: <email address hidden>
servicePrincipalName: host/m15015-vm-lin3
servicePrincipalName: host/
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=mpi-dortmund,DC=mpg,DC=de
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 131679931011068668
msDS-SupportedEncryptionTypes: 31