> Ok, so to summarize:
> - sssd is providing user and groups from AD (via /etc/nsswitch.conf)
> - realmd was used to join the machine to AD for the above
> - local user authentication is done via pam_sss and using kerberos. Shell users get a ticket upon login
> - samba is not using winbind
that's right
> I have a feeling samba is missing its account with the AD server.
The machine account on the AD server does exist.
> I don't know if the sssd join works for samba's "security = ADS", I have never tested that.
Up to 17.10 it is working using realm to join the client to the AD and smb is working too.
> I always used net ads join. Is this how you configured the non-18.04 samba member servers? With just sssd, no "net ads join"?
Yes, all our clients and servers are not joined to AD by "net ads join". These are all joined by realm and use sssd.
> The crash also seems to indicate that the "secrets" bit of "secrets and keytab" is returning a null pointer to the code, so maybe samba isn't finding the secret.
> Do you have a populated /etc/krb5.keytab?
local /etc/krb5.keytab is generated by realm when AD machine account is created on the server.
> Can you try these commands:
> net ads testjoin -k
Join to domain is not valid: NT code 0xfffffff6
I also get this message on 17.10, where smb is not crashing.
> net ads status -k
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: m15015-vm-lin3
distinguishedName: CN=m15015-vm-lin3,OU=Linux-Clients,OU=Client Computer,OU=alle Computer,DC=mpi-dortmund,DC=mpg,DC=de
instanceType: 4
whenCreated: 20180412075138.0Z
whenChanged: 20180413071746.0Z
uSNCreated: 99733897
uSNChanged: 99802204
name: m15015-vm-lin3
objectGUID: cc30fbce-545d-4dfb-b28c-e973059857a0
userAccountControl: 69632
codePage: 0
countryCode: 0
lastLogon: 131680786856152060
localPolicyFlags: 0
pwdLastSet: 131679930989191696
primaryGroupID: 515
objectSid: S-1-5-21-3772173984-4185860275-536710523-2741741
accountExpires: 9223372036854775807
logonCount: 148
sAMAccountName: m15015-vm-lin3$
sAMAccountType: 805306369
operatingSystem: Ubuntu
operatingSystemVersion: 18.04
dNSHostName: m15015-vm-lin3
userPrincipalName: <email address hidden>
servicePrincipalName: host/m15015-vm-lin3
servicePrincipalName: host/m15015-vm-lin3.client.mpi-dortmund.mpg.de
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=mpi-dortmund,DC=mpg,DC=de
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 131679931011068668
msDS-SupportedEncryptionTypes: 31
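The `net ads status -k` dump above is the thing to read before arguing about whether the join is valid: the userAccountControl and msDS-SupportedEncryptionTypes attributes are bit fields and the pwdLastSet/lastLogon values are Windows FILETIMEs, none of which are readable as printed. The following is an added example, not code from the bug report or from Samba or sssd. It parses the attribute lines, decodes the two bit fields using the flag names from the Microsoft AD documentation, converts the FILETIMEs, and reports what an admin checks on a realm/sssd-joined member server: that the object really is a workstation trust account, that it is not disabled, how old the machine password is (the 30-day threshold is an assumption), and whether legacy DES enctypes are still advertised. The sample record is copied from the thread's own output.

```python
"""Decode a 'net ads status' machine-account dump (added example, not Samba code)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Attribute lines copied from the 'net ads status -k' output quoted in the thread.
SAMPLE_STATUS = """\
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: m15015-vm-lin3
userAccountControl: 69632
pwdLastSet: 131679930989191696
lastLogon: 131680786856152060
sAMAccountName: m15015-vm-lin3$
servicePrincipalName: host/m15015-vm-lin3
servicePrincipalName: host/m15015-vm-lin3.client.mpi-dortmund.mpg.de
msDS-SupportedEncryptionTypes: 31
"""

# userAccountControl bits (subset) as documented for Active Directory.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}

# msDS-SupportedEncryptionTypes bits as documented for Active Directory.
ENC_TYPES = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

# Windows FILETIME counts 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_status(text):
    """Turn 'attr: value' lines into {attr: [values]}; multi-valued attrs keep their order."""
    record = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank line or a wrapped fragment without an attribute name
        attr, _, value = line.partition(":")
        record[attr.strip()].append(value.strip())
    return dict(record)


def decode_bits(value, table):
    """Return the names of the set bits of an integer bit field, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if int(value) & bit]


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer (as AD prints it) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def check_machine_account(record, now, max_password_age_days=30):
    """Return findings an admin would want to see before trusting this join.

    The 30-day password-age threshold is an assumed policy value, not an AD default.
    """
    findings = []
    uac = decode_bits(record["userAccountControl"][0], UAC_FLAGS)
    if "WORKSTATION_TRUST_ACCOUNT" not in uac and "SERVER_TRUST_ACCOUNT" not in uac:
        findings.append("not a trust (machine) account")
    if "ACCOUNTDISABLE" in uac:
        findings.append("machine account is disabled")
    if not record["sAMAccountName"][0].endswith("$"):
        findings.append("sAMAccountName lacks the machine-account '$' suffix")
    pwd_age = now - filetime_to_datetime(record["pwdLastSet"][0])
    if pwd_age > timedelta(days=max_password_age_days):
        findings.append("machine password is %d days old" % pwd_age.days)
    enc = decode_bits(record["msDS-SupportedEncryptionTypes"][0], ENC_TYPES)
    if any(name.startswith("DES_") for name in enc):
        findings.append("legacy DES enctypes still advertised: " + ", ".join(enc))
    return findings


if __name__ == "__main__":
    rec = parse_status(SAMPLE_STATUS)
    print("userAccountControl:", decode_bits(rec["userAccountControl"][0], UAC_FLAGS))
    print("pwdLastSet:", filetime_to_datetime(rec["pwdLastSet"][0]).isoformat())
    for finding in check_machine_account(rec, datetime.now(timezone.utc)):
        print("finding:", finding)
```

Run against the thread's record, the decoder shows a WORKSTATION_TRUST_ACCOUNT with DONT_EXPIRE_PASSWORD set, a pwdLastSet of 2018-04-12 07:51:38 UTC (matching whenCreated, i.e. the password has not rotated since the realm join), and an enctype mask of 31, which still advertises both DES types alongside RC4 and AES; on a current domain that is a cleanup item rather than the cause of the crash, since the keytab written by realm decides which enctypes the host actually holds keys for.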