> a) Samba as a standalone server, but using kerberos for authentication. The users will exist "locally" via sssd, and samba will be just like any other kerberized service authenticating the users via the kdc. For that it will need an appropriate service key in /etc/krb5.keytab. I think realm (the tool) only extracts host/* keys, not cifs/* keys, and samba might want cifs/* ones.

yes, the krb5.keytab created by realm does not contain cifs/* and contains

# klist -e -k /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 m15015-vm-lin3$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96) 
   2 m15015-vm-lin3$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96) 
   2 m15015-vm-lin3$@MPI-DORTMUND.MPG.DE (des3-cbc-sha1) 
   2 m15015-vm-lin3$@MPI-DORTMUND.MPG.DE (arcfour-hmac) 
   2 m15015-vm-lin3$@MPI-DORTMUND.MPG.DE (des-cbc-md5) 
   2 m15015-vm-lin3$@MPI-DORTMUND.MPG.DE (des-cbc-crc) 
   2 <email address hidden> (aes256-cts-hmac-sha1-96) 
   2 <email address hidden> (aes128-cts-hmac-sha1-96) 
   2 <email address hidden> (des3-cbc-sha1) 
   2 <email address hidden> (arcfour-hmac) 
   2 <email address hidden> (des-cbc-md5) 
   2 <email address hidden> (des-cbc-crc) 
   2 <email address hidden> (aes256-cts-hmac-sha1-96) 
   2 <email address hidden> (aes128-cts-hmac-sha1-96) 
   2 <email address hidden> (des3-cbc-sha1) 
   2 <email address hidden> (arcfour-hmac) 
   2 <email address hidden> (des-cbc-md5) 
   2 <email address hidden> (des-cbc-crc) 

But in previous samba version there was no cifs/* in keytab and smb didn't crash on access. So is it really necessary?


> Note that the realm tool does not change smb.conf as far as I can see, that's why you still had "security = user" or "server role = stanalone server" in your smb.conf before. That might be a hint.

Hm, I'm sure it did change the smb.conf previously (maybe this changed recently?). That's why I had "security = user" instead of "security = ADS" in my smb.conf. But now I cannot see any changes in smb.conf too after joining to AD with realm.

So you mean in a) I should try his, right?  
  security = auto
  server role = standalone server
  kerberos method = secrets and keytab

smbd crashes here.
What is the best way to add the correct cifs/* in /etc/krb5.keytab?


> SSSD by default likes "<email address hidden>", and samba might expect just "username", or "username@WORKGROUP"

Ok, what is the recommended configuration in sssd.conf and smb.conf?


> b)

So you mean in b) I should try his, right?
  security = auto
  kerberos method = secrets and keytab
  server role = member server
afterwards "net ads join" gives me:

# net ads join -U ntfieroch
Enter ntfieroch's password:
Using short domain name -- MPI-DORTMUND
Joined 'M15015-VM-LIN3' to dns domain 'mpi-dortmund.mpg.de'
DNS Update for m15015-vm-lin3.client.mpi-dortmund.mpg.de failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

That works! But shouldn't run the tool realm for joining to AD without net?


> My hypothesis is that there was a change in 4.7.x and that when the secrets are not found, it crashes. Definitely a bug, but we might be in an unsupported configuration. I have yet to hear from upstream in their bug.

Ok, what is the recommended setting for "security" and "server role" if the client is a domain member and joined by the tool "realm" and not "net"?