Comment 19 for bug 1761737

Andreas Hasenack (ahasenack) wrote :

(sorry if I'm telling you something you already know: the text below is also for my own benefit and thought process)

Joining a domain means basically creating a computer account in the AD. That is what allows the computer to query the domain for information like usernames, uid numbers, and even authenticate users.

sssd can do that, for its own benefit. It installs a pam module, a nss module, configures files accordingly, and you get a machine where users can login to the linux system and be treated almost like local users, as if they were in /etc/{passwd,shadow}. sssd can largely do that because of kerberos.

Samba can also join a domain, of course, and it stores the credentials for that locally somewhere. I believe that's ultimately what the "kerberos method" setting controls: if it's in the secrets.tdb database, or in a normal kerberos keytab. I believe when you use "net ads join", it uses secrets.tdb. You can check the /etc/krb5.keytab to see if it changed after you ran "net ads join".

Now, the question is how to take advantage of the already running sssd (for your linux users to login on the box via ssh, login, gdm, etc) for samba. As we know, for samba to authenticate and recognize a windows user, that user also needs to appear as a linux user, as if it existed in /etc/passwd. That's one of the functions of winbind, or nss_ldap, or even sssd. But samba also needs to contact the kerberos server (AD in this case) to authenticate the user and obtain a TGT, and for that it needs to have its own account. An account that sssd created, not "net ads join" in your case. Samba should be able to use the system keytab (that's /etc/krb5.keytab), where apparently sssd did all the work for us, but we are seeing segfaults in our way when messing with that parameter.

In the release notes for samba 4.8.0, for example, they state that having winbind is required for domain membership, because the rpc calls were delegated to it (https://github.com/samba-team/samba/blob/v4-8-stable/WHATSNEW.txt#L24). In 4.7.x that doesn't seem to be the case yet, but maybe they were on that path already.

You have evidence that in previous ubuntu releases it is possible: using only sssd, and having samba authenticate domain users. I don't know if by design, or by accident. Or maybe you are using just a subset of all the possible rpc calls and it works.

I have documentation that says "net ads join" is necessary for this to work (it's in the smb.conf manpage). It doesn't elaborate if winbind is needed, though. Above when you said "it works" after trying "net ads join", did you mean just the join, or that samba started to authenticate domain users normally?

Bottom line is, I don't know if you can use sssd for samba, or if you need both sssd and winbind. I would have to experiment with it. The segfault is a bug, and shouldn't happen even with invalid configurations, so that has to be fixed. But it might be unrelated to the big question.

What I suggest:
- try the net ads join way. It's what the samba documentation recommends
- check if "net ads join" creates another entry in the keytab file
- subscribe to https://lists.samba.org/mailman/listinfo/samba and post this question of sssd+samba there, mentioning the bug about the segfault perhaps (https://bugzilla.samba.org/show_bug.cgi?id=13376)

I will try to find some time this week to validate the domain join scenarios, at least with samba tools (net ads join, winbind, etc).

For this bug here, I think the focus should be in the segfault.