Comment 26 for bug 1761737

Andreas Hasenack (ahasenack) wrote :

After a lot of experimentation, I got my samba server, with "security = ads" but no winbind and no "net ads join" command, to authenticate an AD user using kerberos.

What nailed it was to use setspn on the windows side to add cifs/<hostname> to the computer account, like this (for a "bionic-sssd" computer account):

setspn -S cifs/bionic-sssd bionic-sssd

After that, this worked:
<email address hidden>@bionic-sssd:~$ smbclient //bionic-sssd/myshare -k
WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> dir
  . D 0 Wed Apr 18 20:29:20 2018
  .. D 0 Wed Apr 18 20:50:25 2018
  hello.txt N 13 Wed Apr 18 20:29:20 2018

  7950756 blocks of size 1024. 6300604 blocks available
smb: \> <email address hidden>@bionic-sssd:~$ klist
Ticket cache: FILE:/tmp/krb5cc_45001119_1zpGGU
Default principal: <email address hidden>

Valid starting Expires Service principal
04/18/18 20:51:05 04/19/18 06:51:05 <email address hidden>
 renew until 04/19/18 20:51:05
04/18/18 20:51:49 04/19/18 06:51:05 <email address hidden>

<email address hidden>@bionic-sssd:~$ id
uid=45001119(<email address hidden>) gid=45000513(domain <email address hidden>) groups=45000513(domain <email address hidden>)

<email address hidden>@bionic-sssd:~$ grep testuser /etc/passwd
<email address hidden>@bionic-sssd:~$

My smb.conf has:
    workgroup = LOWTECH
    kerberos method = system keytab
    server role = member server
    security = ads

Ah, and I didn't have to use the updated packages from my ppa, because I set "kerberos method = system keytab", so it wasn't trying "secrets" which is where the crash happens.

At some point I also installed libwbclient-sssd, during the experimentation. I can't say if it was essential now.