After a lot of experimentation, I got my samba server, with "security = ads" but no winbind and no "net ads join" command, to authenticate an AD user using Kerberos.

What nailed it was to use setspn on the Windows side to add cifs/<hostname> to the computer account, like this (for a "bionic-sssd" computer account):

  setspn -S cifs/bionic-sssd bionic-sssd

After that, this worked:

  <email address hidden>@bionic-sssd:~$ smbclient //bionic-sssd/myshare -k
  WARNING: The "syslog" option is deprecated
  Try "help" to get a list of possible commands.
  smb: \> dir
    .                                   D        0  Wed Apr 18 20:29:20 2018
    ..                                  D        0  Wed Apr 18 20:50:25 2018
    hello.txt                           N       13  Wed Apr 18 20:29:20 2018

                7950756 blocks of size 1024. 6300604 blocks available
  smb: \>
  <email address hidden>@bionic-sssd:~$ klist
  Ticket cache: FILE:/tmp/krb5cc_45001119_1zpGGU
  Default principal: <email address hidden>

  Valid starting       Expires              Service principal
  04/18/18 20:51:05  04/19/18 06:51:05  <email address hidden>
          renew until 04/19/18 20:51:05
  04/18/18 20:51:49  04/19/18 06:51:05  <email address hidden>
  <email address hidden>@bionic-sssd:~$ id
  uid=45001119(<email address hidden>) gid=45000513(domain <email address hidden>) groups=45000513(domain <email address hidden>)
  <email address hidden>@bionic-sssd:~$ grep testuser /etc/passwd
  <email address hidden>@bionic-sssd:~$

My smb.conf has:

  [global]
  workgroup = LOWTECH
  realm = LOWTECH.INTERNAL
  kerberos method = system keytab
  server role = member server
  security = ads
  ...

Ah, and I didn't have to use the updated packages from my PPA, because I set "kerberos method = system keytab", so it wasn't trying "secrets", which is where the crash happens.

At some point I also installed libwbclient-sssd, during the experimentation. I can't say if it was essential now.
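As an added example (not part of this bug comment, and not Samba's or sssd's own tooling), here is a small POSIX shell script that checks the two things the setup above depends on: that the cifs/<hostname> service principal registered with setspn has actually landed in the server's system keytab (which is what "kerberos method = system keytab" makes smbd read), and that smb.conf carries "security = ads" together with that keytab setting and a realm. The klist -k listing and the smb.conf text are constructed samples embedded in the script so it runs offline; the hostname bionic-sssd and realm LOWTECH.INTERNAL are taken from the comment, while the host/ and machine-account keytab entries are assumed for illustration.

```shell
#!/bin/sh
# Added example: verify the keytab and smb.conf prerequisites for a Samba
# member server that uses the system keytab instead of winbind.
# Inputs below are CONSTRUCTED samples; on a real host substitute
# "$(klist -k /etc/krb5.keytab)" and "$(cat /etc/samba/smb.conf)".

# Constructed sample of `klist -k /etc/krb5.keytab` output. The host/ and
# machine-account entries are assumed; the cifs/ entry is the one the
# comment's setspn command registered.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/bionic-sssd.lowtech.internal@LOWTECH.INTERNAL
   2 BIONIC-SSSD$@LOWTECH.INTERNAL
   2 cifs/bionic-sssd@LOWTECH.INTERNAL'

# Constructed sample of the [global] section quoted in the comment.
SAMPLE_SMB_CONF='[global]
workgroup = LOWTECH
realm = LOWTECH.INTERNAL
kerberos method = system keytab
server role = member server
security = ads'

# has_cifs_spn LISTING HOSTNAME REALM
# Returns 0 when the keytab listing has a cifs/HOSTNAME@REALM entry, i.e. the
# SPN smbclient -k will request a ticket for is something smbd can decrypt.
has_cifs_spn() {
    printf '%s\n' "$1" |
        grep -Eiq "^[[:space:]]*[0-9]+[[:space:]]+cifs/$2@$3\$"
}

# smb_conf_value CONF KEY
# Prints the value of KEY from the smb.conf text (first match, trimmed).
smb_conf_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" |
        head -n 1
}

# check_member_server CONF
# 0 if the config matches the working setup from the comment; a distinct
# non-zero code identifies which setting is off.
check_member_server() {
    _conf=$1
    [ "$(smb_conf_value "$_conf" 'security')" = "ads" ] || return 1
    [ "$(smb_conf_value "$_conf" 'kerberos method')" = "system keytab" ] || return 2
    [ -n "$(smb_conf_value "$_conf" 'realm')" ] || return 3
    return 0
}

# Run the checks against the constructed samples and report.
if has_cifs_spn "$SAMPLE_KEYTAB_LISTING" bionic-sssd LOWTECH.INTERNAL; then
    echo "OK: cifs/bionic-sssd@LOWTECH.INTERNAL is present in the keytab"
else
    echo "MISSING: no cifs SPN in the keytab; register it with setspn and refresh the keytab" >&2
fi
if check_member_server "$SAMPLE_SMB_CONF"; then
    echo "OK: smb.conf uses security = ads with kerberos method = system keytab"
else
    echo "FAIL: smb.conf does not match the working member-server settings" >&2
fi
```

Run it as-is to see the constructed samples pass; to use it for real, replace the two SAMPLE_ variables with live output and check the exit codes of the two functions in whatever post-join script refreshes the keytab.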