On Fri, Mar 17, 2017 at 04:07:00AM -0000, [email protected] wrote:
> In tracing through problems with realm join (in a Samba/ctdb cluster), I was
> noticing that realm join implicitly calls 'net ads join' (which should be a
> good thing) but it passes '-s' with a temporary smb.conf to 'net ads join'
> (which is a bad thing since it leaves out clustering=yes and the
> include=registry). What I was noticing was that to get sssd AND Samba to
> work after 'realm join' you had to run 'net ads join' (explicitly) on at
> least one node of the cluster (but that is risky because then sssd doesn't
> know about the keytab update that 'net ads join' just did). If you don't run
> 'net ads join' after 'realm join' - Samba will fail because it doesn't think
> it is joined to a domain (so session setups to it will get a
> 'NO_LOGON_SERVER' error, and 'net ads testjoin' will show it is not joined as
> well) - presumably because the 'net ads join' that realmd does implicitly on
> 'realm join' has the wrong smb.conf passed in to it (with no clustering).
> Comparing traces of the two joins -
> the main difference I see is that there are no ctdb related events logged in
> the 'realm join' implicitly called 'net ads join' (and secrets.tdb is missing
> the entry for the domain on all nodes).
>
> Any thoughts of 1) how to force 'realm join' to use a better smb.conf rather
> than the temporary one it chooses during 'net ads join' or 2) how to safely
> do a 'net ads join' after 'realm join' (and not confuse sssd)?
1) You can overwrite the path to the net utility in
/usr/lib/realmd/realmd-defaults.conf by setting in the [paths] section
e.g.
net = /usr/bin/net-ctdb-join
where /usr/bin/net-ctdb-join should be a script which calls the plain
net utility with all the given parameters and adds a '-s
/etc/samab/smb.conf' option at the end. Iirc the net utility will use
the last '-s' option.
2) As long as the smb.conf has 'kerberos method' set in a way so that
'net ads join' will update the system keytab as well a restart of SSSD
should be sufficient to pick up the new keys.
HTH
bye,
Sumit
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
