> a) Samba as a standalone server, but using kerberos for authentication. The users will exist "locally" via sssd, and samba will be just like any other kerberized service authenticating the users via the kdc. For that it will need an appropriate service key in /etc/krb5.keytab. I think realm (the tool) only extracts host/* keys, not cifs/* keys, and samba might want cifs/* ones.
yes, the krb5.keytab created by realm does not contain cifs/* and contains:

# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 m15015-vm-lin3$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   2 m15015-vm-lin3$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   2 m15015-vm-lin3$@MPI-DORTMUND.MPG.DE (des3-cbc-sha1)
   2 m15015-vm-lin3$@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   2 m15015-vm-lin3$@MPI-DORTMUND.MPG.DE (des-cbc-md5)
   2 m15015-vm-lin3$@MPI-DORTMUND.MPG.DE (des-cbc-crc)
   2 host/m15015-vm-l...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)
   2 host/m15015-vm-l...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   2 host/m15015-vm-l...@mpi-dortmund.mpg.de (des3-cbc-sha1)
   2 host/m15015-vm-l...@mpi-dortmund.mpg.de (arcfour-hmac)
   2 host/m15015-vm-l...@mpi-dortmund.mpg.de (des-cbc-md5)
   2 host/m15015-vm-l...@mpi-dortmund.mpg.de (des-cbc-crc)
   2 RestrictedKrbHost/m15015-vm-l...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)
   2 RestrictedKrbHost/m15015-vm-l...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   2 RestrictedKrbHost/m15015-vm-l...@mpi-dortmund.mpg.de (des3-cbc-sha1)
   2 RestrictedKrbHost/m15015-vm-l...@mpi-dortmund.mpg.de (arcfour-hmac)
   2 RestrictedKrbHost/m15015-vm-l...@mpi-dortmund.mpg.de (des-cbc-md5)
   2 RestrictedKrbHost/m15015-vm-l...@mpi-dortmund.mpg.de (des-cbc-crc)

But in the previous samba version there was no cifs/* in the keytab and smb didn't crash on access. So is it really necessary?

> Note that the realm tool does not change smb.conf as far as I can see, that's
> why you still had "security = user" or "server role = standalone server" in
> your smb.conf before. That might be a hint.

Hm, I'm sure it did change the smb.conf previously (maybe this changed recently?). That's why I had "security = user" instead of "security = ADS" in my smb.conf. But now I cannot see any changes in smb.conf either after joining to AD with realm.

So you mean in a) I should try this, right?

security = auto
server role = standalone server
kerberos method = secrets and keytab

smbd crashes here. What is the best way to add the correct cifs/* in /etc/krb5.keytab?

> SSSD by default likes "usern...@realm.com", and samba might expect just
> "username", or "username@WORKGROUP"

Ok, what is the recommended configuration in sssd.conf and smb.conf?

> b)

So you mean in b) I should try this, right?

security = auto
kerberos method = secrets and keytab
server role = member server

afterwards "net ads join" gives me:

# net ads join -U ntfieroch
Enter ntfieroch's password:
Using short domain name -- MPI-DORTMUND
Joined 'M15015-VM-LIN3' to dns domain 'mpi-dortmund.mpg.de'
DNS Update for m15015-vm-lin3.client.mpi-dortmund.mpg.de failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

That works! But shouldn't the tool realm work for joining to AD without net?

> My hypothesis is that there was a change in 4.7.x and that when the secrets
> are not found, it crashes. Definitely a bug, but we might be in an
> unsupported configuration. I have yet to hear from upstream in their bug.

Ok, what is the recommended setting for "security" and "server role" if the client is a domain member and joined by the tool "realm" and not "net"?

--
https://bugs.launchpad.net/bugs/1761737
Title: [bionic] samba PANIC, INTERNAL ERROR: Signal 11
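An added example, not part of this bug thread, that checks a `klist -e -k` listing for the cifs/ service principal smbd looks for under "kerberos method = secrets and keytab", and lists the DES/RC4 keys a realm join leaves behind; the host name and realm in the constructed sample listing are placeholders, not the ones from the report:

```shell
#!/bin/sh
# Added example (not from the bug thread): inspect a `klist -e -k` listing
# for the service principals smbd needs with "kerberos method = secrets and
# keytab". The listing is constructed; host and realm are placeholders.

SAMPLE_REALM_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   2 VM1$@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   2 host/vm1.example.realm@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   2 host/vm1.example.realm@EXAMPLE.REALM (arcfour-hmac)
   2 host/vm1.example.realm@EXAMPLE.REALM (des-cbc-md5)
   2 RestrictedKrbHost/vm1.example.realm@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)'

# The same keytab after a cifs/ key was added (for example with
# "net ads keytab add cifs"); also constructed.
SAMPLE_WITH_CIFS="$SAMPLE_REALM_KEYTAB
   2 cifs/vm1.example.realm@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)"

# keytab_principals LISTING: unique principal names; data rows start with a KVNO
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# has_cifs_principal LISTING: succeed only if a cifs/<host> principal is present
has_cifs_principal() {
    keytab_principals "$1" | grep -q '^cifs/'
}

# weak_enctype_entries LISTING: "principal enctype" for every DES/RC4 key,
# the entries to drop once the domain no longer requires those enctypes
weak_enctype_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ {
        e = $3; gsub(/[()]/, "", e)
        if (e ~ /^(des|arcfour)/) print $2, e
    }'
}

# Stand-alone run over the two constructed listings
for listing in "$SAMPLE_REALM_KEYTAB" "$SAMPLE_WITH_CIFS"; do
    if has_cifs_principal "$listing"; then
        echo "cifs/ principal present"
    else
        echo "no cifs/ principal: smbd cannot pick a cifs key from this keytab"
    fi
done
weak_enctype_entries "$SAMPLE_REALM_KEYTAB"
```

On a real host, pass `"$(klist -e -k /etc/krb5.keytab)"` as the listing argument.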