In tracing through problems with realm join (in a Samba/ctdb cluster), I was noticing that
realm join implicitly calls 'net ads join' (which should be a good thing) but it
passes '-s' with a temporary smb.conf to 'net ads join' (which is a bad
thing since it leaves out clustering=yes and the include=registry). What I was noticing
was that to get sssd AND Samba to work after 'realm join' you had to run 'net
ads join' (explicitly) on at least one node of the cluster (but that is risky because
then sssd doesn't know about the keytab update that 'net ads join' just did).
If you don't run 'net ads join' after 'realm join' - Samba will fail
because it doesn't think it is joined to a domain (so session setups to it will get a
'NO_LOGON_SERVER' error, and 'net ads testjoin' will show it is not joined
as well) - presumably because the 'net ads join' that realmd does implicitly on
'realm join' has the wrong smb.conf passed in to it (with no clustering).
Comparing traces of the two joins -
the main difference I see is that there are no ctdb related events logged in the
'realm join' implicitly called 'net ads join' (and secrets.tdb is missing
the entry for the domain on all nodes).
Any thoughts of 1) how to force 'realm join' to use a better smb.conf rather than
the temporary one it chooses during 'net ads join' or 2) how to safely do a
'net ads join' after 'realm join' (and not confuse sssd)?