On Fri, Mar 17, 2017 at 04:07:00AM -0000, smfrench(a)gmail.com wrote:
> In tracing through problems with realm join (in a Samba/ctdb
> cluster), I was noticing that realm join implicitly calls 'net ads join' (which
> should be a good thing) but it passes '-s' with a temporary smb.conf to 'net
> ads join' (which is a bad thing since it leaves out clustering=yes and the
> include=registry). What I was noticing was that to get sssd AND Samba to work after
> 'realm join' you had to run 'net ads join' (explicitly) on at least one
> node of the cluster (but that is risky because then sssd doesn't know about the keytab
> update that 'net ads join' just did). If you don't run 'net ads join'
> after 'realm join' - Samba will fail because it doesn't think it is joined to
> a domain (so session setups to it will get a 'NO_LOGON_SERVER' error, and 'net
> ads testjoin' will show it is not joined as well) - presumably because the 'net
> ads join' that realmd does implicitly on 'realm join' has the wrong smb.conf
> passed in to it (with no clustering). Comparing traces of the two joins -
> the main difference I see is that there are no ctdb related events logged in the
> 'realm join' implicitly called 'net ads join' (and secrets.tdb is missing
> the entry for the domain on all nodes).
>
> Any thoughts of 1) how to force 'realm join' to use a better smb.conf rather than
> the temporary one it chooses during 'net ads join' or 2) how to safely do a
> 'net ads join' after 'realm join' (and not confuse sssd)?
1) You can overwrite the path to the net utility in
/usr/lib/realmd/realmd-defaults.conf by setting in the [paths] section

    net = /usr/bin/net-ctdb-join

where /usr/bin/net-ctdb-join should be a script which calls the plain
net utility with all the given parameters and adds a
'-s /etc/samba/smb.conf' option at the end. IIRC the net utility will use
the last '-s' option.
2) As long as the smb.conf has 'kerberos method' set in a way so that
'net ads join' will update the system keytab as well, a restart of SSSD
should be sufficient to pick up the new keys.
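A wrapper script of the kind described in 1), written here as an added example (not code from the thread or from realmd/Samba). It assumes the real binary is /usr/bin/net and the cluster config is /etc/samba/smb.conf; the pre-flight check that the config actually carries clustering=yes and include=registry is my addition, based on the two settings the question says the temporary smb.conf drops.

```shell
#!/bin/sh
# /usr/bin/net-ctdb-join: the path configured as "net =" in the [paths]
# section of /usr/lib/realmd/realmd-defaults.conf. Assumed locations:
NET_BIN="${NET_BIN:-/usr/bin/net}"
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"

# Return 0 only if the config has the cluster settings that realmd's
# temporary smb.conf leaves out; refusing early is safer than a half-join.
check_cluster_smbconf() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eiq '^[[:space:]]*clustering[[:space:]]*=[[:space:]]*yes' "$conf" || return 1
    grep -Eiq '^[[:space:]]*include[[:space:]]*=[[:space:]]*registry' "$conf" || return 1
    return 0
}

# Echo, one per line, the argument vector handed to net: realmd's own
# arguments first (including its temporary -s), then our trailing -s,
# which wins because net honours the last -s it sees.
net_ctdb_join_args() {
    printf '%s\n' "$@" -s "$SMB_CONF"
}

run_net_ctdb_join() {
    if ! check_cluster_smbconf "$SMB_CONF"; then
        echo "net-ctdb-join: $SMB_CONF lacks clustering=yes or include=registry; not joining" >&2
        return 2
    fi
    # Leave an audit trail of what realmd asked for (logger may be absent).
    logger -t net-ctdb-join "net $* -s $SMB_CONF" 2>/dev/null || :
    exec "$NET_BIN" "$@" -s "$SMB_CONF"
}

# Run only when invoked as the installed script, not when sourced for testing.
case "$0" in
    */net-ctdb-join|net-ctdb-join) run_net_ctdb_join "$@" ;;
esac
```

Install it mode 0755 and run 'net ads testjoin' on one node afterwards to confirm secrets.tdb now holds the domain entry on every node.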