Bug 15389 - "net offlinejoin requestodj" does not work with "kerberos method = secrets and keytab"
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.18.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Depends on:
Reported: 2023-06-06 08:46 UTC by Guenther Deschner
Modified: 2023-07-04 11:58 UTC
Description Guenther Deschner 2023-06-06 08:46:08 UTC
The keytab creation path assumes connection to AD (which is not the case when joining offline). I think we need to move the keytab creation to the provision step, not the requestodj step.
Comment 1 Andreas Schneider 2023-06-06 11:53:02 UTC
We connect to AD to check if the account has additional SPNs specified during keytab generation. We should just skip that step and generate the default ones using the machine account password. Either the SPNs are part of the blob and we check there to create additional ones or we can't ...
Comment 2 Andreas Schneider 2023-06-06 11:54:03 UTC
https://gitlab.com/samba-team/samba/-/merge_requests/1999 has several changes to how we create keytabs ...