15389 – "net offlinejoin requestodj" does not work with "kerberos method = secrets and keytab"

Bug 15389 - "net offlinejoin requestodj" does not work with "kerberos method = secrets and keytab"

Summary: "net offlinejoin requestodj" does not work with "kerberos method = secrets an...

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Tools (show other bugs)
Version:	4.18.3
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Guenther Deschner
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-06-06 08:46 UTC by Guenther Deschner
Modified:	2023-07-04 11:58 UTC (History)
CC List:	0 users

See Also:	https://bugzilla.redhat.com/show_bug.cgi?id=2211854

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Guenther Deschner 2023-06-06 08:46:08 UTC

The keytab creation path assumes connection to AD (which is not the case when joining offline). I think we need to move the keytab creation to the provision step, not the the requestodj step.

Comment 1 Andreas Schneider 2023-06-06 11:53:02 UTC

We connect to AD to check if the account has additional SPNs specified during keytab generation, we should just skip that step and generate the default once using the machine account password. Either the SPNs are part of the blob and we check check there to create additional once or we can't ...

Comment 2 Andreas Schneider 2023-06-06 11:54:03 UTC

https://gitlab.com/samba-team/samba/-/merge_requests/1999 has several changes to how we create keytabs ...