[Bug 1761737] Re: [bionic] samba PANIC, INTERNAL ERROR: Signal 11

Andreas Hasenack andreas at canonical.com
Wed Apr 18 12:48:14 UTC 2018

(sorry if I'm telling you something you already know: the text below is
also for my own benefit and thought process)

Joining a domain means basically creating a computer account in the AD.
That is what allows the computer to query the domain for information
like usernames, uid numbers, and even authenticate users.

sssd can do that, for its own benefit. It installs a pam module, a nss
module, configures files accordingly, and you get a machine where users
can login to the linux system and be treated almost like local users, as
if they were in /etc/{passwd,shadow}. sssd can largely do that because
of kerberos.

Samba can also join a domain, of course, and it stores the credentials
for that locally somewhere. I believe that's ultimately what the
"kerberos method" setting controls: if it's in the secrets.tdb database,
or in a normal kerberos keytab. I believe when you use "net ads join",
it uses secrets.tdb. You can check the /etc/krb5.keytab to see if it
changed after you ran "net ads join".

Now, the question is how to take advantage of the already running sssd
(for your linux users to login on the box via ssh, login, gdm, etc) for
samba. As we know, for samba to authenticate and recognize a windows
user, that user also needs to appear as a linux user, as if it existed
in /etc/passwd. That's one of the functions of winbind, or nss_ldap, or
even sssd. But samba also needs to contact the kerberos server (AD in
this case) to authenticate the user and obtain a TGT, and for that it
needs to have its own account. An account that sssd created, not "net
ads join" in your case. Samba should be able to use the system keytab
(that's /etc/krb5.keytab), where apparently sssd did all the work for
us, but we are seeing segfaults in our way when messing with that

In the release notes for samba 4.8.0, for example, they state that
having winbind is required for domain membership, because the rpc calls
were delegated to it (https://github.com/samba-
team/samba/blob/v4-8-stable/WHATSNEW.txt#L24). In 4.7.x that doesn't
seem to be the case yet, but maybe they were on that path already.

You have evidence that in previous ubuntu releases it is possible: using
only sssd, and having samba authenticate domain users. I don't know if
by design, or by accident. Or maybe you are using just a subset of all
the possible rpc calls and it works.

I have documentation that says "net ads join" is necessary for this to
work (it's in the smb.conf manpage). It doesn't elaborate if winbind is
needed, though. Above when you said "it works" after trying "net ads
join", did you mean just the join, or that samba started to authenticate
domain users normally?

Bottom line is, I don't know if you can use sssd for samba, or if you
need both sssd and winbind. I would have to experiment with it. The
segfault is a bug, and shouldn't happen even with invalid
configurations, so that has to be fixed. But it might be unrelated to
the big question.

What I suggest:
- try the net ads join way. It's what the samba documentation recommends
- check if "net ads join" creates another entry in the keytab file
- subscribe to https://lists.samba.org/mailman/listinfo/samba and post this question of sssd+samba there, mentioning the bug about the segfault perhaps (https://bugzilla.samba.org/show_bug.cgi?id=13376)

I will try to find some time this week to validate the domain join
scenarios, at least with samba tools (net ads join, winbind, etc).

For this bug here, I think the focus should be in the segfault.

You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to samba in Ubuntu.

  [bionic] samba PANIC, INTERNAL ERROR: Signal 11

To manage notifications about this bug go to:

More information about the Ubuntu-server-bugs mailing list