Fix

Author: anodos325

src/middlewared/middlewared/plugins/directoryservices_/activedirectory_join_mixin.py

@@ -18,7 +18,7 @@
     gss_get_current_cred,
     kerberos_ticket,
 )
-from middlewared.utils.directoryservices.krb5_constants import krb5ccache
+from middlewared.utils.directoryservices.krb5_constants import krb5ccache, SAMBA_KEYTAB_DIR
 from middlewared.utils.directoryservices.krb5_error import (
     KRB5Error,
     KRB5ErrCode,
@@ -54,7 +54,7 @@ def _ad_activate(self, perform_kinit=True) -> None:
         # that a call to kerberos.start would fail due to lack of replication.
         if perform_kinit and not self.__ad_has_tkt_principal():
             self.logger.debug('No ticket detected for domain. Starting kerberos service.')
-            self.middleware.call_sync('kerberos.start')
+            self._ad_wait_kerberos_start()
 
     def _ad_wait_wbclient(self) -> None:
         waited = 0
@@ -157,13 +157,17 @@ def _ad_lookup_dc(self, domain: str, retry: bool = True) -> dict:
 
     def _ad_leave(self, job: Job, ds_type: DSType, domain: str):
         """ Delete our computer object from active directory """
+
+        # remove all samba keytabs
+        for file in os.listdir(SAMBA_KEYTAB_DIR):
+            os.unlink(os.path.join(SAMBA_KEYTAB_DIR, file))
+
         username = str(gss_get_current_cred(krb5ccache.SYSTEM.value).name)
 
         netads = subprocess.run([
             SMBCmd.NET.value,
             '--use-kerberos', 'required',
             '--use-krb5-ccache', krb5ccache.SYSTEM.value,
-            '-U', username,
             'ads', 'leave',
         ], check=False, capture_output=True)
 
@@ -185,10 +189,8 @@ def setspn(spn):
 
             netads = subprocess.run(cmd, check=False, capture_output=True)
             if netads.returncode != 0:
-                raise CallError(
-                    'Failed to set spn entry: '
-                    f'{netads.stdout.decode().strip()}'
-                )
+                self.logger.error("%s: failed to set spn entry: %s", spn,
+                                  netads.stdout.decode().strip())
 
         setspn(f'nfs/{netbiosname.upper()}')
         setspn(f'nfs/{netbiosname.upper()}.{domainname.lower()}')
@@ -202,7 +204,6 @@ def _ad_test_join(self, ds_type: DSType, domain: str):
         netads = subprocess.run([
             SMBCmd.NET.value,
             '--use-kerberos', 'required',
-            '--use-krb5-ccache', krb5ccache.SYSTEM.value,
             '--realm', domain,
             '-d', '5',
             'ads', 'testjoin'

src/middlewared/middlewared/plugins/kerberos.py

@@ -35,6 +35,7 @@
 )
 from middlewared.utils.directoryservices.krb5_conf import KRB5Conf
 from middlewared.utils.directoryservices.krb5_error import KRB5Error
+from middlewared.utils.io import write_if_changed
 
 
 class KerberosModel(sa.Model):
@@ -938,19 +939,20 @@ def store_ad_keytab(self):
             return
 
         ad = self.middleware.call_sync('activedirectory.config')
-        keytab_file = base64.b64encode(concatenate_keytab_data(samba_keytabs)).decode()
+        keytab_file = concatenate_keytab_data(samba_keytabs)
+        keytab_file_encoded = base64.b64encode(keytab_file).decode()
 
         entry = self.middleware.call_sync('kerberos.keytab.query', [('name', '=', 'AD_MACHINE_ACCOUNT')])
         if not entry:
             self.middleware.call_sync(
                 'datastore.insert', self._config.datastore,
-                {'name': 'AD_MACHINE_ACCOUNT', 'file': keytab_file},
+                {'name': 'AD_MACHINE_ACCOUNT', 'file': keytab_file_encoded},
                 {'prefix': self._config.datastore_prefix}
             )
         else:
             self.middleware.call_sync(
                 'datastore.update', self._config.datastore, entry[0]['id'],
-                {'name': 'AD_MACHINE_ACCOUNT', 'file': keytab_file},
+                {'name': 'AD_MACHINE_ACCOUNT', 'file': keytab_file_encoded},
                 {'prefix': self._config.datastore_prefix}
             )
 
@@ -959,6 +961,8 @@ def store_ad_keytab(self):
                 'ad_kerberos_principal': f'{ad["netbiosname"]}$@{ad["domainname"]}'
             })
 
+        write_if_changed(KRB_Keytab.SYSTEM.value, keytab_file, perms=0o600)
+
     @periodic(3600)
     @private
     async def check_updated_keytab(self):

src/middlewared/middlewared/plugins/smb_/constants.py

@@ -1,5 +1,6 @@
 import enum
 from middlewared.utils import MIDDLEWARE_RUN_DIR
+from middlewared.utils.directoryservices.krb5_constants import SAMBA_KEYTAB_DIR
 
 
 NETIF_COMPLETE_SENTINEL = f"{MIDDLEWARE_RUN_DIR}/ix-netif-complete"
@@ -75,6 +76,7 @@ class SMBPath(enum.Enum):
     SHARECONF = ('/etc/smb4_share.conf', 0o755, False)
     STATEDIR = ('/var/db/system/samba4', 0o755, True)
     PRIVATEDIR = ('/var/db/system/samba4/private', 0o700, True)
+    KEYTABDIR = (SAMBA_KEYTAB_DIR, 0o700, True)
     LEGACYSTATE = ('/root/samba', 0o755, True)
     LEGACYPRIVATE = ('/root/samba/private', 0o700, True)
     CACHE_DIR = ('/var/run/samba-cache', 0o755, True)

src/middlewared/middlewared/utils/directoryservices/krb5_constants.py

@@ -4,7 +4,7 @@
 
 KRB_TKT_CHECK_INTERVAL = 1800
 PERSISTENT_KEYRING_PREFIX = 'KEYRING:persistent:'
-SAMBA_KEYTAB_DIR = '/etc/samba/keytabs'
+SAMBA_KEYTAB_DIR = '/etc/samba/kerberos'
 
 
 class KRB_Keytab(enum.Enum):