On Fri, 31 Aug 2012, Andrew Bartlett wrote:

On Thu, 2012-08-30 at 09:33 -0400, Steve Thompson wrote:
On Wed, 29 Aug 2012, Steve Thompson wrote:

On Wed, 29 Aug 2012, Steve Thompson wrote:
More information. If I have two DCs, dc1 and dc2, and I point ldap_uri and
krb5_server in sssd.conf directly at dc1, it always works. If I point either
of those parameters at dc2, it always fails.

Well, this was a red herring. Wait long enough (overnight) and it turns
out that dc1 stops working as well (dc2 never works). This stuff is
unusable.

Does this configuration of SSSD work any differently against a Windows
domain? (Trial versions of Windows Server can be downloaded).

I do not have the resources available to try this against a Windows domain, and I don't care very much for Windows in any event, but as I mentioned before, it works perfectly against a single samba4 DC. It is only when I add a second DC that problems occur. BTW, a "samba-tool demote" does not work to reduce to one DC; I've tried it many times (but of course this is probably a separate issue).

These issues appear to be client-side (using the wrong ticket, or
attempting to do krb5 against a name mapping to more than one server),
but with so little detail it is hard to say with clarity.

I included plenty of detail in my earlier messages on the subject, and while I can see why it looks client-side, I note that I can successfully do a GSSAPI bind and a kinit with /etc/krb5.keytab when getent is failing. I've tried several different configurations with different clients and servers, and they all work with one DC and they all fail when there is more than one DC, all with no changes on the client side. A Windows PC that is bound to the samba4 domain does not work either when getent fails, so I don't think that it is sssd.

I appreciate your input. I like what I've seen of samba4 so far, except possibly the diddling with DNS, but this has me stumped.

Steve
--
----------------------------------------------------------------------------
Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
  "186,282 miles per second: it's not just a good idea, it's the law"
----------------------------------------------------------------------------