On 12/08/13 10:04, Markus Gillmeister wrote:
Hi,

while googling around I already suspected that using winbind and samba4 is
not a perfect solution.

I tried to set up sssd on my Debian wheezy machine but I'm not able to get a
running setup:

When starting up sssd the following errors appear:

(Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [setup_child] (0x0010):
Could not verify keytab
(Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [load_backend_module]
(0x0010): Error (2) in module (ldap) initialization (sssm_ldap_id_init)!
(Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [be_process_init]
(0x0010): fatal error initializing data providers
(Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [main] (0x0010): Could
not initialize backend [2]


My  /etc/sssd/sssd.conf looks like:

[sssd]
config_file_version = 2
domains = shadow.local
services = nss, pam
debug_level = 7

[nss]

[pam]

[domain/shadow.local]
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

krb5_realm = SHADOW.LOCAL

ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName


The sssd version on Debian wheezy is 1.8.4.  Any ideas what's wrong?

Best Regards
Markus


Hi
mmm, 1.8.4. For AD out of the box you need version 1.10.1 but you could try this.
You haven't specified the DC or any of the gssapi stuff:
 remove:
 access_provider =
 and add:

krb5_realm =
krb5_server =
krb5_kpasswd =

ldap_sasl_authid =
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
krb5_validate = False

For server and kpasswd use names, not IPs.
For ldap_sasl_authid use the machine key from the keytab it provided when you joined the domain, something like MACHINE$

There are example configs for both rfc2307bis and AD schemas here:
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
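
Added example, not part of the original thread: a small Python reader for the MIT keytab file format (version 0x0502) that lists the stored principals and checks whether the name given as ldap_sasl_authid is among them, which is the precondition behind the "Could not verify keytab" error. The sample keytab is constructed inline; the host name wheezy and machine account WHEEZY$ are assumptions, and the key bytes are dummies.

```python
import struct

def keytab_principals(data: bytes) -> list:
    """Return the principal@REALM names stored in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    names, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative length marks a deleted entry (hole)
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (count,) = struct.unpack_from(">H", entry, 0)
        off, parts = 2, []
        for _ in range(count + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        names.append("/".join(parts[1:]) + "@" + parts[0])
    return names

def authid_in_keytab(authid: str, realm: str, data: bytes) -> bool:
    """True if the ldap_sasl_authid value has a key in the keytab (exact, case-sensitive)."""
    want = authid if "@" in authid else f"{authid}@{realm}"
    return want in keytab_principals(data)

def sample_entry(realm: str, components: list, kvno: int = 1) -> bytes:
    """Build one keytab entry for the constructed sample below."""
    def counted(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno)              # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", 23) + counted(bytes(16))   # enctype 23, dummy all-zero key
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: realm from the thread, host and machine names assumed.
SAMPLE = (b"\x05\x02"
          + sample_entry("SHADOW.LOCAL", ["host", "wheezy.shadow.local"])
          + sample_entry("SHADOW.LOCAL", ["WHEEZY$"]))

if __name__ == "__main__":
    print(keytab_principals(SAMPLE))
    print(authid_in_keytab("WHEEZY$", "SHADOW.LOCAL", SAMPLE))
```

On a real host, `klist -k /etc/krb5.keytab` prints the same principal list; the file holds the machine's long-term keys and should be readable by root only.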




