On 30/08/13 18:15, steve wrote:
> On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
>> On 30/08/13 15:48, Luca Olivetti wrote:
>>> On 30/08/13 11:41, Rowland Penny wrote:
>>>
>>>> OK, try this sssd.conf that I have altered for your setup, it is based
>>>> on the sssd.conf on the machine that I am typing this on and it works,
>>>> you just need the krb5.keytab that I told you how to create earlier.
>>> That was
>>>
>>> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
>>> Administrator
>>>
>>
>
> Hi
> This command dumps the _whole_ of the database to the keytab, so you
> must choose which key you are going to use for:
> ldap_sasl_authid
Oops, I was just following instructions :-/
I promise that, when everything is working, I'll read all the relevant
manpages (I usually do it _before_ blindly typing what's been suggested,
but...) ;-)

>
> If you really do need all the keys there then could you send us a
> sanitised dump of the keytab so we can decide a good key to use? And more
> importantly one which is definitely present?
>
> klist -k /etc/krb5.keytab
>
> It is generally recommended to only dump the keys you need.

Which it does with the --principal option, yes? (but, as I just learned,
each command *adds* to the keytab, so I have to delete the file first).

BTW, if I use --principal=nslcd-connect it is listed 3 times:

# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nslcd-conn...@wetron.es
   1 nslcd-conn...@wetron.es
   1 nslcd-conn...@wetron.es

>
> Have you dumped the Administrator key to the keytab? If it isn't in the
> keytab it's not going to find a match either. Why not simply choose
> something which you _do_ have?
>
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = something.you.do.have.in.the.keytab
> ldap_krb5_keytab = /etc/krb5.keytab

Again, I was following suggestions; anyway, both with -U and with
--principal=nslcd-connect I was using an ldap_sasl_authid that was in the
keytab (as per keytab -k), but the error is the same:

[sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: nslcd-connect
[sssd[nss]] [client_recv] (0x0200): Client disconnected!
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)]

> HTH to get us closer.
I cannot thank you enough, but I feel I'm not getting any closer :-(

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007
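As an added example (not from the thread, and not Samba's or SSSD's own code), the script below automates the two checks the thread does by hand: whether the `ldap_sasl_authid` principal is actually in the keytab, and why a principal exported with `--principal` shows up three times in plain `klist -k` (the `-e` flag prints the encryption type, and one principal stored with three enctypes is three keytab entries). It also derives the *server* principal, `ldap/<host>@REALM`, that a GSSAPI bind asks the KDC for, because "Server not found in Kerberos database" is the KDC's answer when that principal is unknown to it. The `klist -ke` output and the sssd.conf fragment are constructed samples; the realm `WETRON.ES`, the `ldap_uri` value `ldap://dc1.wetron.es` and the presence of `krb5_realm` in sssd.conf are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for the
# keytab / sssd.conf pairing. All inputs below are constructed samples;
# realm WETRON.ES and the LDAP URI are assumptions.

# Constructed `klist -ke /etc/krb5.keytab` output. Plain `klist -k` omits
# the enctype in parentheses, so these three lines look identical there.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nslcd-connect@WETRON.ES (aes256-cts-hmac-sha1-96)
   1 nslcd-connect@WETRON.ES (aes128-cts-hmac-sha1-96)
   1 nslcd-connect@WETRON.ES (arcfour-hmac)'

# Constructed sssd.conf fragment (assumed option values).
SAMPLE_SSSD='[domain/wetron.es]
ldap_uri = ldap://dc1.wetron.es
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = nslcd-connect
ldap_krb5_keytab = /etc/krb5.keytab
krb5_realm = WETRON.ES'

# sssd_option CONF KEY: print the value of KEY from sssd.conf text.
sssd_option() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# keytab_principals KLIST_OUTPUT: unique principals, one per line
# (only rows whose first column is a numeric KVNO are keytab entries).
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# keytab_enctypes KLIST_OUTPUT PRINCIPAL: number of keys stored for PRINCIPAL.
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { n++ } END { print n + 0 }'
}

# keytab_has KLIST_OUTPUT PRINCIPAL: succeed if PRINCIPAL is in the keytab.
keytab_has() {
    keytab_principals "$1" | grep -qx "$2"
}

# ldap_service_principal URI REALM: the service principal the GSSAPI bind
# requests from the KDC. "Server not found in Kerberos database" means the
# KDC has no principal by that name, typically because the host name the
# client resolved does not match the DC's servicePrincipalName.
ldap_service_principal() {
    host=$(printf '%s\n' "$1" | sed -e 's#^ldaps\{0,1\}://##' -e 's#[:/].*$##')
    printf 'ldap/%s@%s\n' "$host" "$2"
}

authid=$(sssd_option "$SAMPLE_SSSD" ldap_sasl_authid)
realm=$(sssd_option "$SAMPLE_SSSD" krb5_realm)
uri=$(sssd_option "$SAMPLE_SSSD" ldap_uri)
spn=$(ldap_service_principal "$uri" "$realm")

if keytab_has "$SAMPLE_KLIST" "$authid@$realm"; then
    echo "client principal $authid@$realm is in the keytab" \
         "($(keytab_enctypes "$SAMPLE_KLIST" "$authid@$realm") enctypes)"
else
    echo "client principal $authid@$realm is NOT in the keytab"
fi
echo "server principal the bind needs: $spn"
echo "on the real client, confirm the KDC knows it with: kvno $spn"
```

On a live system, replace the two sample strings with `$(klist -ke /etc/krb5.keytab)` and `$(cat /etc/sssd/sssd.conf)`; the `kvno` line it prints is the quickest way to tell a missing client key apart from a missing or misnamed server principal.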