On 30/08/13 15:48, Luca Olivetti wrote:
Al 30/08/13 11:41, En/na Rowland Penny ha escrit:

OK, try this sssd.conf that I have altered for your setup, it is based
on the sssd.conf on the machine that I am typing this on and it works,
you just need the krb5.keytab that I told you how to create earlier.
That was

/usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
Administrator

yes?
Correct, though I do not understand why you are using the full path to samba-tool.

[[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
trying to select the most appropriate principal from keytab
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching template.wetron...@wetron.es found in keytab.
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching TEMPLATE$@WETRON.ES found in keytab.
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching host/template.wetron...@wetron.es found in keytab.
[[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
Selected principal: dept-66f575a885$@WETRON.ES
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
name is: [dept-66f575a885$@WETRON.ES]
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Using
keytab [default]
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Will
canonicalize principals
[[sssd[ldap_child[8011]]]] [prepare_response] (0x0400): Building
response for result [0]
[[sssd[ldap_child[8011]]]] [main] (0x0400): ldap_child completed
successfully
[sssd[be[wetron.es]]] [read_pipe_handler] (0x0400): EOF received, client
finished
[sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
[sssd[be[wetron.es]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
mech: GSSAPI, user: (null)
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
(-2)[Local error]
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Server not found in
Kerberos database)]

Where did you get samba4 from? Did you compile it yourself? What version? What OS are you using? If you did compile it yourself, what packages did you install before compiling?

Note that I get the last error even if I add

ldap_sasl_authid = Administrator

in sssd.conf
The sssd.conf I supplied is a known working one; all I changed was the domain name and server address from mine.

(Of course in that case I don't get the "No principal matching..."
messages but the outcome is the same).

I suppose there is some additional step to perform (apart from
extracting the keytab).


Bye
You could try stopping sssd and then removing the sssd databases: rm -f /var/lib/sss/db/* (this is on Ubuntu)

All I do is:
Export keytab: samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator
Install sssd sssd-tools via package manager
alter /etc/sssd/sssd.conf as per the one I supplied
remove the sssd databases
start sssd

It should now work, provided that the uidNumber, gidNumber, etc. are in each user's DN; you do not need the posix objectClasses.

Rowland
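The debug log quoted earlier shows how sssd's ldap_child picks a principal from the keytab: it tries fqdn@REALM, then MACHINE$@REALM, then host/fqdn@REALM, and takes the first one it finds. The script below is an added example, not part of this thread or of the sssd project, that reproduces that selection against the output of `klist -kt` so you can check an exported keytab before starting sssd. The hostname, realm and keytab listings are constructed placeholders; on a real machine feed it `klist -kt /etc/krb5.keytab`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check which of the
# principals sssd's ldap_child looks for are present in an exported keytab.

# keytab_principals: read `klist -kt` output on stdin, print the unique
# principal names. Data lines start with a numeric KVNO; the principal is
# the last field, so the header lines are skipped automatically.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# select_principal FQDN REALM: read `klist -kt` output on stdin and print
# the first candidate sssd would select, in the same order as the log
# (fqdn@REALM, MACHINE$@REALM, host/fqdn@REALM). Returns 1 if none match,
# which is the situation that produced the "No principal matching" lines.
select_principal() {
    fqdn=$1
    realm=$2
    # Machine account name: short hostname, upper-cased, with a trailing '$'
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    listing=$(cat)
    for cand in "$fqdn@$realm" "$short\$@$realm" "host/$fqdn@$realm"; do
        if printf '%s\n' "$listing" | keytab_principals | grep -Fxq "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Constructed sample listings in `klist -kt` format (placeholder realm/hosts).
# A keytab exported with samba-tool for a joined host should look like this:
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/30/2013 11:41:00 host/client.example.com@EXAMPLE.COM
   3 08/30/2013 11:41:00 CLIENT$@EXAMPLE.COM
   3 08/30/2013 11:41:00 Administrator@EXAMPLE.COM'

# A keytab carrying only unrelated principals: nothing for this host matches.
SAMPLE_KEYTAB_BAD='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/30/2013 11:41:00 OTHERBOX$@EXAMPLE.COM
   3 08/30/2013 11:41:00 Administrator@EXAMPLE.COM'

# Demo on the constructed samples; on a real host use:
#   klist -kt /etc/krb5.keytab | select_principal "$(hostname -f)" EXAMPLE.COM
printf '%s\n' "$SAMPLE_KEYTAB" | select_principal client.example.com EXAMPLE.COM \
    || echo "no usable principal for client.example.com"
printf '%s\n' "$SAMPLE_KEYTAB_BAD" | select_principal client.example.com EXAMPLE.COM \
    || echo "no usable principal for client.example.com (bad keytab)"
```

If the script reports no usable principal, the keytab was exported on a machine whose name differs from the one sssd is running on, or the host has not been joined under that name; either way sssd will fall back to whatever principal it finds, as the log above shows, and the GSSAPI bind is unlikely to succeed.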
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
