Re: [Samba] objectClass:posixAccount missing
On Sat, 2013-08-31 at 20:17 +0200, Luca Olivetti wrote:
> On 31/08/13 18:00, steve wrote:
>
> >> Hi
> >> It doesn't work here either. The only way we can get it to authenticate
> >> or join the domain is to add:
> >> I.P.ADD.RRESS f.q.d.n short-hostname
> >> of the DC to /etc/hosts
> >>
> >> Steve
> >
> > Oh, and:
> > 127.0.0.1 localhost f.q.d.n
> > 127.0.0.1 short-hostname
>
> That last bit did it (the I.P.ADD.RRESS f.q.d.n short-hostname was
> already there, one of those previous failed attempts):
>
> [root@cliente luca]# net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- WETRON
> Joined 'CLIENTE' to dns domain 'wetron.es'
> No DNS domain configured for cliente. Unable to perform DNS Update.
> DNS update failed!
>
> Why is it necessary?

I think you may have had /etc/hostname with the fqdn, whereas it _should_
only have the hostname. IOW: You have to have
hostname -s
return _just_ the hostname _without_ the domain. And:
hostname -f
return the fqdn

I understand that you now have the domain join and sssd auth from the
keytab without either the DNS update nor the something not found errors?

Dare I mention that it is really nice with sssd v1.10 and above as it
gives us dynamic dns updates on the fly for Linux clients, just like
windows. But don't tell anyone lol.

Cheers,
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] objectClass:posixAccount missing
On 31/08/13 18:00, steve wrote:
>> Hi
>> It doesn't work here either. The only way we can get it to authenticate
>> or join the domain is to add:
>> I.P.ADD.RRESS f.q.d.n short-hostname
>> of the DC to /etc/hosts
>>
>> Steve
>
> Oh, and:
> 127.0.0.1 localhost f.q.d.n
> 127.0.0.1 short-hostname

That last bit did it (the I.P.ADD.RRESS f.q.d.n short-hostname was
already there, one of those previous failed attempts):

[root@cliente luca]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- WETRON
Joined 'CLIENTE' to dns domain 'wetron.es'
No DNS domain configured for cliente. Unable to perform DNS Update.
DNS update failed!

Why is it necessary?

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
Re: [Samba] objectClass:posixAccount missing
On Sat, 2013-08-31 at 17:53 +0200, steve wrote:
> On Sat, 2013-08-31 at 17:25 +0200, Luca Olivetti wrote:
> > On 31/08/13 15:23, steve wrote:
> >
> > > I feel we've made progress. Next time a winbind problem gets posted,
> > > we'll be able to refer to 3 democratically produced howtos. Thanks to
> > > Marc for listening to us and inviting us in on his howtos, Luca his
> > > patience in hearing us out 'till EOT and to Rowland for keeping me sane.
> > > OpenSource at its best.
> >
> > An update on sssd+gssapi: I setup a client VM where I copied the keytab
> > and the sssd.conf of the server.
> > I got the same 'Server not found in Kerberos database' error.
> > I tried many things (adding the client address in samba 4 dns, install
> > samba 3 on the client and trying to join the domain, which, btw, I
> > didn't manage to do, trying to follow the instructions here
> > https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server,
> > again, unsuccessfully, etc.).
> > What seems to have solved the problem has been setting the hostname to a
> > simple name without domain, e.g. changing it from "cliente.wetron.es" to
> > "cliente".
> > I really have to study this kerberos thingie ;-)
>
> Hi
> It doesn't work here either. The only way we can get it to authenticate
> or join the domain is to add:
> I.P.ADD.RRESS f.q.d.n short-hostname
> of the DC to /etc/hosts
>
> Steve

Oh, and:
127.0.0.1 localhost f.q.d.n
127.0.0.1 short-hostname
Re: [Samba] objectClass:posixAccount missing
On Sat, 2013-08-31 at 17:25 +0200, Luca Olivetti wrote:
> On 31/08/13 15:23, steve wrote:
>
> > I feel we've made progress. Next time a winbind problem gets posted,
> > we'll be able to refer to 3 democratically produced howtos. Thanks to
> > Marc for listening to us and inviting us in on his howtos, Luca his
> > patience in hearing us out 'till EOT and to Rowland for keeping me sane.
> > OpenSource at its best.
>
> An update on sssd+gssapi: I setup a client VM where I copied the keytab
> and the sssd.conf of the server.
> I got the same 'Server not found in Kerberos database' error.
> I tried many things (adding the client address in samba 4 dns, install
> samba 3 on the client and trying to join the domain, which, btw, I
> didn't manage to do, trying to follow the instructions here
> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server,
> again, unsuccessfully, etc.).
> What seems to have solved the problem has been setting the hostname to a
> simple name without domain, e.g. changing it from "cliente.wetron.es" to
> "cliente".
> I really have to study this kerberos thingie ;-)

Hi
It doesn't work here either. The only way we can get it to authenticate
or join the domain is to add:
I.P.ADD.RRESS f.q.d.n short-hostname
of the DC to /etc/hosts

Steve
Re: [Samba] objectClass:posixAccount missing
On 31/08/13 15:23, steve wrote:
> On Sat, 2013-08-31 at 11:47 +0200, Marc Muehlfeld wrote:
>>
>> On 31.08.2013 00:14, Luca Olivetti wrote:
>>> I'm still not 100% convinced that I need to migrate from samba 3 to
>>> samba 4, and once I am I have to explain it to my boss.
>>
>>
>> Samba 4 != AD only
>
> Hi
> I think the OP realises that. His main concern and problem was the usual
> confusion with winbind and the mystery surrounding rfc2307 and its
> representation in and out of AD.

Actually, my main concern is ensuring a smooth migration with limited
downtime. I think I have the windows machine covered (that's what the
classicupgrade does), but I have several other services authenticating
against ldap and getting users and groups information from it. They all
should work equally well against an AD style LDAP and "standard" LDAP,
but, as always, the devil is in the details.
Yes, I could probably run it as an NT style domain, and I don't exclude
the possibility, but while I'm at it I'd really like to simplify things
instead of having to manage separate samba+ldap+dns servers.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
Re: [Samba] objectClass:posixAccount missing
On 31/08/13 15:23, steve wrote:
> I feel we've made progress. Next time a winbind problem gets posted,
> we'll be able to refer to 3 democratically produced howtos. Thanks to
> Marc for listening to us and inviting us in on his howtos, Luca his
> patience in hearing us out 'till EOT and to Rowland for keeping me sane.
> OpenSource at its best.

An update on sssd+gssapi: I setup a client VM where I copied the keytab
and the sssd.conf of the server.
I got the same 'Server not found in Kerberos database' error.
I tried many things (adding the client address in samba 4 dns, install
samba 3 on the client and trying to join the domain, which, btw, I
didn't manage to do, trying to follow the instructions here
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server,
again, unsuccessfully, etc.).
What seems to have solved the problem has been setting the hostname to a
simple name without domain, e.g. changing it from "cliente.wetron.es" to
"cliente".
I really have to study this kerberos thingie ;-)

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
Re: [Samba] objectClass:posixAccount missing
On Sat, 2013-08-31 at 11:47 +0200, Marc Muehlfeld wrote:
>
> On 31.08.2013 00:14, Luca Olivetti wrote:
> > I'm still not 100% convinced that I need to migrate from samba 3 to
> > samba 4, and once I am I have to explain it to my boss.
>
>
> Samba 4 != AD only

Hi
I think the OP realises that. His main concern and problem was the usual
confusion with winbind and the mystery surrounding rfc2307 and its
representation in and out of AD. In this thread, we've thrashed the
merits of winbind, nslcd and sssd to hell and soon thanks to your good
self, we'll have readable howtos on all three. Let's see if that serves
to relieve the never ending series of posts highlighting the lack of
reliable, up to date and dare I say it plain English and readable
explanations of at least how to get started.

I feel we've made progress. Next time a winbind problem gets posted,
we'll be able to refer to 3 democratically produced howtos. Thanks to
Marc for listening to us and inviting us in on his howtos, Luca his
patience in hearing us out 'till EOT and to Rowland for keeping me sane.
OpenSource at its best.

Cheers,
Steve
Re: [Samba] objectClass:posixAccount missing
On Sat, 2013-08-31 at 00:14 +0200, Luca Olivetti wrote:
> On 30/08/13 23:44, steve wrote:
>
> > Interesting point; you've now sampled winbind, nslcd and sssd to the
> > same end. Have you made a decision as to which you'll be going with?
>
> Well, the real deployment will take some time (measured in months rather
> than weeks), I have a lot more to learn and I'm busy with other things.
> I'm still not 100% convinced that I need to migrate from samba 3 to
> samba 4, and once I am I have to explain it to my boss.
> Anyway I think I'll go with sssd, my unscientific tests (time getent,
> time id) tell me it's an order of magnitude faster than nslcd (both for
> uncached and cached data).
> winbind, I don't like it, for no particular reason. It also seems to
> be the slowest of the pack.

One site we run has 600 users all with rfc2307. The only way we can
getent the whole list is with sssd. I know it's a false test as I don't
suppose you'd ever need to do it, but with enumeration, winbind grinds to
around one user per minute after it's done around 200. Of course, those
blessed with modern hardware need only toss a 3 way coin.

Cheers,
Steve
Re: [Samba] objectClass:posixAccount missing
On 31.08.2013 00:14, Luca Olivetti wrote:
> I'm still not 100% convinced that I need to migrate from samba 3 to
> samba 4, and once I am I have to explain it to my boss.

Samba 4 != AD only

Samba 4 is the next version after the 3.6 tree and contains everything +
AD DC functionality. You can run Samba version 4 still as an NT4 domain
if you or your boss doesn't want to migrate to AD.

Regards,
Marc
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 23:14, Luca Olivetti wrote:
> On 30/08/13 23:44, steve wrote:
>> Interesting point; you've now sampled winbind, nslcd and sssd to the
>> same end. Have you made a decision as to which you'll be going with?
>
> Well, the real deployment will take some time (measured in months rather
> than weeks), I have a lot more to learn and I'm busy with other things.
> I'm still not 100% convinced that I need to migrate from samba 3 to
> samba 4, and once I am I have to explain it to my boss.
> Anyway I think I'll go with sssd, my unscientific tests (time getent,
> time id) tell me it's an order of magnitude faster than nslcd (both for
> uncached and cached data).
> winbind, I don't like it, for no particular reason. It also seems to
> be the slowest of the pack.

Hi, perhaps I can tell you something that will help you make your mind
up. Sometime in September, Samba 4.1 will be released, when it is, 4.0
will move to maintenance mode, 3.6 will only get security fixes and 3.5
will be discontinued. So, do you really want to be basing a new
installation on a version that is either discontinued or only getting
security fixes?

Rowland
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 18:42 +0200, Luca Olivetti wrote:
> On 30/08/13 18:15, steve wrote:
> > On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
> >> On 30/08/13 15:48, Luca Olivetti wrote:
> >>> On 30/08/13 11:41, Rowland Penny wrote:
> >>>
> >>>> OK, try this sssd.conf that I have altered for your setup, it is based
> >>>> on the sssd.conf on the machine that I am typing this on and it works,
> >>>> you just need the krb5.keytab that I told you how to create earlier.
> >>> That was
> >>>
> >>> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
> >>> Administrator
> >>>
> >>
> >
> > Hi
> > This command dumps the _whole_ of the database to the keytab, so you
> > must choose which key you are going to use for:
> > ldap_sasl_authid
>
> Oops, I was just following instructions :-/
> I promise that, when everything is working, I'll read all the relevant
> manpages (I usually do it _before_ blindly typing what's been suggested,
> but...)
> ;-)
>
> >
> > If you really do need all the keys there then could you send us a
> > sanitised dump of the keytab so we can decide a good key to use? And more
> > importantly one which is definitely present?
> >
> > klist -k /etc/krb5.keytab
> >
> > It is generally recommended to only dump the keys you need.
>
> Which it does with the --principal option, yes?
> (but, as I just learned, each command *adds* to the keytab, so I have to
> delete the file first).
> BTW, if I use --principal=nslcd-connect it is listed 3 times:
>
> # klist -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --
>    1 nslcd-conn...@wetron.es
>    1 nslcd-conn...@wetron.es
>    1 nslcd-conn...@wetron.es
>

Fine. We can now say that nslcd is both in the keytab and in the database
on the DC (otherwise it wouldn't have dumped the key there)
You have 3 entries corresponding to different encryption types. Use:
klist -ke
to see which they are. You don't need to know though.

> >
> > Have you dumped the Administrator key to the keytab? If it isn't in the
> > keytab it's not going to find a match either. Why not simply choose
> > something which you _do_ have?
> >
> > ldap_sasl_mech = gssapi
> > ldap_sasl_authid = something.you.do.have.in.the.keytab
> > ldap_krb5_keytab = /etc/krb5.keytab
>
> Again, I was following suggestions, anyway, both with -U and with
> --principal=nslcd-connect I was using an ldap_sasl_authid that was in
> the keytab (as per keytab -k), but the error is the same:
>
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
> mech: GSSAPI, user: nslcd-connect
> [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
> (-2)[Local error]
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
> message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Server not found in
> Kerberos database)]
>
> >
> > HTH to get us closer.
>
> I cannot thank you enough, but I feel I'm not getting any closer :-(

Well, let's see:
We can say for certain that /etc/krb5.keytab contains the key for
nslcd-connect
make sure you have:

ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-conn...@wetron.es
ldap_krb5_keytab = /etc/krb5.keytab

(note, I think you had a different keytab in an older post. Lose it.)

Next, can you resolve the kerberos SRV record:
host -t SRV _kerberos._udp.dc1.wetron.es.

What do you have for /etc/krb5.conf

What does:
sssd --version
give?

Cheers,
Steve
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 17:26, Luca Olivetti wrote:
> On 30/08/13 17:05, Rowland Penny wrote:
>> Correct, though I do not understand why you are using the full path to
>> samba-tool
> Because it's not in PATH

Then you need to alter your PATH environmental variable, I do this on
Ubuntu:
echo "PATH=/usr/local/samba/bin:/usr/local/samba/sbin:\$PATH" > /etc/profile.d/samba4.sh
export PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH

>> Where did you get samba4 from, did you compile it yourself?
> Yes
>> what version?
> 4.0.8 (4.0.9 wasn't yet available when I started the experiment)
>> what OS are you using, if you did compile it yourself, what packages
>> did you install before compiling.
> I'm using linux, mageia 3, I installed every -devel package providing
> the .h files I saw in ./configure output (minus libldb since the
> packaged one is not compatible with samba 4 and would produce a non
> working samba)

Then the package names needed to compile samba are probably the same as
RHEL:

gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils

The above was taken from:
https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Red_Hat_Enterprise_Linux_or_CentOS

Check that you have all the above installed and if not, install whatever
is missing and recompile samba 4

Also, it may help if you try another OS, no disrespect, but Mageia is not
really what I would call a server distro and is probably not used by many
people to run samba 4 on, so you will struggle to get precise help here
(ducks as thousands of people reply saying I use Mageia ;-) )

Rowland

>> You could try stopping sssd and then remove the sssd databases:
>> rm -f /var/lib/sss/db/*
>> (this is on Ubuntu)
> Already done
>> All I do is:
>> Export keytab:
>> samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator
> Done
>> Install sssd sssd-tools via package manager
> Done (well, actually I didn't install sssd-tools, but I did now and it
> changed nothing).
>> alter /etc/sssd/sssd.conf as per the one I supplied
>> remove the sssd databases
>> start sssd
> Done
> Maybe one of the post-install scripts in one of the ubuntu packages
> performs automatically one of the missing steps?
>
> Bye
> --
> Luca Olivetti
> Wetron Automation Technology http://www.wetron.es
> Tel. +34 935883004 Fax +34 935883007
Re: [Samba] objectClass:posixAccount missing
On Fri, Aug 30, 2013 at 08:14:56PM +0200, steve wrote:
> > Hi, How about this for an idea, get the OP to create a VM on Mageia,
> > install Ubuntu 12.04 or Centos 6.4 in it and then compile samba 4 on the
> > VM. Then setup winbind or nslcd or sssd on it, once this is working the
> > OP can work out how to get the setup to run on Mageia himself.
> >
> > Rowland
>
> Yep. +1 for the Ubuntu vm. We go for a git master because you can add
> rfc2307 via samba-tool. Aim: To produce a Samba4 stand alone DC with a
> single user. getent passwd user returns his rfc2307 from the directory.
> Any takers?

This is what my test setup is running now, however, it's using the Sernet
packages, not source.
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
> On 30/08/13 15:48, Luca Olivetti wrote:
> > On 30/08/13 11:41, Rowland Penny wrote:
> >
> >> OK, try this sssd.conf that I have altered for your setup, it is based
> >> on the sssd.conf on the machine that I am typing this on and it works,
> >> you just need the krb5.keytab that I told you how to create earlier.
> > That was
> >
> > /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
> > Administrator
> >
>

Hi
This command dumps the _whole_ of the database to the keytab, so you
must choose which key you are going to use for:
ldap_sasl_authid

If you really do need all the keys there then could you send us a
sanitised dump of the keytab so we can decide a good key to use? And more
importantly one which is definitely present?

klist -k /etc/krb5.keytab

It is generally recommended to only dump the keys you need.

> > [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
> > trying to select the most appropriate principal from keytab
> > [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
> > principal matching template.wetron...@wetron.es found in keytab.
> > [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
> > principal matching TEMPLATE$@WETRON.ES found in keytab.
> > [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
> > principal matching host/template.wetron...@wetron.es found in keytab.
> > [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
> > Selected principal: dept-66f575a885$@WETRON.ES
> > [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
> > name is: [dept-66f575a885$@WETRON.ES]
> > [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Using
> > keytab [default]
> > [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Will
> > canonicalize principals
> > [[sssd[ldap_child[8011]]]] [prepare_response] (0x0400): Building
> > response for result [0]
> > [[sssd[ldap_child[8011]]]] [main] (0x0400): ldap_child completed
> > successfully
> > [sssd[be[wetron.es]]] [read_pipe_handler] (0x0400): EOF received, client
> > finished
> > [sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
> > [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
> > [sssd[be[wetron.es]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> > [sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
> > mech: GSSAPI, user: (null)
> > [sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
> > (-2)[Local error]
> > [sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
> > message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> > failure. Minor code may provide more information (Server not found in
> > Kerberos database)]
>
> Where did you get samba4 from, did you compile it yourself? what
> version? what OS are you using, if you did compile it yourself, what
> packages did you install before compiling.
>
> > Note that I get the last error even if I add
> >
> > ldap_sasl_authid = Administrator
>

Have you dumped the Administrator key to the keytab? If it isn't in the
keytab it's not going to find a match either. Why not simply choose
something which you _do_ have?

ldap_sasl_mech = gssapi
ldap_sasl_authid = something.you.do.have.in.the.keytab
ldap_krb5_keytab = /etc/krb5.keytab

HTH to get us closer.

Cheers,
Steve
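Steve's advice in this message and in his follow-up ("klist -k", then "klist -ke" to see the encryption types, and an ldap_sasl_authid that is definitely in the keytab) boils down to one check: does the principal named in sssd.conf appear in the keytab? The following is an added example, not code from the thread or from sssd: it parses `klist -ke`-style output and an sssd.conf fragment passed in as text, so it runs offline. The sample keytab listing and conf are constructed from names that appear in the thread (the realm, the nslcd-connect principal and the machine account); the enctype list is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): check that the principal configured
# as ldap_sasl_authid in sssd.conf is present in the keytab, and show the
# encryption types it has, which is what `klist -ke` adds over `klist -k`.

# Constructed `klist -ke /etc/krb5.keytab` output. One line per enctype is
# why a principal exported once shows up three times. Principal names are
# taken from the thread; the enctypes are assumed.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nslcd-connect@WETRON.ES (aes256-cts-hmac-sha1-96)
   1 nslcd-connect@WETRON.ES (aes128-cts-hmac-sha1-96)
   1 nslcd-connect@WETRON.ES (arcfour-hmac)
   1 dept-66f575a885$@WETRON.ES (aes256-cts-hmac-sha1-96)'

# Constructed sssd.conf fragment with the three settings recommended above.
SAMPLE_SSSD_CONF='[domain/wetron.es]
ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-connect@WETRON.ES
ldap_krb5_keytab = /etc/krb5.keytab'

# keytab_principals KLIST_TEXT
# Prints each distinct principal in klist output, one per line. Only lines
# whose first field is a KVNO (a number) are key entries; the rest is header.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# keytab_enctypes KLIST_TEXT PRINCIPAL
# Prints the encryption types stored for PRINCIPAL, one per line (empty when
# the listing came from plain `klist -k`, which omits them).
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^[0-9]+$/ && $2 == p && NF >= 3 { t = $3; gsub(/[()]/, "", t); print t }'
}

# keytab_has_principal KLIST_TEXT PRINCIPAL -> exit 0 when present
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF -- "$2"
}

# sssd_authid CONF_TEXT
# Prints the value of ldap_sasl_authid from sssd.conf-style text.
sssd_authid() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*ldap_sasl_authid[[:space:]]*=[[:space:]]*//p' \
        | head -n 1
}

# check_authid_in_keytab CONF_TEXT KLIST_TEXT
# Exit 0 when the configured authid matches a keytab principal exactly.
# The match is on the full principal string, so "Administrator" alone will
# not match "Administrator@REALM"; put the full principal in sssd.conf.
check_authid_in_keytab() {
    authid=$(sssd_authid "$1")
    [ -n "$authid" ] || { echo "no ldap_sasl_authid set" >&2; return 1; }
    if keytab_has_principal "$2" "$authid"; then
        echo "ldap_sasl_authid '$authid' found in keytab, enctypes:" \
            $(keytab_enctypes "$2" "$authid")
        return 0
    fi
    echo "ldap_sasl_authid '$authid' NOT in keytab; principals present:" >&2
    keytab_principals "$2" >&2
    return 1
}

# Demonstration on the constructed inputs. Against a live host you would
# pass "$(klist -ke /etc/krb5.keytab)" and "$(cat /etc/sssd/sssd.conf)".
check_authid_in_keytab "$SAMPLE_SSSD_CONF" "$SAMPLE_KLIST"
```

Run as-is it reports the nslcd-connect principal with its three enctypes; swapping the conf line for `ldap_sasl_authid = Administrator` reproduces the mismatch Steve is asking about, and the listing of what the keytab actually holds is printed on stderr.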
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 21:53, Luca Olivetti wrote:
> On 30/08/13 21:49, steve wrote:
>> On Fri, 2013-08-30 at 20:45 +0200, Luca Olivetti wrote:
>>>
>>> Almost there...
>>
>> Well. Something is better than nothing, but we are still missing the
>> attributes coming from AD.
>> Regards,
>
> Yes, the SIGSEGV seems to be due to a problem with cyrus-sasl-2.1.25
>
> (for the non Spanish speaking audience: it seems that cyrus-sasl-2.1.25
> has a problem in gssapi.c causing a segfault)
>
> http://www.spinics.net/lists/cyrus-sasl/msg02004.html
>
> I'll try to build a version with the fix

Did it and it worked.
Lessons learned:
- make sure that the hostname is the same as the netbios name (or is
  there a parameter to make it work when they are different?)
- don't listen to people suggesting to switch distributions (I know how
  to debug/build things with mageia, I wouldn't know where to start with
  another one)
- try to learn how kerberos is supposed to work before trying to use it

Bye and thank you for your patience
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 21:53 +0200, Luca Olivetti wrote:
>
> http://www.spinics.net/lists/cyrus-sasl/msg02004.html
>
> I'll try to build a version with the fix
>

Good luck.
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.26.tar.gz
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 18:54, steve wrote:
> Well, let's see:
> We can say for certain that /etc/krb5.keytab contains the key for
> nslcd-connect
> make sure you have:
>
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = nslcd-conn...@wetron.es
> ldap_krb5_keytab = /etc/krb5.keytab
>
> (note, I think you had a different keytab in an older post. Lose it.)

Done

>
> Next, can you resolve the kerberos SRV record:
> host -t SRV _kerberos._udp.dc1.wetron.es.

It doesn't resolve, but _kerberos._udp.wetron.es. does

_kerberos._udp.wetron.es has SRV record 0 100 88 hp.wetron.es.

>
> What do you have for /etc/krb5.conf

[libdefaults]
default_realm = WETRON.ES
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
WETRON.ES = {
kdc = 192.168.4.101
admin_server = 192.168.4.101
}

>
> What does:
> sssd --version
> give?

1.9.4

In case it matters, sasl is 2.1.25, and I have the relevant plugins
installed:

# rpm -qa *sasl*
lib64sasl2-plug-sasldb-2.1.25-12.mga3
lib64sasl2-2.1.25-12.mga3
cyrus-sasl-2.1.25-12.mga3
lib64sasl2-plug-login-2.1.25-12.mga3
lib64sasl2-plug-plain-2.1.25-12.mga3
lib64sasl2-plug-ldapdb-2.1.25-12.mga3
lib64sasl2-plug-gssapi-2.1.25-12.mga3
lib64sasl2-devel-2.1.25-12.mga3

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 19:21 +0200, Luca Olivetti wrote:
> On 30/08/13 18:54, steve wrote:
>
> > Well, let's see:
> > We can say for certain that /etc/krb5.keytab contains the key for
> > nslcd-connect
> > make sure you have:
> >
> > ldap_sasl_mech = gssapi
> > ldap_sasl_authid = nslcd-conn...@wetron.es
> > ldap_krb5_keytab = /etc/krb5.keytab
> >
> > (note, I think you had a different keytab in an older post. Lose it.)
>
> Done
>
> >
> > Next, can you resolve the kerberos SRV record:
> > host -t SRV _kerberos._udp.dc1.wetron.es.
>
> It doesn't resolve, but _kerberos._udp.wetron.es. does
>
> _kerberos._udp.wetron.es has SRV record 0 100 88 hp.wetron.es.
>

That's good. Sorry, I didn't know your domain or hostnames

> >
> > What do you have for /etc/krb5.conf
>
> [libdefaults]
> default_realm = WETRON.ES
> dns_lookup_realm = true
> dns_lookup_kdc = true

Remove the [realms] section and change:
dns_lookup_realm = false
(I'm assuming that this is a single DC)

I also have:
cyrus-sasl-32bit

Now go through everything in the thread, clear everything
in /var/lib/sss/db/* and restart sssd. Make sure that nscd is not
running.

HTH
Steve
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 19:43, steve wrote:
> Now go through everything in the thread, clear everything
> in /var/lib/sss/db/* and restart sssd. Make sure that nscd is not
> running.

Almost there...

OK, I found the problem of the "server not found in kerberos database"
(well, actually it was google that found it):

http://technet.microsoft.com/en-us/library/bb463167.aspx

It turns out that the hostname didn't match the netbios name. I changed
the hostname to match and automagically that error disappeared.

I have a more serious problem now, hinting that maybe I need to
recompile sasl, i.e. I have a segfault (actually many) in it:

sssd_be[1795]: segfault at 0 ip 7f326fd66f7d sp 7fff2bd7afd0 error 6 in libgssapiv2.so[7f326fd64000+7000]

I'll keep trying

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
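Two host-naming rules come out of this thread: Luca's finding here that the hostname must match the NetBIOS name (the cause of "Server not found in Kerberos database"), and Steve's later point that `hostname -s` must return the bare name while `hostname -f` returns the fqdn, with /etc/hosts mapping both. The following is an added example, not code from the thread: three small POSIX sh checks that take the names as arguments, so they can be run against constructed values or against the live output of `hostname -s` / `hostname -f`. The sample /etc/hosts is constructed from the hostnames and DC address that appear in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): consistency checks for the naming
# rules discussed above. Inputs are arguments, so nothing here touches the
# real system unless you pass "$(hostname -s)" etc. yourself.

# check_hostname_split SHORT FQDN
# Exit 0 when SHORT has no domain part and FQDN is SHORT plus a domain.
check_hostname_split() {
    short=$1
    fqdn=$2
    case $short in
        "")  echo "short hostname is empty" >&2; return 1 ;;
        *.*) echo "short hostname '$short' contains a domain part" >&2; return 1 ;;
    esac
    case $fqdn in
        "$short".?*) return 0 ;;
        *) echo "fqdn '$fqdn' does not start with '$short.'" >&2; return 1 ;;
    esac
}

# check_netbios_match SHORT NETBIOS
# Exit 0 when the short host name equals the NetBIOS name ignoring case.
# NetBIOS names are limited to 15 characters, so longer names cannot match.
check_netbios_match() {
    up_short=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    up_nb=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ ${#up_nb} -le 15 ] || { echo "netbios name '$2' longer than 15 chars" >&2; return 1; }
    [ "$up_short" = "$up_nb" ]
}

# hosts_maps HOSTS_TEXT NAME
# Exit 0 and print the address when some non-comment line of /etc/hosts-
# style text lists NAME among its names; exit 1 otherwise.
hosts_maps() {
    printf '%s\n' "$1" | awk -v name="$2" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# Constructed /etc/hosts modelled on the lines posted in the thread; the DC
# name and address are the ones visible in the thread's SRV record and
# krb5.conf.
SAMPLE_HOSTS='127.0.0.1      localhost cliente.wetron.es
127.0.0.1      cliente
192.168.4.101  hp.wetron.es hp   # the DC'

# Demonstration on constructed values. For a real host:
#   check_hostname_split "$(hostname -s)" "$(hostname -f)"
#   check_netbios_match "$(hostname -s)" "$(testparm -s --parameter-name='netbios name' 2>/dev/null)"
#   hosts_maps "$(cat /etc/hosts)" "$(hostname -f)"
if check_hostname_split cliente cliente.wetron.es \
   && check_netbios_match cliente CLIENTE \
   && hosts_maps "$SAMPLE_HOSTS" hp.wetron.es >/dev/null; then
    echo "host naming is consistent"
fi
```

The second check is the one that would have flagged Luca's "cliente.wetron.es" hostname straight away: with the domain part present, the short name no longer equals the NetBIOS name CLIENTE, and Kerberos service-ticket lookups for the host fail.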
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 18:21, Luca Olivetti wrote:
> On 30/08/13 18:54, steve wrote:
>> Well, let's see:
>> We can say for certain that /etc/krb5.keytab contains the key for
>> nslcd-connect
>> make sure you have:
>>
>> ldap_sasl_mech = gssapi
>> ldap_sasl_authid = nslcd-conn...@wetron.es
>> ldap_krb5_keytab = /etc/krb5.keytab
>>
>> (note, I think you had a different keytab in an older post. Lose it.)
>
> Done
>
>> Next, can you resolve the kerberos SRV record:
>> host -t SRV _kerberos._udp.dc1.wetron.es.
>
> It doesn't resolve, but _kerberos._udp.wetron.es. does
>
> _kerberos._udp.wetron.es has SRV record 0 100 88 hp.wetron.es.
>
>> What do you have for /etc/krb5.conf
>
> [libdefaults]
> default_realm = WETRON.ES
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
> [realms]
> WETRON.ES = {
> kdc = 192.168.4.101
> admin_server = 192.168.4.101
> }
>
>> What does:
>> sssd --version
>> give?
>
> 1.9.4
>
> In case it matters, sasl is 2.1.25, and I have the relevant plugins
> installed:
>
> # rpm -qa *sasl*
> lib64sasl2-plug-sasldb-2.1.25-12.mga3
> lib64sasl2-2.1.25-12.mga3
> cyrus-sasl-2.1.25-12.mga3
> lib64sasl2-plug-login-2.1.25-12.mga3
> lib64sasl2-plug-plain-2.1.25-12.mga3
> lib64sasl2-plug-ldapdb-2.1.25-12.mga3
> lib64sasl2-plug-gssapi-2.1.25-12.mga3
> lib64sasl2-devel-2.1.25-12.mga3
>
> Bye

Hi, How about this for an idea, get the OP to create a VM on Mageia,
install Ubuntu 12.04 or Centos 6.4 in it and then compile samba 4 on the
VM. Then setup winbind or nslcd or sssd on it, once this is working the
OP can work out how to get the setup to run on Mageia himself.

Rowland
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 11:41, Rowland Penny wrote:
> OK, try this sssd.conf that I have altered for your setup, it is based
> on the sssd.conf on the machine that I am typing this on and it works,
> you just need the krb5.keytab that I told you how to create earlier.

That was

/usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
Administrator

yes?

[[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
trying to select the most appropriate principal from keytab
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching template.wetron...@wetron.es found in keytab.
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching TEMPLATE$@WETRON.ES found in keytab.
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching host/template.wetron...@wetron.es found in keytab.
[[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
Selected principal: dept-66f575a885$@WETRON.ES
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
name is: [dept-66f575a885$@WETRON.ES]
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Using
keytab [default]
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Will
canonicalize principals
[[sssd[ldap_child[8011]]]] [prepare_response] (0x0400): Building
response for result [0]
[[sssd[ldap_child[8011]]]] [main] (0x0400): ldap_child completed
successfully
[sssd[be[wetron.es]]] [read_pipe_handler] (0x0400): EOF received, client
finished
[sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
[sssd[be[wetron.es]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
mech: GSSAPI, user: (null)
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
(-2)[Local error]
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure. Minor code may provide more information (Server not found in
Kerberos database)]

Note that I get the last error even if I add

ldap_sasl_authid = Administrator

in sssd.conf (Of course in that case I don't get the "No principal
matching..." messages but the outcome is the same).

I suppose there is some additional step to perform (apart from
extracting the keytab).

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 15:48, Luca Olivetti wrote:
> On 30/08/13 11:41, Rowland Penny wrote:
>> OK, try this sssd.conf that I have altered for your setup, it is based
>> on the sssd.conf on the machine that I am typing this on and it works,
>> you just need the krb5.keytab that I told you how to create earlier.
> That was
>
> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator
>
> yes?

Correct, though I do not understand why you are using the full path to samba-tool

> [[sssd[ldap_child[8011 [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
> [[sssd[ldap_child[8011 [find_principal_in_keytab] (0x0400): No principal matching template.wetron...@wetron.es found in keytab.
> [[sssd[ldap_child[8011 [find_principal_in_keytab] (0x0400): No principal matching TEMPLATE$@WETRON.ES found in keytab.
> [[sssd[ldap_child[8011 [find_principal_in_keytab] (0x0400): No principal matching host/template.wetron...@wetron.es found in keytab.
> [[sssd[ldap_child[8011 [select_principal_from_keytab] (0x0200): Selected principal: dept-66f575a885$@WETRON.ES
> [[sssd[ldap_child[8011 [ldap_child_get_tgt_sync] (0x0100): Principal name is: [dept-66f575a885$@WETRON.ES]
> [[sssd[ldap_child[8011 [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
> [[sssd[ldap_child[8011 [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
> [[sssd[ldap_child[8011 [prepare_response] (0x0400): Building response for result [0]
> [[sssd[ldap_child[8011 [main] (0x0400): ldap_child completed successfully
> [sssd[be[wetron.es]]] [read_pipe_handler] (0x0400): EOF received, client finished
> [sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
> [sssd[be[wetron.es]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null)
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]

Where did you get samba4 from, did you compile it yourself? What version? What OS are you using? If you did compile it yourself, what packages did you install before compiling?

> Note that I get the last error even if I add
>
> ldap_sasl_authid = Administrator
>
> in sssd.conf

The sssd.conf I supplied is a known working one, all I changed is the domain name and server address from mine.

> (of course in that case I don't get the "No principal matching..." messages but the outcome is the same).
>
> I suppose there is some additional step to perform (apart from extracting the keytab).
>
> Bye

You could try stopping sssd and then remove the sssd databases: rm -f /var/lib/sss/db/* (this is on Ubuntu)

All I do is:
Export keytab: samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator
Install sssd sssd-tools via package manager
alter /etc/sssd/sssd.conf as per the one I supplied
remove the sssd databases
start sssd

It should now work, provided that the uidNumber, gidNumber, etc. are in each user's DN; you do not need the posix objectClasses.

Rowland
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 19:14, steve wrote:
> On Fri, 2013-08-30 at 18:58 +0100, Rowland Penny wrote:
>> On 30/08/13 18:21, Luca Olivetti wrote:
>>> On 30/08/13 18:54, steve wrote:
>>>> Well, let's see:
>>>> We can say for certain that /etc/krb5.keytab contains the key for nslcd-connect
>>>> make sure you have:
>>>>
>>>> ldap_sasl_mech = gssapi
>>>> ldap_sasl_authid = nslcd-conn...@wetron.es
>>>> ldap_krb5_keytab = /etc/krb5.keytab
>>>>
>>>> (note, I think you had a different keytab in an older post. Lose it.)
>>> Done
>>>
>>>> Next, can you resolve the kerberos SRV record:
>>>> host -t SRV _kerberos._udp.dc1.wetron.es.
>>> It doesn't resolve, but _kerberos._udp.wetron.es. does
>>>
>>> _kerberos._udp.wetron.es has SRV record 0 100 88 hp.wetron.es.
>>>
>>>> What do you have for /etc/krb5.conf
>>> [libdefaults]
>>> default_realm = WETRON.ES
>>> dns_lookup_realm = true
>>> dns_lookup_kdc = true
>>>
>>> [realms]
>>> WETRON.ES = {
>>>   kdc = 192.168.4.101
>>>   admin_server = 192.168.4.101
>>> }
>>>
>>>> What does:
>>>> sssd --version
>>>> give?
>>> 1.9.4
>>>
>>> In case it matters, sasl is 2.1.25, and I have the relevant plugins installed:
>>>
>>> # rpm -qa *sasl*
>>> lib64sasl2-plug-sasldb-2.1.25-12.mga3
>>> lib64sasl2-2.1.25-12.mga3
>>> cyrus-sasl-2.1.25-12.mga3
>>> lib64sasl2-plug-login-2.1.25-12.mga3
>>> lib64sasl2-plug-plain-2.1.25-12.mga3
>>> lib64sasl2-plug-ldapdb-2.1.25-12.mga3
>>> lib64sasl2-plug-gssapi-2.1.25-12.mga3
>>> lib64sasl2-devel-2.1.25-12.mga3
>>>
>>> Bye
>> Hi, how about this for an idea: get the OP to create a VM on Mageia, install Ubuntu 12.04 or Centos 6.4 in it and then compile samba 4 on the VM. Then setup winbind or nslcd or sssd on it; once this is working the OP can work out how to get the setup to run on Mageia himself.
>>
>> Rowland
> Yep. +1 for the Ubuntu vm. We go for a git master because you can add rfc2307 via samba-tool. Aim: To produce a Samba4 stand alone DC with a single user. getent passwd user returns his rfc2307 from the directory. Any takers?
> Steve

Hi Steve, the idea was for the OP to create the VM and we could talk him through setting up samba 4 on it.
I think that he may just be the only person in the world that is trying to use Mageia for samba 4, so we need to show him how to setup samba 4 on a main stream distro; this should then help him to work out where he is going wrong with his setup.

Rowland
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 20:45 +0200, Luca Olivetti wrote:
>
> Almost, almost...

Well, it's something, but we're still missing the attributes coming from AD.
Regards,
Steve
Re: [Samba] objectClass:posixAccount missing
On 30.08.2013 23:44, steve wrote:
> That's a good idea. Often, when we've been in production for a while without errors, we lose sight of what it was like at the beginning. If there's anything here or in my sssd howto you would change it would be great if you could let us have it as a real user who isn't averse to getting his hands dirty. It's always best when it's still fresh in your mind.

Today I continued working a bit on the sssd HowTo. I saw that you three had a long discussion while I was out. I'll try to catch the important stuff and include it in the HowTo. I think I will have finalized and re-validated everything by the beginning of next week.

Regards,
Marc
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 19:44 +0100, Rowland Penny wrote:
> On 30/08/13 19:14, steve wrote:
>> On Fri, 2013-08-30 at 18:58 +0100, Rowland Penny wrote:
>>> On 30/08/13 18:21, Luca Olivetti wrote:
>>>> On 30/08/13 18:54, steve wrote:
>>>>> Well, let's see:
>>>>> We can say for certain that /etc/krb5.keytab contains the key for nslcd-connect
>>>>> make sure you have:
>>>>>
>>>>> ldap_sasl_mech = gssapi
>>>>> ldap_sasl_authid = nslcd-conn...@wetron.es
>>>>> ldap_krb5_keytab = /etc/krb5.keytab
>>>>>
>>>>> (note, I think you had a different keytab in an older post. Lose it.)
>>>> Done
>>>>
>>>>> Next, can you resolve the kerberos SRV record:
>>>>> host -t SRV _kerberos._udp.dc1.wetron.es.
>>>> It doesn't resolve, but _kerberos._udp.wetron.es. does
>>>>
>>>> _kerberos._udp.wetron.es has SRV record 0 100 88 hp.wetron.es.
>>>>
>>>>> What do you have for /etc/krb5.conf
>>>> [libdefaults]
>>>> default_realm = WETRON.ES
>>>> dns_lookup_realm = true
>>>> dns_lookup_kdc = true
>>>>
>>>> [realms]
>>>> WETRON.ES = {
>>>>   kdc = 192.168.4.101
>>>>   admin_server = 192.168.4.101
>>>> }
>>>>
>>>>> What does:
>>>>> sssd --version
>>>>> give?
>>>> 1.9.4
>>>>
>>>> In case it matters, sasl is 2.1.25, and I have the relevant plugins installed:
>>>>
>>>> # rpm -qa *sasl*
>>>> lib64sasl2-plug-sasldb-2.1.25-12.mga3
>>>> lib64sasl2-2.1.25-12.mga3
>>>> cyrus-sasl-2.1.25-12.mga3
>>>> lib64sasl2-plug-login-2.1.25-12.mga3
>>>> lib64sasl2-plug-plain-2.1.25-12.mga3
>>>> lib64sasl2-plug-ldapdb-2.1.25-12.mga3
>>>> lib64sasl2-plug-gssapi-2.1.25-12.mga3
>>>> lib64sasl2-devel-2.1.25-12.mga3
>>>>
>>>> Bye
>>> Hi, how about this for an idea: get the OP to create a VM on Mageia, install Ubuntu 12.04 or Centos 6.4 in it and then compile samba 4 on the VM. Then setup winbind or nslcd or sssd on it; once this is working the OP can work out how to get the setup to run on Mageia himself.
>>>
>>> Rowland
>> Yep. +1 for the Ubuntu vm. We go for a git master because you can add rfc2307 via samba-tool. Aim: To produce a Samba4 stand alone DC with a single user. getent passwd user returns his rfc2307 from the directory. Any takers?
>> Steve
>
> Hi Steve, the idea was for the OP to create the VM and we could talk him through setting up samba 4 on it.
> I think that he may just be the only person in the world that is trying to use Mageia for samba 4, so we need to show him how to setup samba 4 on a main stream distro; this should then help him to work out where he is going wrong with his setup.
>
> Rowland

Yep. Let me know if I can help.
Cheers,
Steve
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 19:30 +0200, Luca Olivetti wrote:
> On 30/08/13 19:00, Rowland Penny wrote:
>>
>> The above was taken from:
>> https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Red_Hat_Enterprise_Linux_or_CentOS
>
> Yes, I read the wiki before starting, I have all the dependencies installed
>
>> Check that you have all the above installed and if not, install what ever is missing and recompile samba 4
>> Also, it may help if you try another OS, no disrespect, but Mageia is not really what I would call a server distro and is probably not used by many people to run samba 4 on, so you will struggle to get precise help here (ducks as thousands of people reply saying I use Mageia ;-) )
>
> Thank you, but I will do with generic help, I can perform the necessary "translations". I tried other distributions and I found them lacking (probably because I'm just used to mageia), usually the server packages in mageia (and mandriva before it) have been top notch, samba 4 is not packaged (yet) but it will be soon.

Just thinking out loud, but there have been problems with nslcd and I think winbind too before this. I don't know if this would be possible and I know that the devs would frown upon it, but maybe we've reached the time for a rebuild over bare metal. Rowland's suggestion of a recompile gets a +1 from me.

Cheers,
Steve
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 17:45 +0100, Rowland Penny wrote:
> Hi Steve, let's just get something to work for the OP first.

Agreed. It seems we now at least have a keytab that we can use for certain. Pls see my interim post.
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 21:49, steve wrote:
> On Fri, 2013-08-30 at 20:45 +0200, Luca Olivetti wrote:
>>
>> Almost, almost...
>
> Well, it's something, but we're still missing the attributes coming from AD.
> Regards,

Yes, the SIGSEGV seems to be due to a problem with cyrus-sasl-2.1.25
(for the non Spanish speaking audience: it seems that cyrus-sasl-2.1.25 has a problem in gssapi.c causing a segfault)

http://www.spinics.net/lists/cyrus-sasl/msg02004.html

I'll try to build a version with the fix

Bye
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 23:44, steve wrote:
> Interesting point; you've now sampled winbind, nslcd and sssd to the same end. Have you made a decision as to which you'll be going with?

Well, the real deployment will take some time (measured in months rather than weeks), I have a lot more to learn and I'm busy with other things. I'm still not 100% convinced that I need to migrate from samba 3 to samba 4, and once I am I have to explain it to my boss.

Anyway I think I'll go with sssd, my unscientific tests (time getent, time id) tell me it's an order of magnitude faster than nslcd (both for uncached and cached data).

winbind... I don't like it, for no particular reason. It also seems to be the slowest of the pack.

>
> Have a good weekend.

Likewise

Regards
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 22:28 +0200, Luca Olivetti wrote:
> On 30/08/13 22:18, Rowland Penny wrote:
>>
>> I take it that everything is now working ok and you can see all your users, if so, I suggest you write up how you did it and get it published somewhere.
>

Hi
That's a good idea. Often, when we've been in production for a while without errors, we lose sight of what it was like at the beginning. If there's anything here or in my sssd howto you would change it would be great if you could let us have it as a real user who isn't averse to getting his hands dirty. It's always best when it's still fresh in your mind.

> Actually both the configuration proposed by steve and yours were OK. The only problem was the hostname mismatch (causing the "server not found in kerberos database" error) and then a faulty cyrus-sasl library.
> I already filed a bug against the cyrus-sasl library in mageia.
>
> Thank you again.

Interesting point; you've now sampled winbind, nslcd and sssd to the same end. Have you made a decision as to which you'll be going with?

Have a good weekend.
Steve
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 21:28, Luca Olivetti wrote:
> On 30/08/13 22:18, Rowland Penny wrote:
>> The reason why I suggested that you try another distro is that, as far as I can see, nobody else uses Mageia on this list, at least nobody came forward offering help. If you had tried another distro like Ubuntu then other Ubuntu users could have helped from their experience.
> I understand that and I appreciate the time you took to help me, but I still prefer to stumble and learn by myself instead of just copypasting a recipe that's known working on distribution X. Because when distribution X+1 comes along and things break I would be none the wiser.

Ah, but if you had tried it on another distro and it worked, you would then know that it was not what you were doing that was at fault and that something was wrong on Mageia, but as you say, you got there in the end. I am also sure that you are feeling a lot better now that you have fixed the problem.

>> I take it that everything is now working ok and you can see all your users, if so, I suggest you write up how you did it and get it published somewhere.
> Actually both the configuration proposed by steve and yours were OK. The only problem was the hostname mismatch (causing the "server not found in kerberos database" error) and then a faulty cyrus-sasl library.
> I already filed a bug against the cyrus-sasl library in mageia.

Typical Unix, there are always several ways to do the same thing ;-)

Rowland

> Thank you again.
>
> Bye
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 22:18, Rowland Penny wrote:
> The reason why I suggested that you try another distro is that, as far as I can see, nobody else uses Mageia on this list, at least nobody came forward offering help. If you had tried another distro like Ubuntu then other Ubuntu users could have helped from their experience.

I understand that and I appreciate the time you took to help me, but I still prefer to stumble and learn by myself instead of just copypasting a recipe that's known working on distribution X. Because when distribution X+1 comes along and things break I would be none the wiser.

>
> I take it that everything is now working ok and you can see all your users, if so, I suggest you write up how you did it and get it published somewhere.

Actually both the configuration proposed by steve and yours were OK. The only problem was the hostname mismatch (causing the "server not found in kerberos database" error) and then a faulty cyrus-sasl library.
I already filed a bug against the cyrus-sasl library in mageia.

Thank you again.

Bye
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 21:10, Luca Olivetti wrote:
> On 30/08/13 21:53, Luca Olivetti wrote:
>> On 30/08/13 21:49, steve wrote:
>>> On Fri, 2013-08-30 at 20:45 +0200, Luca Olivetti wrote:
>>>> Almost, almost...
>>> Well, it's something, but we're still missing the attributes coming from AD.
>>> Regards,
>> Yes, the SIGSEGV seems to be due to a problem with cyrus-sasl-2.1.25
>> (for the non Spanish speaking audience: it seems that cyrus-sasl-2.1.25 has a problem in gssapi.c causing a segfault)
>> http://www.spinics.net/lists/cyrus-sasl/msg02004.html
>> I'll try to build a version with the fix
> Did it and it worked.
>
> Lessons learned:
>
> - make sure that the hostname is the same as the netbios name (or is there a parameter to make it work when they are different?)
> - don't listen to people suggesting to switch distributions (I know how to debug/build things with mageia, I wouldn't know where to start with another one)

The reason why I suggested that you try another distro is that, as far as I can see, nobody else uses Mageia on this list, at least nobody came forward offering help. If you had tried another distro like Ubuntu then other Ubuntu users could have helped from their experience.

I take it that everything is now working ok and you can see all your users, if so, I suggest you write up how you did it and get it published somewhere.

Rowland

> - try to learn how kerberos is supposed to work before trying to use it
>
> Bye and thank you for your patience
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 18:15, steve wrote:
> On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
>> On 30/08/13 15:48, Luca Olivetti wrote:
>>> On 30/08/13 11:41, Rowland Penny wrote:
>>>> OK, try this sssd.conf that I have altered for your setup, it is based on the sssd.conf on the machine that I am typing this on and it works, you just need the krb5.keytab that I told you how to create earlier.
>>> That was
>>>
>>> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator
>>>
>>
>
> Hi
> This command dumps the _whole_ of the database to the keytab, so you must choose which key you are going to use for:
> ldap_sasl_authid

Oops, I was just following instructions :-/
I promise that, when everything is working, I'll read all the relevant manpages (I usually do it _before_ blindly typing what's been suggested, but...) ;-)

>
> If you really do need all the keys there then could you send us a sanitised dump of the keytab so we can decide a good key to use? And more importantly one which is definitely present?
>
> klist -k /etc/krb5.keytab
>
> It is generally recommended to only dump the keys you need.

Which it does with the --principal option, yes? (but, as I just learned, each command *adds* to the keytab, so I have to delete the file first).
BTW, if I use --principal=nslcd-connect it is listed 3 times:

# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nslcd-conn...@wetron.es
   1 nslcd-conn...@wetron.es
   1 nslcd-conn...@wetron.es

>
> Have you dumped the Administrator key to the keytab? If it isn't in the keytab it's not going to find a match either. Why not simply choose something which you _do_ have?
>
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = something.you.do.have.in.the.keytab
> ldap_krb5_keytab = /etc/krb5.keytab

Again, I was following suggestions; anyway, both with -U and with --principal=nslcd-connect I was using an ldap_sasl_authid that was in the keytab (as per klist -k), but the error is the same:

[sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: nslcd-connect
[sssd[nss]] [client_recv] (0x0200): Client disconnected!
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]

> HTH to get us closer.

I cannot thank you enough, but I feel I'm not getting any closer :-(

Bye
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 17:05, Rowland Penny wrote:
> Correct, though I do not understand why you are using the full path to samba-tool

Because it's not in PATH

> Where did you get samba4 from, did you compile it yourself?

Yes

> what version?

4.0.8 (4.0.9 wasn't yet available when I started the experiment)

> what OS are you using, if you did compile it yourself, what packages did you install before compiling.

I'm using linux, mageia 3, I installed every -devel package providing the .h files I saw in ./configure output (minus libldb since the packaged one is not compatible with samba 4 and would produce a non working samba)

> You could try stopping sssd and then remove the sssd databases: rm -f /var/lib/sss/db/* (this is on Ubuntu)

Already done

>
> All I do is:
> Export keytab: samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator

Done

> Install sssd sssd-tools via package manager

Done (well, actually I didn't install sssd-tools, but I did now and it changed nothing).

> alter /etc/sssd/sssd.conf as per the one I supplied
> remove the sssd databases
> start sssd

Done

Maybe one of the post-install scripts in one of the ubuntu packages automatically performs one of the missing steps?

Bye
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 18:58 +0100, Rowland Penny wrote:
> On 30/08/13 18:21, Luca Olivetti wrote:
>> On 30/08/13 18:54, steve wrote:
>>
>>> Well, let's see:
>>> We can say for certain that /etc/krb5.keytab contains the key for nslcd-connect
>>> make sure you have:
>>>
>>> ldap_sasl_mech = gssapi
>>> ldap_sasl_authid = nslcd-conn...@wetron.es
>>> ldap_krb5_keytab = /etc/krb5.keytab
>>>
>>> (note, I think you had a different keytab in an older post. Lose it.)
>> Done
>>
>>> Next, can you resolve the kerberos SRV record:
>>> host -t SRV _kerberos._udp.dc1.wetron.es.
>> It doesn't resolve, but _kerberos._udp.wetron.es. does
>>
>> _kerberos._udp.wetron.es has SRV record 0 100 88 hp.wetron.es.
>>
>>
>>> What do you have for /etc/krb5.conf
>> [libdefaults]
>> default_realm = WETRON.ES
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>>
>> [realms]
>> WETRON.ES = {
>>   kdc = 192.168.4.101
>>   admin_server = 192.168.4.101
>> }
>>
>>
>>> What does:
>>> sssd --version
>>> give?
>> 1.9.4
>>
>> In case it matters, sasl is 2.1.25, and I have the relevant plugins installed:
>>
>> # rpm -qa *sasl*
>> lib64sasl2-plug-sasldb-2.1.25-12.mga3
>> lib64sasl2-2.1.25-12.mga3
>> cyrus-sasl-2.1.25-12.mga3
>> lib64sasl2-plug-login-2.1.25-12.mga3
>> lib64sasl2-plug-plain-2.1.25-12.mga3
>> lib64sasl2-plug-ldapdb-2.1.25-12.mga3
>> lib64sasl2-plug-gssapi-2.1.25-12.mga3
>> lib64sasl2-devel-2.1.25-12.mga3
>>
>> Bye
> Hi, how about this for an idea: get the OP to create a VM on Mageia, install Ubuntu 12.04 or Centos 6.4 in it and then compile samba 4 on the VM. Then setup winbind or nslcd or sssd on it; once this is working the OP can work out how to get the setup to run on Mageia himself.
>
> Rowland

Yep. +1 for the Ubuntu vm. We go for a git master because you can add rfc2307 via samba-tool. Aim: To produce a Samba4 stand alone DC with a single user. getent passwd user returns his rfc2307 from the directory. Any takers?
Steve
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 19:00, Rowland Penny wrote:
>
> The above was taken from:
> https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Red_Hat_Enterprise_Linux_or_CentOS

Yes, I read the wiki before starting, I have all the dependencies installed

>
> Check that you have all the above installed and if not, install what ever is missing and recompile samba 4
> Also, it may help if you try another OS, no disrespect, but Mageia is not really what I would call a server distro and is probably not used by many people to run samba 4 on, so you will struggle to get precise help here (ducks as thousands of people reply saying I use Mageia ;-) )

Thank you, but I will do with generic help, I can perform the necessary "translations". I tried other distributions and I found them lacking (probably because I'm just used to mageia), usually the server packages in mageia (and mandriva before it) have been top notch, samba 4 is not packaged (yet) but it will be soon.

Bye
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 17:15, steve wrote:
> On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
>> On 30/08/13 15:48, Luca Olivetti wrote:
>>> On 30/08/13 11:41, Rowland Penny wrote:
>>>> OK, try this sssd.conf that I have altered for your setup, it is based on the sssd.conf on the machine that I am typing this on and it works, you just need the krb5.keytab that I told you how to create earlier.
>>> That was
>>>
>>> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator
>
> Hi
> This command dumps the _whole_ of the database to the keytab, so you must choose which key you are going to use for:
> ldap_sasl_authid
>
> If you really do need all the keys there then could you send us a sanitised dump of the keytab so we can decide a good key to use? And more importantly one which is definitely present?
>
> klist -k /etc/krb5.keytab
>
> It is generally recommended to only dump the keys you need.

Hi Steve, let's just get something to work for the OP first.

>>> [[sssd[ldap_child[8011 [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
>>> [[sssd[ldap_child[8011 [find_principal_in_keytab] (0x0400): No principal matching template.wetron...@wetron.es found in keytab.
>>> [[sssd[ldap_child[8011 [find_principal_in_keytab] (0x0400): No principal matching TEMPLATE$@WETRON.ES found in keytab.
>>> [[sssd[ldap_child[8011 [find_principal_in_keytab] (0x0400): No principal matching host/template.wetron...@wetron.es found in keytab.
>>> [[sssd[ldap_child[8011 [select_principal_from_keytab] (0x0200): Selected principal: dept-66f575a885$@WETRON.ES
>>> [[sssd[ldap_child[8011 [ldap_child_get_tgt_sync] (0x0100): Principal name is: [dept-66f575a885$@WETRON.ES]
>>> [[sssd[ldap_child[8011 [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
>>> [[sssd[ldap_child[8011 [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
>>> [[sssd[ldap_child[8011 [prepare_response] (0x0400): Building response for result [0]
>>> [[sssd[ldap_child[8011 [main] (0x0400): ldap_child completed successfully
>>> [sssd[be[wetron.es]]] [read_pipe_handler] (0x0400): EOF received, client finished
>>> [sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
>>> [sssd[be[wetron.es]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
>>> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null)
>>> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
>>> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
>> Where did you get samba4 from, did you compile it yourself? What version? What OS are you using? If you did compile it yourself, what packages did you install before compiling?
>>> Note that I get the last error even if I add
>>>
>>> ldap_sasl_authid = Administrator
>
> Have you dumped the Administrator key to the keytab? If it isn't in the keytab it's not going to find a match either. Why not simply choose something which you _do_ have?
>
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = something.you.do.have.in.the.keytab
> ldap_krb5_keytab = /etc/krb5.keytab
>
> HTH to get us closer.
> Cheers,
> Steve
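The two things that bit in this thread (a hostname held as an FQDN, and an ldap_sasl_authid or machine principal that is not actually in the keytab) can be cross-checked before sssd is even started. The following checker is an added example, not code from the thread or from sssd; it runs over constructed sssd.conf and klist -k samples, and the full principal name nslcd-connect@WETRON.ES (obfuscated in the list archive) and the hostname values are assumptions.

```python
import re
from collections import Counter

# Constructed sample inputs modelled on the thread, not copied from it.
# The list archive shows the service principal as "nslcd-conn...@wetron.es";
# the full name used here is an assumption.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
krb5_realm = WETRON.ES
ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-connect
ldap_krb5_keytab = /etc/krb5.keytab
"""

# `klist -k /etc/krb5.keytab` as it looks after exportkeytab was run three
# times for the same principal (each run appends, as noted in the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nslcd-connect@WETRON.ES
   1 nslcd-connect@WETRON.ES
   1 nslcd-connect@WETRON.ES
   1 dept-66f575a885$@WETRON.ES
"""


def parse_sssd_conf(text):
    """Minimal INI parse of sssd.conf: {section: {key: value}}, comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def parse_klist(text):
    """Principals from `klist -k` output, one per keytab slot (duplicates kept)."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            entries.append(m.group(1))
    return entries


def check_hostnames(short, fqdn):
    """`hostname -s` must be the bare name and `hostname -f` that name plus the domain."""
    issues = []
    if "." in short:
        issues.append(("HOSTNAME_FQDN",
                       f"hostname -s returned '{short}'; /etc/hostname must hold only the short name"))
    if not fqdn.lower().startswith(short.split(".")[0].lower() + "."):
        issues.append(("HOSTNAME_MISMATCH",
                       f"hostname -f '{fqdn}' is not '{short}' plus a domain suffix"))
    return issues


def check_keytab(domain_conf, principals, short_host):
    """Does the keytab actually hold the principal sssd will ask for?"""
    issues = []
    if domain_conf.get("ldap_sasl_mech", "").lower() != "gssapi":
        return issues  # nothing Kerberos-related to check
    realm = domain_conf.get("krb5_realm", "")
    authid = domain_conf.get("ldap_sasl_authid")
    if authid:
        if "@" not in authid:
            authid = f"{authid}@{realm}"
        if authid not in principals:
            issues.append(("AUTHID_MISSING", f"ldap_sasl_authid '{authid}' is not in the keytab"))
    else:
        # Without ldap_sasl_authid sssd looks for the host's own principal, the
        # <HOST>$@REALM entry named in the "No principal matching" log lines.
        machine = f"{short_host.split('.')[0].upper()}$@{realm}"
        if machine not in principals:
            issues.append(("MACHINE_MISSING", f"no ldap_sasl_authid and '{machine}' is not in the keytab"))
    for principal, count in Counter(principals).items():
        if count > 1:
            issues.append(("KEYTAB_DUPLICATE",
                           f"'{principal}' appears {count} times: delete the keytab before re-exporting"))
    return issues


def diagnose(conf_text, klist_text, short_host, fqdn, domain="domain/default"):
    """Run every check and return the list of (code, message) findings."""
    conf = parse_sssd_conf(conf_text)
    principals = parse_klist(klist_text)
    return (check_hostnames(short_host, fqdn)
            + check_keytab(conf.get(domain, {}), principals, short_host))


if __name__ == "__main__":
    for code, msg in diagnose(SAMPLE_SSSD_CONF, SAMPLE_KLIST, "template", "template.wetron.es"):
        print(f"{code}: {msg}")
```

On a real host, feed it the output of `hostname -s`, `hostname -f`, `klist -k` and the live sssd.conf instead of the samples.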
Re: [Samba] objectClass:posixAccount missing
On 30/08/13 10:11, steve wrote:
> On Fri, 2013-08-30 at 00:34 +0200, Luca Olivetti wrote:
>> On 29/08/13 21:54, Rowland Penny wrote:
>> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf to ldap, so I thought your suggestion was working while it actually wasn't (same error with Administrator as with HP$). Bye
>>> Hi, I am replying to you on list, could you please post your sssd.conf and what version of sssd you are using, also what is your OS
>>
>> OK, now I got sssd working *but* without kerberos.
>
> Hi
> I'm not sure what you want. Is this now EOT or do you want to go on and debug to get gssapi?

Well, I'd like to get gssapi working

>
> If you wish to go on:
> samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=nslcd-connect
> (You may already have this from your nslcd config)

done

> Kill all nslcd processes.

done

>
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = nslcd-connect
> ldap_krb5_keytab = /etc/krb5.sssd.keytab

done, but when I try, say, "id oscar"

[sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(samAccountName=oscar)(objectclass=user))][dc=wetron,dc=es].
[sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Operations error(1), 2020: Operation unavailable without authentication
[sssd[be[default]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Operations error(1), 2020: Operation unavailable without authentication
[sssd[be[default]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Error d’Entrada/Sortida

> To get full benefit from sssd I'd recommend the latest version which has a proper AD backend. e.g. sssd version 1.11.1 gives you id and getent without requiring the posixAccount objectClass.

I don't need it even with the version I have.

Thank you
Bye
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 23:34, Luca Olivetti wrote:
> On 29/08/13 21:54, Rowland Penny wrote:
>>> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf to ldap, so I thought your suggestion was working while it actually wasn't (same error with Administrator as with HP$).
>>>
>>> Bye
>> Hi, I am replying to you on list, could you please post your sssd.conf and what version of sssd you are using, also what is your OS
>
> OK, now I got sssd working *but* without kerberos.
>
> The OS is Linux, mageia 3, sssd is 1.9.4, the sssd.conf is just like the one posted by steve (http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html) modified for my domain and with kerberos options commented out of the way:
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = default
>
> [nss]
>
> [pam]
>
> [domain/default]
> ldap_schema = rfc2307bis
> access_provider = simple
> enumerate = FALSE
> cache_credentials = true
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> #krb5_realm = WETRON.ES
> #krb5_server = hp.wetron.es
> #krb5_kpasswd = hp.wetron.es
> ldap_referrals = false
> ldap_uri = ldap://localhost/
> ldap_search_base = dc=wetron,dc=es
> #ldap_tls_cacertdir = /usr/local/samba/private/tls
> #ldap_id_use_start_tls = true
> ldap_user_object_class = user
> ldap_user_name = samAccountName
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_shell = loginShell
> ldap_group_object_class = group
> ldap_group_search_base = dc=wetron,dc=es
> ldap_group_name = cn
> ldap_group_member = member
> #ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*))
> #ldap_sasl_mech = gssapi
> #ldap_sasl_authid = nslcd-connect
> ##for the client use:
> ## ldap_sasl_authid=ALGORFA$
> #ldap_krb5_keytab = /etc/krb5.sssd.keytab
> #ldap_krb5_init_creds = true
> ldap_id_use_start_tls = false
> ldap_default_bind_dn = cn=nslcd-connect,cn=Users,dc=wetron,dc=es
> ldap_default_authtok_type = password
> ldap_default_authtok = ---
>
> Bye

OK, try this sssd.conf that I have altered for your setup, it is based on the sssd.conf on the machine that I am typing this on and it works, you just need the krb5.keytab that I told you how to create earlier.

[sssd]
config_file_version = 2
domains = wetron.es
services = nss, pam

[nss]

[pam]

[domain/wetron.es]
description = AD domain with Samba 4 server
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
krb5_server = hp.wetron.es
krb5_kpasswd = hp.wetron.es
krb5_realm = WETRON.ES
ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName

Rowland
Re: [Samba] objectClass:posixAccount missing
On Fri, 2013-08-30 at 00:34 +0200, Luca Olivetti wrote:
> On 29/08/13 21:54, Rowland Penny wrote:
>>> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf to ldap, so I thought your suggestion was working while it actually wasn't (same error with Administrator as with HP$).
>>>
>>> Bye
>> Hi, I am replying to you on list, could you please post your sssd.conf and what version of sssd you are using, also what is your OS
>
> OK, now I got sssd working *but* without kerberos.

Hi
I'm not sure what you want. Is this now EOT or do you want to go on and debug to get gssapi?

If you wish to go on:
samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=nslcd-connect
(You may already have this from your nslcd config)
Kill all nslcd processes.

ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-connect
ldap_krb5_keytab = /etc/krb5.sssd.keytab

To get full benefit from sssd I'd recommend the latest version which has a proper AD backend. e.g. sssd version 1.11.1 gives you id and getent without requiring the posixAccount objectClass.
1.11.1 is available here:
https://fedorahosted.org/released/sssd/sssd-1.11.0.tar.gz

Regards and good luck,
Steve
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 21:54, Rowland Penny wrote:
>> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf to ldap, so I thought your suggestion was working while it actually wasn't (same error with Administrator as with HP$).
>>
>> Bye
> Hi, I am replying to you on list, could you please post your sssd.conf and what version of sssd you are using, also what is your OS

OK, now I got sssd working *but* without kerberos.

The OS is Linux, mageia 3, sssd is 1.9.4, the sssd.conf is just like the one posted by steve (http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html) modified for my domain and with kerberos options commented out of the way:

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
ldap_schema = rfc2307bis
access_provider = simple
enumerate = FALSE
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
#krb5_realm = WETRON.ES
#krb5_server = hp.wetron.es
#krb5_kpasswd = hp.wetron.es
ldap_referrals = false
ldap_uri = ldap://localhost/
ldap_search_base = dc=wetron,dc=es
#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=wetron,dc=es
ldap_group_name = cn
ldap_group_member = member
#ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*))
#ldap_sasl_mech = gssapi
#ldap_sasl_authid = nslcd-connect
##for the client use:
## ldap_sasl_authid=ALGORFA$
#ldap_krb5_keytab = /etc/krb5.sssd.keytab
#ldap_krb5_init_creds = true
ldap_id_use_start_tls = false
ldap_default_bind_dn = cn=nslcd-connect,cn=Users,dc=wetron,dc=es
ldap_default_authtok_type = password
ldap_default_authtok = ---

Bye
-- 
Luca Olivetti
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 20:41, Luca Olivetti wrote:
> On 29/08/13 21:20, Rowland Penny wrote:
>> On 29/08/13 20:17, Luca Olivetti wrote:
>>> On 29/08/13 21:15, Luca Olivetti wrote:
>>>> On 29/08/13 21:02, Rowland Penny wrote:
>>>>> Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator'
>>>>
>>>> Thank you, that worked *but* we're back to square one: migrated users (with the posixAccount class) show up but new users don't.
>>>
>>> Oops, sorry, actually it didn't work, I forgot that in the meantime I changed nsswitch.conf to use ldap instead of nss :-(
>>>
>>> Bye
>>
>> Sorry but I am losing the plot here a bit, I thought because you wanted the keytab, you were now trying to get sssd to work.
>
> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf to ldap, so I thought your suggestion was working while it actually wasn't (same error with Administrator as with HP$).
>
> Bye

Hi, I am replying to you on list, could you please post your sssd.conf and what version of sssd you are using, also what is your OS

Rowland
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 20:17, Luca Olivetti wrote:
> On 29/08/13 21:15, Luca Olivetti wrote:
>> On 29/08/13 21:02, Rowland Penny wrote:
>>> Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator'
>>
>> Thank you, that worked *but* we're back to square one: migrated users (with the posixAccount class) show up but new users don't.
>
> Oops, sorry, actually it didn't work, I forgot that in the meantime I changed nsswitch.conf to use ldap instead of nss :-(
>
> Bye

Sorry but I am losing the plot here a bit, I thought because you wanted the keytab, you were now trying to get sssd to work.

Rowland
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 21:15, Luca Olivetti wrote:
> On 29/08/13 21:02, Rowland Penny wrote:
>> Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator'
>
> Thank you, that worked *but* we're back to square one: migrated users (with the posixAccount class) show up but new users don't.

Oops, sorry, actually it didn't work, I forgot that in the meantime I changed nsswitch.conf to use ldap instead of nss :-(

Bye
-- 
Luca Olivetti
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 21:02, Rowland Penny wrote:
> Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator'

Thank you, that worked *but* we're back to square one: migrated users (with the posixAccount class) show up but new users don't.

Bye
-- 
Luca Olivetti
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 19:17, Luca Olivetti wrote:
> On 29/08/13 12:06, steve wrote:
>> We have sssd covered here:
>> http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
>
> Well, that doesn't seem to be complete (at least to a kerberos newbie like me). For example, it's missing the step to create /etc/krb5.keytab
>
> I used
>
> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab --principal=HP$
>
> but then sssd complains that
>
> [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Principal name is: [HP$@WETRON.ES]
> [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Using keytab [/etc/krb5.keytab]
> [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
> [[sssd[ldap_child[2300 [prepare_response] (0x0400): Building response for result [0]
> [[sssd[ldap_child[2300 [main] (0x0400): ldap_child completed successfully
> [sssd[be[default]]] [read_pipe_handler] (0x0400): EOF received, client finished
> [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377842615]
> [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: HP$
> [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> [sssd[be[default]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
>
> BTW, installing sssd from rpm (mageia 3, which provides 1.9.4) causes locally built samba to not start anymore (since there is some conflicting library and samba will use the "bad" library in /usr/lib64 instead of the one under /usr/local/samba), so, in my specific case, I cannot really say 'you'll not believe how simple this is' ;-)
>
> nslcd seems simpler (at least I got it working)
>
> Bye

Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator'

Rowland
Re: [Samba] objectClass:posixAccount missing
On Thu, 2013-08-29 at 20:17 +0200, Luca Olivetti wrote:
> but then sssd complains that
>
> [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Principal name is: [HP$@WETRON.ES]
> [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Using keytab [/etc/krb5.keytab]
> [[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
> [[sssd[ldap_child[2300 [prepare_response] (0x0400): Building response for result [0]
> [[sssd[ldap_child[2300 [main] (0x0400): ldap_child completed successfully
> [sssd[be[default]]] [read_pipe_handler] (0x0400): EOF received, client finished
> [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377842615]
> [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: HP$
> [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> [sssd[be[default]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]

Oooof. Painful!
Marc's howto will be here soon:)
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 12:06, steve wrote:
> We have sssd covered here:
> http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html

Well, that doesn't seem to be complete (at least to a kerberos newbie like me). For example, it's missing the step to create /etc/krb5.keytab

I used

/usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab --principal=HP$

but then sssd complains that

[[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Principal name is: [HP$@WETRON.ES]
[[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Using keytab [/etc/krb5.keytab]
[[sssd[ldap_child[2300 [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
[[sssd[ldap_child[2300 [prepare_response] (0x0400): Building response for result [0]
[[sssd[ldap_child[2300 [main] (0x0400): ldap_child completed successfully
[sssd[be[default]]] [read_pipe_handler] (0x0400): EOF received, client finished
[sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377842615]
[sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: HP$
[sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
[sssd[be[default]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]

BTW, installing sssd from rpm (mageia 3, which provides 1.9.4) causes locally built samba to not start anymore (since there is some conflicting library and samba will use the "bad" library in /usr/lib64 instead of the one under /usr/local/samba), so, in my specific case, I cannot really say 'you'll not believe how simple this is' ;-)

nslcd seems simpler (at least I got it working)

Bye
-- 
Luca Olivetti
Re: [Samba] objectClass:posixAccount missing
On Thu, 2013-08-29 at 01:30 +0200, Marc Muehlfeld wrote:
> On 29.08.2013 00:10, Luca Olivetti wrote:
>>> Yeah, nslcd works well, but for AD functionality and speed, sssd is the only way to go for nss on Samba4 or any m$ server.
>>> Just my €0.02
>>
>> I'll try it. I only used nslcd because that's what was suggested in the samba wiki.
>
> The Winbind and sssd Howto isn't finished yet. Currently I don't have too much time, but I'm working on it. :-)

We have sssd covered here:
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html

sssd 1.11.1 was released today. I'll report back:)
HTH
Steve
Re: [Samba] objectClass:posixAccount missing
On 29/08/13 01:30, Marc Muehlfeld wrote:
> On 29.08.2013 00:10, Luca Olivetti wrote:
>>> Yeah, nslcd works well, but for AD functionality and speed, sssd is the only way to go for nss on Samba4 or any m$ server.
>>> Just my €0.02
>>
>> I'll try it. I only used nslcd because that's what was suggested in the samba wiki.
>
> The Winbind and sssd Howto isn't finished yet. Currently I don't have too much time, but I'm working on it. :-)

Don't worry, given that samba4 should work as a windows server, there are many tutorials that explain how to configure sssd against active directory (though my attempts so far have been unsuccessful).

Bye
-- 
Luca Olivetti
Re: [Samba] objectClass:posixAccount missing
On 29.08.2013 00:10, Luca Olivetti wrote:
>> Yeah, nslcd works well, but for AD functionality and speed, sssd is the only way to go for nss on Samba4 or any m$ server.
>> Just my €0.02
>
> I'll try it. I only used nslcd because that's what was suggested in the samba wiki.

The Winbind and sssd Howto isn't finished yet. Currently I don't have too much time, but I'm working on it. :-)

Regards,
Marc
Re: [Samba] objectClass:posixAccount missing
On 28/08/13 23:09, steve wrote:
> Yeah, nslcd works well, but for AD functionality and speed, sssd is the only way to go for nss on Samba4 or any m$ server.
> Just my €0.02

I'll try it. I only used nslcd because that's what was suggested in the samba wiki.

Bye
-- 
Luca Olivetti
Re: [Samba] objectClass:posixAccount missing
On Wed, 2013-08-28 at 20:18 +0200, Luca Olivetti wrote:
> On 28/08/13 20:11, steve wrote:
>> Hi
>> Without objectClass: posixAccount
>> you need the filter for nslcd.
>>
>> IOW, for AD, you either must add it yourself or use the nslcd filter.
>>
>> Windows does not need the objectClass. nslcd does unless you want to filter everything.
>
> Thank you, I thought that was the case.
> It's something that Marc will have to specify in the howto.

Hi
Yeah, nslcd works well, but for AD functionality and speed, sssd is the only way to go for nss on Samba4 or any m$ server.
Just my €0.02
Re: [Samba] objectClass:posixAccount missing
On 28/08/13 20:11, steve wrote:
> Hi
> Without objectClass: posixAccount
> you need the filter for nslcd.
>
> IOW, for AD, you either must add it yourself or use the nslcd filter.
>
> Windows does not need the objectClass. nslcd does unless you want to filter everything.

Thank you, I thought that was the case.
It's something that Marc will have to specify in the howto.

Bye
-- 
Luca Olivetti
Re: [Samba] objectClass:posixAccount missing
On Wed, 2013-08-28 at 19:15 +0200, Luca Olivetti wrote:
> On 28/08/13 13:43, steve wrote:
>>> 0.8.12 is not recent enough and those filters are needed.
>>
>> I'll try 0.8.12 later but I doubt it will have changed:
>
> I have 0.8.12
>
> $ rpm -q nss-pam-ldapd
> nss-pam-ldapd-0.8.12-3.mga3
>
> With the filter (aimaretti is a migrated user, pruebaunix is a new user)
>
> $ id aimaretti
> uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain Users),675(intranet),676(portal),507(devel)
> $ id pruebaunix
> uid=10069(pruebaunix) gid=513(Domain Users) grups=513(Domain Users),496(vcsa),675(intranet)
>
> Without the filter
>
> $ id aimaretti
> uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain Users),675(intranet),676(portal),507(devel)
> $ id pruebaunix
> id: pruebaunix: l’usuari no existeix
> $ LC_ALL=en id pruebaunix
> id: pruebaunix: no such user
>
> Do you think it's because I have specified a binddn and a bindpw?

Hi
Without objectClass: posixAccount
you need the filter for nslcd.

IOW, for AD, you either must add it yourself or use the nslcd filter.

Windows does not need the objectClass. nslcd does unless you want to filter everything.

HTH
Steve
Re: [Samba] objectClass:posixAccount missing
On 28/08/13 19:30, steve wrote:
> On Wed, 2013-08-28 at 19:15 +0200, Luca Olivetti wrote:
>> Without the filter
>>
>> $ id aimaretti
>> uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain Users),675(intranet),676(portal),507(devel)
>> $ id pruebaunix
>> id: pruebaunix: l’usuari no existeix
>> $ LC_ALL=en id pruebaunix
>> id: pruebaunix: no such user
>
> Hi
> OK then, so just compare the DN of aimaretti with that of pruebauinx.
>
> Post them here if you like:

OK, but just to avoid you the hassle of comparing the two, here is a summary of the differences:

* pruebaunix is missing the posixAccount objectClass, the description and homeDrive (though I don't think the last two are what's causing the problem and the missing posixAccount is normal AD behavior)
* pruebaunix has the following fields not present in aimaretti:
  - givenName
  - msSFU30Name
  - sn
  - uid
  - unixUserPassword
  - userPrincipalName

> ldbsearch --url=/usr/local/samba/private/sam.ldb cn=aimaretti

# record 1
dn: CN=aimaretti,CN=Users,DC=wetron,DC=es
cn: aimaretti
instanceType: 4
whenCreated: 20130816222436.0Z
whenChanged: 20130816222436.0Z
uSNCreated: 5300
name: aimaretti
objectGUID: cf69597e-c29e-4734-8fee-0c5f261593b9
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1375475485-2168029398-3937786652-3468
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: aimaretti
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=wetron,DC=es
pwdLastSet: 12911595683000
displayName: Alberto Aimaretti
homeDrive: U:
logonHours::
userAccountControl: 512
description: Usuario Wetron
uidNumber: 1234
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
unixHomeDirectory: /home/aimaretti
loginShell: /bin/false
gidNumber: 513
msSFU30NisDomain: wetron
uSNChanged: 5304
memberOf: CN=devel,CN=Users,DC=wetron,DC=es
memberOf: CN=intranet,CN=Users,DC=wetron,DC=es
memberOf: CN=portal,CN=Users,DC=wetron,DC=es
distinguishedName: CN=aimaretti,CN=Users,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/CN=Configuration,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=DomainDnsZones,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=ForestDnsZones,DC=wetron,DC=es

# returned 4 records
# 1 entries
# 3 referrals

> and
> ldbsearch --url=/usr/local/samba/private/sam.ldb cn=pruebaunix

# Referral
ref: ldap://wetron.es/CN=Configuration,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=DomainDnsZones,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=ForestDnsZones,DC=wetron,DC=es

# returned 3 records
# 0 entries
# 3 referrals

(oops, I forgot that this user has a space in the cn, and, no, that's not the problem, I have other users without a space in the cn; don't mind the OU, it was an unrelated test, other users under CN=Users work the same)

$ sudo /usr/local/samba/bin/ldbsearch --url=/usr/local/samba/private/sam.ldb cn="prueba unix"
# record 1
dn: CN=prueba unix,OU=kk,DC=wetron,DC=es
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: prueba unix
sn: unix
givenName: prueba
instanceType: 4
whenCreated: 20130827101804.0Z
uSNCreated: 7219
name: prueba unix
objectGUID: deb50617-08a6-4c98-8d81-73c0134514ee
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1375475485-2168029398-3937786652-4011
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pruebaunix
sAMAccountType: 805306368
userPrincipalName: pruebau...@wetron.es
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=wetron,DC=es
pwdLastSet: 13022072284000
userAccountControl: 512
msSFU30Name: pruebaunix
unixUserPassword: ABCD!efgh12345$67890
uid: pruebaunix
msSFU30NisDomain: wetron
loginShell: /bin/sh
unixHomeDirectory: /home/pruebaunix
uidNumber: 10069
displayName: pruebaunix
gidNumber: 513
memberOf: CN=intranet,CN=Users,DC=wetron,DC=es
memberOf: CN=brmuestra,CN=Users,DC=wetron,DC=es
whenChanged: 20130828004001.0Z
uSNChanged: 7249
distinguishedName: CN=prueba unix,OU=kk,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/CN=Configuration,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=DomainDnsZones,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=ForestDnsZones,DC=wetron,DC=es

# returned 4 records
# 1 entries
# 3 referrals

Bye
-- 
Luca Olivetti
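To make the difference between the two records concrete, here is an added example (not code from the thread or from nss-pam-ldapd) that applies nslcd's default passwd filter `(objectClass=posixAccount)` and the `(objectclass=user)` filter added to nslcd.conf earlier in the thread to trimmed copies of the two ldbsearch records above, and checks that the RFC 2307 attributes nslcd maps are present on both. The filter evaluator, the attribute list and the passwd-line mapping are this script's own simplifications.

```python
"""Which AD users does an nslcd passwd filter return?

Added example, not code from the thread or from nss-pam-ldapd. The two records
are trimmed from the ldbsearch output posted above; the filter evaluator and
the attribute mapping are this script's own simplifications.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]

# Trimmed copies of the two records above: a migrated user carrying objectClass
# posixAccount and a freshly created one without it. Both carry the RFC 2307 attributes.
SAMPLE_LDIF = """\
dn: CN=aimaretti,CN=Users,DC=wetron,DC=es
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: aimaretti
uidNumber: 1234
gidNumber: 513
unixHomeDirectory: /home/aimaretti
loginShell: /bin/false

dn: CN=prueba unix,OU=kk,DC=wetron,DC=es
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: pruebaunix
uidNumber: 10069
gidNumber: 513
unixHomeDirectory: /home/pruebaunix
loginShell: /bin/sh
"""

NSLCD_DEFAULT_PASSWD_FILTER = "(objectClass=posixAccount)"  # nss-pam-ldapd's built-in default
THREAD_PASSWD_FILTER = "(objectclass=user)"                   # the filter added to nslcd.conf in this thread
RFC2307_ATTRS = ("uidnumber", "gidnumber", "unixhomedirectory", "loginshell")


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, attribute names lower-cased."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def matches(entry: Entry, flt: str) -> bool:
    """Evaluate a subset of RFC 4515: (&..), (|..), (!..), (attr=value), (attr=*).
    Comparisons are case-insensitive, which is how AD matches objectClass values."""
    def parse(pos: int):
        if flt[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos} in {flt!r}")
        op = flt[pos + 1]
        if op in "&|!":
            pos, subs = pos + 2, []
            while flt[pos] == "(":
                pos, val = parse(pos)
                subs.append(val)
            result = all(subs) if op == "&" else any(subs) if op == "|" else not subs[0]
            return pos + 1, result  # step over the closing ')'
        end = flt.index(")", pos)
        attr, _, value = flt[pos + 1:end].partition("=")
        values = entry.get(attr.strip().lower(), [])
        if value == "*":  # presence test
            return end + 1, bool(values)
        return end + 1, any(v.lower() == value.lower() for v in values)
    pos, result = parse(0)
    if pos != len(flt):
        raise ValueError("trailing characters after filter")
    return result


def visible_users(entries: List[Entry], flt: str) -> List[str]:
    """sAMAccountNames that survive the given passwd filter."""
    return [e["samaccountname"][0] for e in entries if matches(e, flt)]


def missing_posix_attrs(entry: Entry) -> List[str]:
    """RFC 2307 attributes the entry lacks; empty means the mapping has all it needs."""
    return [a for a in RFC2307_ATTRS if a not in entry]


def passwd_line(entry: Entry) -> str:
    """Build the passwd entry under the thread's nslcd mapping (uid <- sAMAccountName,
    homeDirectory <- unixHomeDirectory); gecos is simply the account name here."""
    name = entry["samaccountname"][0]
    return ":".join([name, "*", entry["uidnumber"][0], entry["gidnumber"][0], name,
                     entry["unixhomedirectory"][0], entry["loginshell"][0]])


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for flt in (NSLCD_DEFAULT_PASSWD_FILTER, THREAD_PASSWD_FILTER):
        print(f"{flt:30} -> {visible_users(users, flt)}")
    for u in users:
        print(passwd_line(u), "missing:", missing_posix_attrs(u) or "nothing")
```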
Re: [Samba] objectClass:posixAccount missing
On Wed, 2013-08-28 at 19:15 +0200, Luca Olivetti wrote:
> Without the filter
>
> $ id aimaretti
> uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain Users),675(intranet),676(portal),507(devel)
> $ id pruebaunix
> id: pruebaunix: l’usuari no existeix
> $ LC_ALL=en id pruebaunix
> id: pruebaunix: no such user

Hi
OK then, so just compare the DN of aimaretti with that of pruebauinx.

Post them here if you like:

ldbsearch --url=/usr/local/samba/private/sam.ldb cn=aimaretti

and

ldbsearch --url=/usr/local/samba/private/sam.ldb cn=pruebaunix

Cheers,
Steve
Re: [Samba] objectClass:posixAccount missing
On 28/08/13 13:43, steve wrote:
>> 0.8.12 is not recent enough and those filters are needed.
>
> I'll try 0.8.12 later but I doubt it will have changed:

I have 0.8.12

$ rpm -q nss-pam-ldapd
nss-pam-ldapd-0.8.12-3.mga3

With the filter (aimaretti is a migrated user, pruebaunix is a new user)

$ id aimaretti
uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain Users),675(intranet),676(portal),507(devel)
$ id pruebaunix
uid=10069(pruebaunix) gid=513(Domain Users) grups=513(Domain Users),496(vcsa),675(intranet)

Without the filter

$ id aimaretti
uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain Users),675(intranet),676(portal),507(devel)
$ id pruebaunix
id: pruebaunix: l’usuari no existeix
$ LC_ALL=en id pruebaunix
id: pruebaunix: no such user

Do you think it's because I have specified a binddn and a bindpw?

Bye
-- 
Luca Olivetti
Re: [Samba] objectClass:posixAccount missing
On Wed, 2013-08-28 at 13:17 +0200, Luca Olivetti wrote:
> On 28/08/13 09:58, steve wrote:
>>> filter passwd (objectclass=user)
>>>
>>> to /etc/nslcd.conf
>>>
>>> and that gave me the missing users.
>>> I suppose I should add also a
>>>
>>> filter group (objectclass=group)
> [...]
>> With recent versions of nslcd, neither of the filters are needed and serve only to slow down lookups. All that is needed is:
>
> 0.8.12 is not recent enough and those filters are needed.

I'll try 0.8.12 later but I doubt it will have changed:

- - -
hh16:/home/steve # samba --version
Version 4.2.0pre1-GIT-617c647
hh16:/home/steve # nslcd --version
nss-pam-ldapd 0.8.10

uid nslcd-user
gid nslcd-user
uri ldap://hh3.site
base dc=hh3,dc=site
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/nslcd.tkt

hh16:/home/steve # k5start -v -f /etc/krb5.keytab -U -o nslcd-user -K 360 -k /tmp/nslcd.tkt &
hh16:/home/steve # getent passwd
...
steve2:*:321:20513:steve2:/home/users/steve2:/bin/bash
steve3:*:322:20513:steve3:/home/users/steve3:/bin/bash
...
- - -

Cheers,
Steve
Re: [Samba] objectClass:posixAccount missing
On 28/08/13 09:58, steve wrote:
>> filter passwd (objectclass=user)
>>
>> to /etc/nslcd.conf
>>
>> and that gave me the missing users.
>> I suppose I should add also a
>>
>> filter group (objectclass=group)
[...]
> With recent versions of nslcd, neither of the filters are needed and serve only to slow down lookups. All that is needed is:

0.8.12 is not recent enough and those filters are needed.

Bye
-- 
Luca Olivetti
Re: [Samba] objectClass:posixAccount missing
On 27/08/13 23:06, Luca Olivetti wrote:
> On 27/08/13 23:02, Rowland Penny wrote:
>> If nslcd needs the posix objectclasses, then that is their bug, windows does not use them so Samba 4 doesn't either.
>
> I wouldn't be so sure, since many (all?) of the attributes specified by rfc2307 are not needed by windows but are there for compatibility with unix.
> I don't know what a real windows server does, but it seems it can work with nslcd, see, e.g., here
>
> https://help.ubuntu.com/community/ADWin2k8KerberosLDAP
>
> "This document has been tested on Windows Server 2008 and Ubuntu 10.04."
>
> Bye

If nslcd wants to work with AD, it has to play by AD rules, and AD does not use the posix objectclasses. If you want proof of this, create a user with samba-tool, go to a windows pc with ADUC and add the posix attributes. Now go back to the samba4 AD DC and examine the user's DN, you will not find the posix objectclasses, but you will find uidNumber etc.

Rowland
Re: [Samba] objectClass:posixAccount missing
On Wed, 2013-08-28 at 00:30 +0200, Luca Olivetti wrote:
> On 27/08/13 23:56, Gary Greene wrote:
>> If you set it up with '--use-rfc2307', nslcd needs configured as though it is talking to an SFU 3.5 DC. The RFC 2307bis attributes never add additional classes to the AD member objects, even in an SFU environment.
>
> Thank you, that gave me a hint: I added a
>
> filter passwd (objectclass=user)
>
> to /etc/nslcd.conf
>
> and that gave me the missing users.
> I suppose I should add also a
>
> filter group (objectclass=group)
>
> for groups.
>
> Note that those filters are also, e.g. here
> https://help.ubuntu.com/community/ADWin2k8KerberosLDAP
>
> but I overlooked them.

With recent versions of nslcd, neither of the filters are needed and serve only to slow down lookups. All that is needed is:

uid nslcd
gid nslcd
uri ldap://your.f.q.d.n
base dc=foo,dc=bar
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm SOME.REALM
krb5_ccname /tmp/nslcd.tkt

hth to speed things up a little.
Steve
Re: [Samba] objectClass:posixAccount missing
On Wed, 2013-08-28 at 00:06 +0200, Luca Olivetti wrote:
> On 27/08/13 23:02, Rowland Penny wrote:
>> If nslcd needs the posix objectclasses, then that is their bug, windows
>> does not use them so Samba 4 doesn't either.
>
> I wouldn't be so sure, since many (all?) of the attributes specified by
> rfc2307 are not needed by windows but are there for compatibility with unix.
> I don't know what a real windows server does, but it seems it can work
> with nslcd, see, e.g., here
>
> https://help.ubuntu.com/community/ADWin2k8KerberosLDAP
>
> "This document has been tested on Windows Server 2008 and Ubuntu 10.04."

2008 does not add the posixAccount nor posixGroup classes. Samba4 uses the same schema. You can add them if you wish but they will be ignored. nslcd works with both 2008 and Samba4 with exactly the same nslcd.conf, but be sure to use version 0.8.10 or above, which contains all the AD stuff.

HTH
Steve
Re: [Samba] objectClass:posixAccount missing
On 27/08/13 23:56, Gary Greene wrote:
> If you set it up with '--use-rfc2307', nslcd needs configured as though it is
> talking to an SFU 3.5 DC. The RFC 2307bis attributes never add additional
> classes to the AD member objects, even in an SFU environment.

Thank you, that gave me a hint: I added a

filter passwd (objectclass=user)

to /etc/nslcd.conf and that gave me the missing users.
I suppose I should also add a

filter group (objectclass=group)

for groups.

Note that those filters are also, e.g., here
https://help.ubuntu.com/community/ADWin2k8KerberosLDAP

but I overlooked them.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004
Fax +34 935883007
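Why the stock nslcd passwd filter returns nothing against AD, and why a bare '(objectclass=user)' filter still does not turn every AD account into a POSIX user, as an added Python example (not code from the thread or from nslcd). The directory entries are constructed; nslcd's stock filter '(objectClass=posixAccount)' is the default documented in nslcd.conf(5), and the uidNumber check mirrors nslcd skipping entries that lack a required attribute.

```python
import re

# Constructed sample of what the DC returns for two AD users and one group:
# RFC 2307 attributes are present, the posixAccount/posixGroup classes are not.
ENTRIES = [
    {"dn": "CN=luca,CN=Users,DC=wetron,DC=es",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["luca"], "uidNumber": ["10001"], "gidNumber": ["10000"],
     "unixHomeDirectory": ["/home/luca"]},
    {"dn": "CN=Administrator,CN=Users,DC=wetron,DC=es",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["Administrator"]},   # no RFC 2307 attributes at all
    {"dn": "CN=Domain Users,CN=Users,DC=wetron,DC=es",
     "objectClass": ["top", "group"], "sAMAccountName": ["Domain Users"],
     "gidNumber": ["10000"]},
]

_EQ = re.compile(r"^\(([A-Za-z][\w-]*)=([^()]*)\)$")

def matches(entry, ldap_filter):
    """Evaluate a subset of RFC 4515: equality items composed with &, | and !.
    Attribute names and values compare case-insensitively, as LDAP does."""
    f = ldap_filter.strip()
    if f[1] in "&|!":
        subs, depth, start = [], 0, 2
        for i, ch in enumerate(f[2:-1], start=2):   # split top-level sub-filters
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                subs.append(f[start:i + 1])
                start = i + 1
        results = [matches(entry, s) for s in subs]
        return not results[0] if f[1] == "!" else {"&": all, "|": any}[f[1]](results)
    m = _EQ.match(f)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value = m.group(1).lower(), m.group(2).lower()
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    return any(value == str(v).lower() for v in values)

def passwd_names(entries, ldap_filter="(objectClass=posixAccount)"):
    """Account names nslcd would expose via NSS for a given 'filter passwd'.
    The default argument is nslcd's stock filter, which never matches an AD
    user. Entries lacking uidNumber are skipped, as nslcd skips entries with a
    missing required attribute, so '(objectclass=user)' does not turn every
    AD account into a POSIX account."""
    return sorted(e["sAMAccountName"][0] for e in entries
                  if matches(e, ldap_filter) and "uidNumber" in e)
```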
Re: [Samba] objectClass:posixAccount missing
On 27/08/13 23:02, Rowland Penny wrote:
> If nslcd needs the posix objectclasses, then that is their bug, windows
> does not use them so Samba 4 doesn't either.

I wouldn't be so sure, since many (all?) of the attributes specified by rfc2307 are not needed by windows but are there for compatibility with unix.
I don't know what a real windows server does, but it seems it can work with nslcd, see, e.g., here

https://help.ubuntu.com/community/ADWin2k8KerberosLDAP

"This document has been tested on Windows Server 2008 and Ubuntu 10.04."

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004
Fax +34 935883007
Re: [Samba] objectClass:posixAccount missing
If you set it up with '--use-rfc2307', nslcd needs configured as though it is talking to an SFU 3.5 DC. The RFC 2307bis attributes never add additional classes to the AD member objects, even in an SFU environment.
--
Gary L. Greene, Jr.
Sr. Systems Administrator
IT Operations
Minerva Networks, Inc.
Cell: (650) 704-6633

From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf of Rowland Penny [rowlandpe...@googlemail.com]
Sent: Tuesday, August 27, 2013 02:02 PM
To: samba@lists.samba.org
Subject: Re: [Samba] objectClass:posixAccount missing

On 27/08/13 19:56, Luca Olivetti wrote:
> On 27/08/13 20:46, steve wrote:
>> On Tue, 2013-08-27 at 20:11 +0200, Marc Muehlfeld wrote:
>>
>>> Do posixAccount/posixGroup
>>> objectClasses have to be there normally?
>> No. With the AD schema, you can use all of rfc2307 without the need for
>> the objectclasses which define them. Just add the attributes.
> But then nslcd doesn't see them (and, yes, I removed the filters you
> talked about in your previous message, I will worry later about sasl):

If nslcd needs the posix objectclasses, then that is their bug, windows does not use them so Samba 4 doesn't either.

>
> pagesize 1000
> referrals off
>
> map passwd homeDirectory UnixHomeDirectory
> map passwd uid samAccountName
>
> uid nslcd
> gid ldap
>
> uri ldap://127.0.0.1:389
> base cn=Users,dc=wetron,dc=es #also tried dc=wetron,dc=es
>
> binddn cn=nslcd-connect,cn=Users,dc=wetron,dc=es
> bindpw ---
>
> Bye

Have you tried 'uri ldap://:389' ?

Rowland
Re: [Samba] objectClass:posixAccount missing
On 27/08/13 19:56, Luca Olivetti wrote:
> On 27/08/13 20:46, steve wrote:
>> On Tue, 2013-08-27 at 20:11 +0200, Marc Muehlfeld wrote:
>>> Do posixAccount/posixGroup
>>> objectClasses have to be there normally?
>> No. With the AD schema, you can use all of rfc2307 without the need for
>> the objectclasses which define them. Just add the attributes.
> But then nslcd doesn't see them (and, yes, I removed the filters you
> talked about in your previous message, I will worry later about sasl):

If nslcd needs the posix objectclasses, then that is their bug, windows does not use them so Samba 4 doesn't either.

> pagesize 1000
> referrals off
>
> map passwd homeDirectory UnixHomeDirectory
> map passwd uid samAccountName
>
> uid nslcd
> gid ldap
>
> uri ldap://127.0.0.1:389
> base cn=Users,dc=wetron,dc=es #also tried dc=wetron,dc=es
>
> binddn cn=nslcd-connect,cn=Users,dc=wetron,dc=es
> bindpw ---
>
> Bye

Have you tried 'uri ldap://:389' ?

Rowland
Re: [Samba] objectClass:posixAccount missing
On 27/08/13 20:46, steve wrote:
> On Tue, 2013-08-27 at 20:11 +0200, Marc Muehlfeld wrote:
>
>> Do posixAccount/posixGroup
>> objectClasses have to be there normally?
>
> No. With the AD schema, you can use all of rfc2307 without the need for
> the objectclasses which define them. Just add the attributes.

But then nslcd doesn't see them (and, yes, I removed the filters you talked about in your previous message, I will worry later about sasl):

pagesize 1000
referrals off

map passwd homeDirectory UnixHomeDirectory
map passwd uid samAccountName

uid nslcd
gid ldap

uri ldap://127.0.0.1:389
base cn=Users,dc=wetron,dc=es #also tried dc=wetron,dc=es

binddn cn=nslcd-connect,cn=Users,dc=wetron,dc=es
bindpw ---

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004
Fax +34 935883007
Re: [Samba] objectClass:posixAccount missing
On Tue, 2013-08-27 at 20:11 +0200, Marc Muehlfeld wrote:
> Do posixAccount/posixGroup
> objectClasses have to be there normally?

No. With the AD schema, you can use all of rfc2307 without the need for the objectclasses which define them. Just add the attributes.

HTH
Steve