[Samba] objectClass:posixAccount missing

Rowland Penny rowlandpenny at googlemail.com
Thu Aug 29 13:02:53 MDT 2013


On 29/08/13 19:17, Luca Olivetti wrote:
> On 29/08/13 12:06, steve wrote:
>
>> We have sssd covered here:
>> http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
> Well, that doesn't seem to be complete (at least to a Kerberos newbie
> like me).
>
> For example, it's missing the step to create /etc/krb5.keytab
> I used
>
> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab
> --principal=HP$
>
> but then sssd complains that
>
> [[sssd[ldap_child[2300]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
> name is: [HP$@WETRON.ES]
> [[sssd[ldap_child[2300]]]] [ldap_child_get_tgt_sync] (0x0100): Using
> keytab [/etc/krb5.keytab]
> [[sssd[ldap_child[2300]]]] [ldap_child_get_tgt_sync] (0x0100): Will
> canonicalize principals
> [[sssd[ldap_child[2300]]]] [prepare_response] (0x0400): Building
> response for result [0]
> [[sssd[ldap_child[2300]]]] [main] (0x0400): ldap_child completed
> successfully
> [sssd[be[default]]] [read_pipe_handler] (0x0400): EOF received, client
> finished
> [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
> [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377842615]
> [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech:
> gssapi, user: HP$
> [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
> (-2)[Local error]
> [sssd[be[default]]] [sasl_bind_send] (0x0080): Extended failure message:
> [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Server not found in Kerberos
> database)]
>
>
> BTW, installing sssd from rpm (mageia 3, which provides 1.9.4) causes
> locally built samba to not start anymore (since there is some
> conflicting library and samba will use the "bad" library in /usr/lib64
> instead of the one under /usr/local/samba), so, in my specific case, I
> cannot really say 'you'll not believe how simple this is' ;-)
>
> nslcd seems simpler (at least I got it working)
>
>
> Bye
Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U 
Administrator'

Rowland
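
An added example, not part of the original message and not sssd's own code: a short Python script that rejoins the hard-wrapped, quoted sssd debug lines above and pulls out the principal, the keytab, the ldap_child result and the GSSAPI minor message, so the ticket-acquisition step and the SASL bind step can be read separately. The names `unwrap`, `summarize` and `FIELDS` are this example's own, and the sample is a subset of the quoted log.

```python
import re

# Constructed sample: a subset of the sssd debug lines quoted in the message,
# kept with their e-mail quoting ("> ") and hard line wraps.
SAMPLE = """\
> [[sssd[ldap_child[2300]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
> name is: [HP$@WETRON.ES]
> [[sssd[ldap_child[2300]]]] [ldap_child_get_tgt_sync] (0x0100): Using
> keytab [/etc/krb5.keytab]
> [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
> [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377842615]
> [sssd[be[default]]] [sasl_bind_send] (0x0080): Extended failure message:
> [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Server not found in Kerberos
> database)]
"""

RECORD_START = re.compile(r"^\[+sssd\[")  # a new log record, not a wrapped tail
RECORD = re.compile(r"\] \[(\w+)\] \((0x[0-9a-fA-F]+)\): (.*)$")

FIELDS = [  # (sssd function, pattern in its message, key in the summary)
    ("ldap_child_get_tgt_sync", r"Principal name is: \[(.+?)\]", "principal"),
    ("ldap_child_get_tgt_sync", r"Using keytab \[(.+?)\]", "keytab"),
    ("sdap_get_tgt_recv", r"Child responded: (\d+)", "tgt_result"),
    ("sasl_bind_send", r"Minor code may provide more information \((.+?)\)", "gss_minor"),
]

def unwrap(text):
    """Strip '> ' quoting and rejoin hard-wrapped lines into one record each."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if line and (RECORD_START.match(line) or not records):
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def summarize(text):
    """Collect the fields named in FIELDS from the unwrapped records."""
    info = {key: None for _, _, key in FIELDS}
    for rec in unwrap(text):
        m = RECORD.search(rec)
        if not m:
            continue
        func, _level, msg = m.groups()
        for want, pattern, key in FIELDS:
            hit = re.search(pattern, msg) if func == want else None
            if hit:
                info[key] = hit.group(1)
    return info
```

On the quoted log, `summarize(SAMPLE)` returns `tgt_result` of `'0'` alongside the GSSAPI minor message, that is, ldap_child reported success with the keytab before the SASL bind failed.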


