[Samba] objectClass:posixAccount missing

Rowland Penny rowlandpenny at googlemail.com
Fri Aug 30 09:05:27 MDT 2013


On 30/08/13 15:48, Luca Olivetti wrote:
> Al 30/08/13 11:41, En/na Rowland Penny ha escrit:
>
>> OK, try this sssd.conf that I have altered for your setup, it is based
>> on the sssd.conf on the machine that I am typing this on and it works,
>> you just need the krb5.keytab that I told you how to create earlier.
> That was
>
> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
> Administrator
>
> yes?
Correct, though I do not understand why you are using the full path to 
samba-tool

> [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
> trying to select the most appropriate principal from keytab
> [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
> principal matching template.wetron.es at WETRON.ES found in keytab.
> [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
> principal matching TEMPLATE$@WETRON.ES found in keytab.
> [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
> principal matching host/template.wetron.es at WETRON.ES found in keytab.
> [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
> Selected principal: dept-66f575a885$@WETRON.ES
> [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
> name is: [dept-66f575a885$@WETRON.ES]
> [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Using
> keytab [default]
> [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Will
> canonicalize principals
> [[sssd[ldap_child[8011]]]] [prepare_response] (0x0400): Building
> response for result [0]
> [[sssd[ldap_child[8011]]]] [main] (0x0400): ldap_child completed
> successfully
> [sssd[be[wetron.es]]] [read_pipe_handler] (0x0400): EOF received, client
> finished
> [sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
> [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
> [sssd[be[wetron.es]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
> mech: GSSAPI, user: (null)
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
> (-2)[Local error]
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
> message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Server not found in
> Kerberos database)]
>
Where did you get samba4 from? Did you compile it yourself? What 
version? What OS are you using? If you did compile it yourself, what 
packages did you install before compiling?

> Note that I get the last error even if I add
>
> ldap_sasl_authid = Administrator
>
> in sssd.conf
The sssd.conf I supplied is a known working one, all I changed is the 
domain name and server address from mine.

> (Of course in that case I don't get the "No principal matching..."
> messages but the outcome is the same).
>
> I suppose there is some additional step to perform (apart from
> extracting the keytab).
>
>
> Bye
You could try stopping sssd and then remove the sssd databases: rm -f 
/var/lib/sss/db/* (this is on Ubuntu)

All I do is:
Export keytab: samba-tool domain exportkeytab /etc/krb5.keytab -U 
Administrator
Install sssd sssd-tools via package manager
alter /etc/sssd/sssd.conf as per the one I supplied
remove the sssd databases
start sssd

It should now work, provided that the uidNumber, gidNumber, etc. are in 
each user's DN; you do not need the posix objectClasses.

Rowland
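The ldap_child log above shows SSSD trying three principal names from the keytab (fqdn@REALM, HOST$@REALM, host/fqdn@REALM) before falling back to whatever else is there. The following script is an added check, not part of this thread or of Samba/SSSD: it parses `klist -k` output and reports which of those candidates the keytab actually contains, so the exportkeytab step can be verified before starting sssd. The sample `klist` output is constructed to mirror the situation in the log.

```python
"""Check whether /etc/krb5.keytab holds a principal SSSD can select for
its GSSAPI bind.  Candidate names follow the order seen in the ldap_child
debug log: <fqdn>@REALM, <HOST>$@REALM, host/<fqdn>@REALM.
Assumes the entry-line layout of MIT `klist -k` ("KVNO  principal")."""
from __future__ import annotations
import re
import subprocess

# One entry line of `klist -k`: a key version number, then the principal.
KLIST_ENTRY = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")

# Constructed sample mirroring the log: only the fallback machine account.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   1 dept-66f575a885$@WETRON.ES
   1 Administrator@WETRON.ES
"""


def parse_klist(output: str) -> set[str]:
    """Return the set of principal names listed by `klist -k`."""
    return {m.group(1) for line in output.splitlines()
            if (m := KLIST_ENTRY.match(line))}


def candidate_principals(fqdn: str, realm: str) -> list[str]:
    """The names SSSD tries, in the order shown in the debug log."""
    short = fqdn.split(".")[0].upper()
    return [f"{fqdn}@{realm}", f"{short}$@{realm}", f"host/{fqdn}@{realm}"]


def check_keytab(klist_output: str, fqdn: str, realm: str) -> dict:
    """Split the keytab's principals into matched / missing / other."""
    present = parse_klist(klist_output)
    wanted = candidate_principals(fqdn, realm)
    return {"matched": [p for p in wanted if p in present],
            "missing": [p for p in wanted if p not in present],
            "other": sorted(present - set(wanted))}


def check_live_keytab(path: str, fqdn: str, realm: str) -> dict:
    """Same check against a real keytab file (requires MIT klist)."""
    out = subprocess.run(["klist", "-k", path], check=True,
                         capture_output=True, text=True).stdout
    return check_keytab(out, fqdn, realm)


if __name__ == "__main__":
    for key, value in check_keytab(SAMPLE_KLIST, "template.wetron.es",
                                   "WETRON.ES").items():
        print(f"{key}: {value}")
```

If `matched` comes back empty, SSSD will bind with one of the `other` principals (or needs `ldap_sasl_authid` set), which is exactly the state the quoted log shows.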

