[Samba] objectClass:posixAccount missing
Rowland Penny
rowlandpenny at googlemail.com
Fri Aug 30 09:05:27 MDT 2013
On 30/08/13 15:48, Luca Olivetti wrote:
> On 30/08/13 11:41, Rowland Penny wrote:
>
>> OK, try this sssd.conf that I have altered for your setup, it is based
>> on the sssd.conf on the machine that I am typing this on and it works,
>> you just need the krb5.keytab that I told you how to create earlier.
> That was
>
> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
> Administrator
>
> yes?
Correct, though I do not understand why you are using the full path to
samba-tool.
> [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
> trying to select the most appropriate principal from keytab
> [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
> principal matching template.wetron.es at WETRON.ES found in keytab.
> [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
> principal matching TEMPLATE$@WETRON.ES found in keytab.
> [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
> principal matching host/template.wetron.es at WETRON.ES found in keytab.
> [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
> Selected principal: dept-66f575a885$@WETRON.ES
> [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
> name is: [dept-66f575a885$@WETRON.ES]
> [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Using
> keytab [default]
> [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Will
> canonicalize principals
> [[sssd[ldap_child[8011]]]] [prepare_response] (0x0400): Building
> response for result [0]
> [[sssd[ldap_child[8011]]]] [main] (0x0400): ldap_child completed
> successfully
> [sssd[be[wetron.es]]] [read_pipe_handler] (0x0400): EOF received, client
> finished
> [sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
> [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
> [sssd[be[wetron.es]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
> mech: GSSAPI, user: (null)
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
> (-2)[Local error]
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
> message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Server not found in
> Kerberos database)]
>
Where did you get samba4 from? Did you compile it yourself? What
version? What OS are you using? If you did compile it yourself, what
packages did you install before compiling?
> Note that I get the last error even if I add
>
> ldap_sasl_authid = Administrator
>
> in sssd.conf
The sssd.conf I supplied is a known working one; all I changed was the
domain name and server address from mine.
> (Of course in that case I don't get the "No principal matching..."
> messages but the outcome is the same).
>
> I suppose there is some additional step to perform (apart from
> extracting the keytab).
>
>
> Bye
You could try stopping sssd and then removing the sssd databases: rm -f
/var/lib/sss/db/* (this is on Ubuntu).
All I do is:
Export keytab: samba-tool domain exportkeytab /etc/krb5.keytab -U
Administrator
Install sssd and sssd-tools via the package manager
Alter /etc/sssd/sssd.conf as per the one I supplied
Remove the sssd databases
Start sssd
It should now work, provided that the uidNumber, gidNumber, etc. are in
each user's DN; you do not need the posix objectClasses.
Rowland
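As an added example (not part of the thread, and not Samba or SSSD code): a small shell check to run between the "export keytab" and "start sssd" steps above. It parses `klist -k` output and looks for the principal forms the quoted debug log shows ldap_child trying for this host (`<fqdn>@REALM`, `<HOST>$@REALM`, `host/<fqdn>@REALM`), so a keytab that only holds other machine accounts is caught before sssd falls back to one of them and the bind fails. The hostname, realm and sample keytab listings are constructed from the values in the quoted log.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that a keytab holds a principal
# SSSD can select for this host; the candidate forms are those the quoted
# ldap_child log shows it trying. Returns 0 if one is present, 1 otherwise,
# printing the principals it did find so a mismatch is visible.
# Real usage: check_keytab_principals "$(klist -k /etc/krb5.keytab)" template.wetron.es WETRON.ES
check_keytab_principals() {
    klist_out=$1
    fqdn=$2
    realm=$3
    # Short host name, upper-cased, as used in the machine-account form HOST$@REALM.
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    # Skip klist's three header lines and keep only the principal column.
    principals=$(printf '%s\n' "$klist_out" | awk 'NR>3 {print $2}')
    for cand in "$fqdn@$realm" "$short\$@$realm" "host/$fqdn@$realm"; do
        if printf '%s\n' "$principals" | grep -Fxq -- "$cand"; then
            echo "OK: keytab contains $cand"
            return 0
        fi
    done
    echo "WARN: no principal for $fqdn in keytab; found instead:" >&2
    printf '%s\n' "$principals" | sed 's/^/  /' >&2
    return 1
}

# Constructed sample klist -k output: no entry for this host, only another
# machine account (the situation the quoted log reflects).
SAMPLE_BAD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dept-66f575a885$@WETRON.ES
   1 DEPT-66F575A885$@WETRON.ES'

# Constructed sample klist -k output: the host's own account and service principal present.
SAMPLE_GOOD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 TEMPLATE$@WETRON.ES
   1 host/template.wetron.es@WETRON.ES'

# Demo on the constructed samples.
check_keytab_principals "$SAMPLE_GOOD" template.wetron.es WETRON.ES
check_keytab_principals "$SAMPLE_BAD"  template.wetron.es WETRON.ES || echo "fix the keytab before starting sssd"
```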