[Samba] objectClass:posixAccount missing

steve steve at steve-ss.com
Fri Aug 30 10:54:34 MDT 2013


On Fri, 2013-08-30 at 18:42 +0200, Luca Olivetti wrote:
> Al 30/08/13 18:15, En/na steve ha escrit:
> > On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
> >> On 30/08/13 15:48, Luca Olivetti wrote:
> >>> Al 30/08/13 11:41, En/na Rowland Penny ha escrit:
> >>>
> >>>> OK, try this sssd.conf that I have altered for your setup, it is based
> >>>> on the sssd.conf on the machine that I am typing this on and it works,
> >>>> you just need the krb5.keytab that I told you how to create earlier.
> >>> That was
> >>>
> >>> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
> >>> Administrator
> >>>
> >>
> > 
> > Hi
> > This command dumps the _whole_ of the database to the keytab, so you
> > must choose which key you are going to use for:
> > ldap_sasl_authid
> 
> Oops, I was just following instructions :-/
> I promise that, when everything is working, I'll read all the relevant
> manpages (I usually do it _before_ blindly typing what's been suggested,
> but...)
> ;-)
> 
> > 
> > If you really do need all the keys there then could you send us a
> > sanitised dump of the keytab so we can decide a good key to use? And more
> > importantly one which is definitely present?
> > 
> > klist -k /etc/krb5.keytab
> > 
> > It is generally recommended to only dump the keys you need. 
> 
> Which it does with the --principal option, yes?
> (but, as I just learned, each command *adds* to the keytab, so I have to
> delete the file first).
> BTW, if I use  --principal=nslcd-connect it is listed 3 times:
> 
> # klist -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 nslcd-connect at WETRON.ES
>    1 nslcd-connect at WETRON.ES
>    1 nslcd-connect at WETRON.ES
> 

Fine. We can now say that nslcd is both in the keytab and in the database
on the DC (otherwise it wouldn't have dumped the key there).
You have 3 entries corresponding to different encryption types. Use:
klist -ke 
to see which they are. You don't need to know though.
> > 
> > Have you dumped the Administrator key to the keytab?  If it isn't in the
> > keytab it's not going to find a match either. Why not simply choose
> > something which you _do_ have?
> > 
> > ldap_sasl_mech = gssapi
> > ldap_sasl_authid = something.you.do.have.in.the.keytab
> > ldap_krb5_keytab = /etc/krb5.keytab
> 
> Again, I was following suggestions, anyway, both with -U and with
> --principal=nslcd-connect I was using an ldap_sasl_authid that was in
> the keytab (as per keytab -k), but the error is the same:
> 
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
> mech: GSSAPI, user: nslcd-connect
> [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
> (-2)[Local error]
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
> message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Server not found in
> Kerberos database)]
> 
> 
> > HTH to get us closer.
> 
> I cannot thank you enough, but I feel I'm not getting any closer :-(

OK, let's see:
We can say for certain that /etc/krb5.keytab contains the key for
nslcd-connect
make sure you have:

ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-connect at WETRON.ES
ldap_krb5_keytab = /etc/krb5.keytab

(note, I think you had a different keytab in an older post. Lose it.)

Next, can you resolve the kerberos SRV record:
host -t SRV _kerberos._udp.dc1.wetron.es.

What do you have for /etc/krb5.conf

What does:
sssd --version 
give?

Cheers,
Steve
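Added example, not part of the thread or of sssd/Samba: a small POSIX sh helper that does the cross-check Steve is asking for, namely that the principal set as ldap_sasl_authid is really present in the keytab named by ldap_krb5_keytab (duplicate klist lines are just the different encryption types). The config text, keytab listing, paths and the RUN_LIVE switch are constructed placeholders modelled on the thread; the live part assumes klist and host are installed and that the DNS domain is the realm in lower case.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread): confirm that the principal
# configured as ldap_sasl_authid exists in the keytab sssd will open.
# All paths and sample data below are constructed placeholders.

# Print the first value of key $1 found in the sssd.conf text given as $2.
sssd_get() {
    printf '%s\n' "$2" \
        | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' \
        | head -n 1
}

# Return 0 if principal $1 appears in the "klist -k" output given as $2.
# An authid written without "@REALM" matches on the name part only, since
# sssd then appends the default realm from krb5.conf. Entry lines are the
# ones starting with a KVNO number; repeated lines are other enctypes.
principal_in_keytab() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^[0-9]+$/ {
            name = $2; sub(/@.*/, "", name)
            if ($2 == p || (index(p, "@") == 0 && name == p)) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Cross-check: the authid in config text $1 must be present in keytab text $2.
# Prints a verdict and returns 0/1 so it can be used from other scripts.
check_authid() {
    authid=$(sssd_get ldap_sasl_authid "$1")
    if [ -z "$authid" ]; then
        echo "ldap_sasl_authid is not set"; return 1
    fi
    if principal_in_keytab "$authid" "$2"; then
        echo "OK: $authid is in the keytab"; return 0
    fi
    echo "MISSING: $authid is not in the keytab; entries present:"
    printf '%s\n' "$2" | awk '$1 ~ /^[0-9]+$/ {print "  " $2}' | sort -u
    return 1
}

# Constructed sample data, modelled on the thread (offline self-check).
SAMPLE_CONF='[domain/wetron.es]
ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-connect@WETRON.ES
ldap_krb5_keytab = /etc/krb5.keytab'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nslcd-connect@WETRON.ES
   1 nslcd-connect@WETRON.ES
   1 nslcd-connect@WETRON.ES'

check_authid "$SAMPLE_CONF" "$SAMPLE_KLIST"

# Live mode (RUN_LIVE=1): read the real config and keytab, then resolve the
# SRV record the client needs to locate the KDC (assumes DNS domain = realm).
if [ "${RUN_LIVE:-0}" = 1 ]; then
    conf=$(cat "${SSSD_CONF:-/etc/sssd/sssd.conf}")
    keytab=$(sssd_get ldap_krb5_keytab "$conf")
    check_authid "$conf" "$(klist -k "${keytab:-/etc/krb5.keytab}")"
    realm=$(sssd_get ldap_sasl_authid "$conf" | sed -n 's/.*@//p' | tr 'A-Z' 'a-z')
    [ -n "$realm" ] && host -t SRV "_kerberos._udp.$realm"
fi
```

Run it as-is to see the offline self-check pass; run it as root with RUN_LIVE=1 to check the real sssd.conf and keytab. A MISSING verdict lists what the keytab actually holds, which is the quickest way to pick an authid that is "definitely present".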
