[Samba] sssd problems after dc1 is no longer online

mourik jan heupink - merit heupink at merit.unu.edu
Wed Jul 23 13:24:04 MDT 2014


Hi all,

I hope that this request for help will be the last one, for a while to 
come. Today, sernet support helped me sort out our DC mess, and they did 
a great job. However, sssd no longer works, and I hope someone here can 
help out.

We used to have DC1, DC2 and DC3. DC1 was the classic-upgraded, first, 
'original' DC, and had to be shut down, unfortunately. So only DC2 and 
DC3 remain.

The domain seems to work nicely, however, sssd doesn't find my users 
anymore.

Here is a debug_level 8 log: http://pastebin.com/hRwNjRyh

Could someone tell me where the problem is? I'm guessing this logline is 
not good:

(Wed Jul 23 21:04:44 2014) [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_SAMBA.COMPANY.COM], expired on [1406178284]

But:
root@epo:/var/log/sssd# kinit -k -t /etc/krb5.sssd.keytab 'EPO$@SAMBA.COMPANY.COM'

root@epo:/var/log/sssd# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: EPO$@SAMBA.COMPANY.COM

Valid starting    Expires           Service principal
23/07/2014 21:03  24/07/2014 07:03  krbtgt/SAMBA.COMPANY.COM@SAMBA.COMPANY.COM
        renew until 24/07/2014 21:03

Also: kinit heupink asks for my password and creates a ticket 
successfully.

So, many things seem to work... But logging on (over ssh or remote 
desktop) does not. Auth.log tells me:
Jul 23 21:04:44 epo sssd_be: canonuserfunc error -7
Jul 23 21:04:44 epo sssd_be: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Jul 23 21:04:44 epo sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
Jul 23 21:04:47 epo xrdp-sesman: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=heupink
Jul 23 21:04:47 epo xrdp-sesman: pam_sss(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=heupink
Jul 23 21:04:47 epo xrdp-sesman: pam_sss(xrdp-sesman:auth): received for user heupink: 9 (Authentication service cannot retrieve authentication info)

Finally, here is my sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = default

# enable or disable the below
# debug_level = 3
# debug_level = 5
debug_level = 8
[nss]

[pam]

[domain/default]
debug_level = 8

ldap_schema = rfc2307bis
id_provider = ldap
access_provider = simple
ldap_referrals = false
ldap_force_upper_case_realm = true

# on large directories, you may want to disable enumeration for performance reasons
# enumerate = true

auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = EPO$@SAMBA.COMPANY.COM
krb5_realm = SAMBA.COMPANY.COM
#krb5_server = dc2.samba.company.com, dc3.samba.company.com
krb5_server = x.y.143.15, x.y.143.16
#krb5_kpasswd = dc2.samba.company.com, dc3.samba.company.com
krb5_kpasswd = x.y.143.15, x.y.143.16
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_krb5_init_creds = true

ldap_uri = ldap://x.y.143.15, ldap://x.y.143.16
ldap_search_base = dc=samba,dc=merit,dc=unu,dc=edu

ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell

ldap_group_object_class = group
ldap_group_name = cn
ldap_group_member = member

I hope this is enough info, and one of the sssd gurus here can assist. 
Again: everything worked while dc1 was online, things stopped working 
when it was taken offline.

Kind regards,
Mourik Jan
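One check a defender can run against a configuration like the one in this post, added here as an example and not part of the original thread: it parses the [domain/default] section and flags a GSSAPI bind whose ldap_uri names the servers by IP literal (the client requests the service principal ldap/<host>@REALM for the host written in the URI, so an IP literal only reaches a registered SPN via reverse DNS) or whose ldap_sasl_authid realm differs from krb5_realm. The sample configuration is constructed from the post, with RFC 5737 documentation addresses in place of the redacted x.y.143.* values.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed sample mirroring the post's [domain/default] (abridged); the
# redacted x.y.143.* addresses are replaced with RFC 5737 documentation IPs.
SAMPLE_SSSD_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = EPO$@SAMBA.COMPANY.COM
krb5_realm = SAMBA.COMPANY.COM
krb5_server = 192.0.2.15, 192.0.2.16
ldap_uri = ldap://192.0.2.15, ldap://192.0.2.16
ldap_krb5_keytab = /etc/krb5.sssd.keytab
"""

def ldap_hosts(uri_list):
    """Host part of each comma-separated ldap_uri entry."""
    return [urlsplit(u.strip()).hostname for u in uri_list.split(",") if u.strip()]

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def gssapi_findings(conf_text, domain="default"):
    """Lint one [domain/...] section for settings that commonly break a
    GSSAPI LDAP bind; returns a list of findings (empty means nothing flagged)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    findings = []
    if sec.get("ldap_sasl_mech", "").lower() != "gssapi":
        return findings  # the checks below only matter for a GSSAPI bind
    # The client asks the KDC for ldap/<uri host>@REALM; with an IP literal the
    # name only maps to a registered SPN if reverse DNS works (krb5 rdns).
    for host in ldap_hosts(sec.get("ldap_uri", "")):
        if host is None or is_ip_literal(host):
            findings.append(f"ldap_uri host {host!r} is not a DNS name; "
                            "service ticket lookup depends on reverse DNS")
    # The bind principal's realm must be the realm the tickets are issued for.
    authid, realm = sec.get("ldap_sasl_authid", ""), sec.get("krb5_realm", "")
    if "@" in authid and realm and authid.rsplit("@", 1)[1].upper() != realm.upper():
        findings.append(f"ldap_sasl_authid realm does not match krb5_realm {realm!r}")
    return findings
```

Running gssapi_findings(SAMPLE_SSSD_CONF) reports both IP-literal LDAP servers; pointing ldap_uri at DNS names of the DCs (as the commented-out krb5_server line in the post does) clears the findings.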

