[Samba] samba4+sssd+centos6

Steve Thompson smt at vgersoft.com
Fri Aug 10 14:51:22 MDT 2012


In need of some help here. I hope I haven't trimmed this too much.

As I mentioned before, I have a CentOS 6.3 system using SSSD (only) bound 
to the samba4 DC as an LDAP server using the following in sssd.conf:

[domain/SAMBA]
 	ldap_default_bind_dn = CN=Administrator,CN=Users,DC=...
 	ldap_default_authtok = <supersecret>
 	ldap_default_authtok_type = password
 	...

and everything works as expected (dns, kinit, passwd, etc are all good). 
Samba is not in use on the client. There are no Windows servers.

To avoid the need to embded the admin password, I have proceeded as 
follows:

* Joined the client to the  domain, creating an appropriate UPN (client is
   using Samba 3.5.10):

 	# kinit Administrator
 	# net ads join <domain> createupn=host/<client>@<REALM> -k

   where <client> is the (short) client hostname, and <REALM> is of course
   the uppercase kerberos realm name. This succeeds. I can see the
   appropriate CN=<client>,CN=Computers,... entry appear in the DC
   database, and the userPrincipalName entry therein is correct.

* On the DC, extract the keytab:

 	# samba-tool domain exportkeytab client.keytab --princ=host/client at REALM

   and this also works. The client.keytab is transferred to the client and
   installed as /etc/krb5.keytab with the proper ownership and permissions.

* On the client, verify the keytab:

 	# klist -k /etc/krb5.keytab
 	Keytab name: WRFILE:/etc/krb5.keytab
 	KVNO Principal
 	--------------------------------------------------------------------------
 	   1 host/<client>@<REALM>
 	   1 host/<client>@<REALM>
 	   1 host/<client>@<REALM>

* On the client, change the three ldap_default_ lines to:

 	ldap_sasl_mech = GSSAPI
 	ldap_sasl_authid = host/<client>@<REALM>

   and restart sssd.

The result: nothing. I can no longer (getent passwd user) see any users 
or groups; basically nothing works. I get this in /var/log/messages:

Aug 10 15:58:47 <client> sssd_be: GSSAPI Error: Unspecified GSS failure.
 	Minor code may provide more information (Server not found in Kerberos
 	database)

and I really do not know what this is trying to tell me, as so far as I 
know the kerberos database is fine. Please, someone give me a clue! TIA,

Steve



More information about the samba mailing list