[Samba] replication error?

Steve Thompson smt at vgersoft.com
Fri Aug 31 06:08:41 MDT 2012


On Fri, 31 Aug 2012, Andrew Bartlett wrote:

> On Thu, 2012-08-30 at 09:33 -0400, Steve Thompson wrote:
>> On Wed, 29 Aug 2012, Steve Thompson wrote:
>>
>>> On Wed, 29 Aug 2012, Steve Thompson wrote:
>>> More information. If I have two DCs, dc1 and dc2, and I point ldap_uri and
>>> krb5_server in sssd.conf directly at dc1, it always works. If I point either
>>> of those parameters at dc2, it always fails.
>>
>> Well, this was a red herring. Wait long enough (overnight) and it turns
>> out that dc1 stops working as well (dc2 never works). This stuff is
>> unusable.
>
> Does this configuration of SSSD work any differently against a Windows
> domain?  (Trial versions of Windows Server can be downloaded).

I do not have the resources available to try this against a Windows 
domain, and I don't care very much for Windows in any event, but as I 
mentioned before, it works perfectly against a single samba4 DC. It is 
only when I add a second DC that problems occur. BTW, a "samba-tool 
demote" does not work to reduce to one DC; I've tried it many times (but 
of course this is probably a separate issue).

> These issues appear to be client-side (using the wrong ticket, or
> attempting to do krb5 against a name mapping to more than one server),
> but with so little detail it is hard to say with clarity.

I included plenty of detail in my earlier messages on the subject, and 
while I can see why it looks client-side, I note that I can successfully 
do a GSSAPI bind and a kinit with /etc/krb5.keytab when getent is failing. 
I've tried several different configurations with different clients and 
servers, and they all work with one DC and they all fail when there is 
more than one DC, all with no changes on the client side. A Windows PC 
that is bound to the samba4 domain does not work either when getent fails, 
so I don't think that it is sssd.

I appreciate your input. I like what I've seen of samba4 so far, except 
possibly the diddling with DNS, but this has me stumped.

Steve
-- 
----------------------------------------------------------------------------
Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
   "186,282 miles per second: it's not just a good idea, it's the law"
----------------------------------------------------------------------------

