[Samba] objectClass:posixAccount missing

Luca Olivetti luca at wetron.es
Fri Aug 30 08:48:21 MDT 2013

On 30/08/13 11:41, Rowland Penny wrote:

> OK, try this sssd.conf that I have altered for your setup, it is based
> on the sssd.conf on the machine that I am typing this on and it works,
> you just need the krb5.keytab that I told you how to create earlier.

That was

/usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U


[[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
trying to select the most appropriate principal from keytab
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching template.wetron.es@WETRON.ES found in keytab.
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching TEMPLATE$@WETRON.ES found in keytab.
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching host/template.wetron.es@WETRON.ES found in keytab.
[[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
Selected principal: dept-66f575a885$@WETRON.ES
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
name is: [dept-66f575a885$@WETRON.ES]
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Using
keytab [default]
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Will
canonicalize principals
[[sssd[ldap_child[8011]]]] [prepare_response] (0x0400): Building
response for result [0]
[[sssd[ldap_child[8011]]]] [main] (0x0400): ldap_child completed
[sssd[be[wetron.es]]] [read_pipe_handler] (0x0400): EOF received, client
[sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
[sssd[be[wetron.es]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
mech: GSSAPI, user: (null)
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
(-2)[Local error]
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Server not found in
Kerberos database)]

Note that I get the last error even if I add

ldap_sasl_authid = Administrator

in sssd.conf

(Of course in that case I don't get the "No principal matching..."
messages but the outcome is the same).

I suppose there is some additional step to perform (apart from
extracting the keytab).

Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007
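
Added example, not part of the original message or of sssd: a small Python parser that re-joins hard-wrapped sssd debug output like the log above and pulls out the principals that were not found, the one that was selected, the credential cache from the TGT step and the GSSAPI minor status. The names SAMPLE, unwrap and summarize are hypothetical, and the sample is constructed from the posted lines with " at " written back as "@".

```python
import re

# Constructed sample: lines taken from the log in the post, still hard-wrapped
# as in the mail, with the archive's " at " written back as "@" (assumption).
SAMPLE = """\
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching template.wetron.es@WETRON.ES found in keytab.
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching TEMPLATE$@WETRON.ES found in keytab.
[[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
Selected principal: dept-66f575a885$@WETRON.ES
[sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Server not found in
Kerberos database)]
"""

# Only the sssd process tag starts a record; a wrapped "[FILE:..." line does not.
RECORD_START = re.compile(r"^\[+sssd\[")
PATTERNS = {
    "missing": re.compile(r"No principal matching (\S+) found in keytab"),
    "selected": re.compile(r"Selected principal: (\S+)"),
    "ccache": re.compile(r"Child responded: 0 \[([^\]]+)\]"),
    "gss_minor": re.compile(r"Minor code may provide more information \((.+?)\)"),
}

def unwrap(text):
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    out = {"missing": [], "selected": None, "ccache": None, "gss_minor": None}
    for rec in unwrap(text):
        for key, pat in PATTERNS.items():
            m = pat.search(rec)
            if m and key == "missing":
                out[key].append(m.group(1))
            elif m:
                out[key] = m.group(1)
    # A ccache was written, so the keytab login worked; the later GSSAPI bind failed.
    out["tgt_ok_bind_failed"] = bool(out["ccache"] and out["gss_minor"])
    return out
```

On the sample, summarize(SAMPLE) reports two template principals missing from the keytab, a different machine principal selected, a TGT obtained, and the bind failing afterwards with "Server not found in Kerberos database".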
