[Samba] objectClass:posixAccount missing

steve steve at steve-ss.com
Fri Aug 30 10:15:57 MDT 2013


On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
> On 30/08/13 15:48, Luca Olivetti wrote:
> > Al 30/08/13 11:41, En/na Rowland Penny ha escrit:
> >
> >> OK, try this sssd.conf that I have altered for your setup, it is based
> >> on the sssd.conf on the machine that I am typing this on and it works,
> >> you just need the krb5.keytab that I told you how to create earlier.
> > That was
> >
> > /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
> > Administrator
> >
> 

Hi
This command dumps the _whole_ of the database to the keytab, so you
must choose which key you are going to use for:
ldap_sasl_authid

If you really do need all the keys there then could you send us a
sanitised dump of the keytab so we can decide a good key to use? And more
importantly one which is definitely present?

klist -k /etc/krb5.keytab

It is generally recommended to only dump the keys you need. 

> > [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
> > trying to select the most appropriate principal from keytab
> > [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
> > principal matching template.wetron.es@WETRON.ES found in keytab.
> > [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
> > principal matching TEMPLATE$@WETRON.ES found in keytab.
> > [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
> > principal matching host/template.wetron.es@WETRON.ES found in keytab.
> > [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
> > Selected principal: dept-66f575a885$@WETRON.ES
> > [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
> > name is: [dept-66f575a885$@WETRON.ES]
> > [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Using
> > keytab [default]
> > [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Will
> > canonicalize principals
> > [[sssd[ldap_child[8011]]]] [prepare_response] (0x0400): Building
> > response for result [0]
> > [[sssd[ldap_child[8011]]]] [main] (0x0400): ldap_child completed
> > successfully
> > [sssd[be[wetron.es]]] [read_pipe_handler] (0x0400): EOF received, client
> > finished
> > [sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
> > [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
> > [sssd[be[wetron.es]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> > [sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
> > mech: GSSAPI, user: (null)
> > [sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
> > (-2)[Local error]
> > [sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
> > message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> > failure.  Minor code may provide more information (Server not found in
> > Kerberos database)]
> >
> Where did you get samba4 from, did you compile it yourself? what 
> version? what OS are you using, if you did compile it yourself, what 
> packages did you install before compiling.
> 
> > Note that I get the last error even if I add
> >
> > ldap_sasl_authid = Administrator
> >

Have you dumped the Administrator key to the keytab?  If it isn't in the
keytab it's not going to find a match either. Why not simply choose
something which you _do_ have?

ldap_sasl_mech = gssapi
ldap_sasl_authid = something.you.do.have.in.the.keytab
ldap_krb5_keytab = /etc/krb5.keytab

HTH to get us closer.
Cheers,
Steve
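Added example, not part of the thread above: a POSIX shell script that does the check Steve asks for, comparing candidate `ldap_sasl_authid` values against the principals actually present in `klist -k` output, so the value written into sssd.conf is one the keytab can back. The klist output embedded here is constructed sample data modelled on the log in the thread (the `DEPT-66F575A885$` and `host/...` principals are assumptions; `Administrator` is deliberately absent to reproduce the failing case); on a real host the same functions take the output of `klist -k /etc/krb5.keytab`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): pick an ldap_sasl_authid
# that is really present in the keytab, as Steve recommends.
# SAMPLE_KLIST_OUTPUT is CONSTRUCTED test data so the script runs offline;
# replace it with the output of: klist -k /etc/krb5.keytab
SAMPLE_KLIST_OUTPUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DEPT-66F575A885$@WETRON.ES
   1 host/dept-66f575a885.wetron.es@WETRON.ES
   2 DEPT-66F575A885$@WETRON.ES'

# Print one principal per line, de-duplicated: klist lists a principal once
# per KVNO and encryption type, so the same name usually appears several times.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Return 0 if the authid names a principal in the keytab. sssd accepts
# ldap_sasl_authid with or without the realm, so a bare name is completed
# with the realm given as the third argument before matching.
keytab_has_principal() {
    _klist=$1 _authid=$2 _realm=$3
    case $_authid in
        *@*) _wanted=$_authid ;;
        *)   _wanted="$_authid@$_realm" ;;
    esac
    keytab_principals "$_klist" | grep -qxF -- "$_wanted"
}

# Print the first candidate authid that exists in the keytab; exit 1 if none does.
select_authid() {
    _klist=$1 _realm=$2
    shift 2
    for _cand in "$@"; do
        if keytab_has_principal "$_klist" "$_cand" "$_realm"; then
            printf '%s\n' "$_cand"
            return 0
        fi
    done
    return 1
}

# Demo on the constructed sample: the choice that failed in the thread, then
# a candidate list that falls through to a key the keytab actually holds.
if keytab_has_principal "$SAMPLE_KLIST_OUTPUT" Administrator WETRON.ES; then
    echo "Administrator is in the keytab"
else
    echo "Administrator is NOT in the keytab: sssd cannot select it"
fi
chosen=$(select_authid "$SAMPLE_KLIST_OUTPUT" WETRON.ES 'TEMPLATE$' 'DEPT-66F575A885$') || chosen="(nothing usable)"
echo "ldap_sasl_mech = gssapi"
echo "ldap_sasl_authid = $chosen"
echo "ldap_krb5_keytab = /etc/krb5.keytab"
```

The principal match is exact and case-sensitive, which mirrors the way sssd's log above reports "No principal matching ... found in keytab" for each template it tries: a candidate that differs only in case or realm from the keytab entry is treated as absent.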