[Samba] objectClass:posixAccount missing

Luca Olivetti luca at wetron.es
Fri Aug 30 10:42:46 MDT 2013


Al 30/08/13 18:15, En/na steve ha escrit:
> On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
>> On 30/08/13 15:48, Luca Olivetti wrote:
>>> Al 30/08/13 11:41, En/na Rowland Penny ha escrit:
>>>
>>>> OK, try this sssd.conf that I have altered for your setup, it is based
>>>> on the sssd.conf on the machine that I am typing this on and it works,
>>>> you just need the krb5.keytab that I told you how to create earlier.
>>> That was
>>>
>>> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
>>> Administrator
>>>
>>
> 
> Hi
> This command dumps the _whole_ of the database to the keytab, so you
> must choose which key you are going to use for:
> ldap_sasl_authid

Oops, I was just following instructions :-/
I promise that, when everything is working, I'll read all the relevant
manpages (I usually do it _before_ blindly typing what's been suggested,
but...)
;-)

> 
> If you really do need all the keys there then could you send us a
> sanitised dump of the keytab so we can decide a good key to use? And more
> importantly one which is definitely present?
> 
> klist -k /etc/krb5.keytab
> 
> It is generally recommended to only dump the keys you need. 

Which it does with the --principal option, yes?
(but, as I just learned, each command *adds* to the keytab, so I have to
delete the file first).
BTW, if I use --principal=nslcd-connect it is listed 3 times:

# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nslcd-connect at WETRON.ES
   1 nslcd-connect at WETRON.ES
   1 nslcd-connect at WETRON.ES

> 
> Have you dumped the Administrator key to the keytab?  If it isn't in the
> keytab it's not going to find a match either. Why not simply choose
> something which you _do_ have?
> 
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = something.you.do.have.in.the.keytab
> ldap_krb5_keytab = /etc/krb5.keytab

Again, I was following suggestions, anyway, both with -U and with
--principal=nslcd-connect I was using an ldap_sasl_authid that was in
the keytab (as per keytab -k), but the error is the same:

[sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
mech: GSSAPI, user: nslcd-connect
[sssd[nss]] [client_recv] (0x0200): Client disconnected!
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
(-2)[Local error]
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Server not found in
Kerberos database)]


> HTH to get us closer.

I cannot thank you enough, but I feel I'm not getting any closer :-(

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007
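An added check, written for this page and not part of the thread or of sssd/Samba: it parses "klist -k" output and an sssd.conf fragment (both constructed samples modelled on the listings above; the host/ principal in the sample is invented) and reports whether ldap_sasl_authid names a principal the keytab actually holds, and how many times that entry appears, since each exportkeytab run appends to the existing file.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the principal named by
# ldap_sasl_authid in sssd.conf is present in the keytab listed by klist -k,
# and flag duplicate entries left behind by repeated exportkeytab runs.

# Constructed sample of "klist -k /etc/krb5.keytab" output, modelled on
# the listing in the thread (real klist prints '@', not ' at ').
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nslcd-connect@WETRON.ES
   1 nslcd-connect@WETRON.ES
   1 nslcd-connect@WETRON.ES
   2 host/dc1.wetron.es@WETRON.ES'

# Constructed sssd.conf fragment using the keys quoted in the thread.
SAMPLE_SSSD_CONF='[domain/wetron.es]
ldap_sasl_mech = gssapi
ldap_sasl_authid = Administrator
ldap_krb5_keytab = /etc/krb5.keytab'

# Print the value of ldap_sasl_authid from sssd.conf text on stdin.
sssd_authid() {
    sed -n 's/^[[:space:]]*ldap_sasl_authid[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Count keytab entries (any KVNO) whose principal matches $1; the realm
# part may be given or omitted in $1.  Reads klist -k output on stdin.
keytab_entry_count() {
    awk -v want="$1" 'NR > 3 {
        p = $2; sub(/@.*/, "", p)
        if ($2 == want || p == want) n++
    } END { print n + 0 }'
}

# $1 = sssd.conf text, $2 = klist output.  Returns 0 if the authid is in
# the keytab, 1 if it is missing; prints a one-line diagnosis either way.
check_authid() {
    authid=$(printf '%s\n' "$1" | sssd_authid)
    n=$(printf '%s\n' "$2" | keytab_entry_count "$authid")
    if [ "$n" -eq 0 ]; then
        echo "ldap_sasl_authid '$authid' is not in the keytab"
        return 1
    fi
    [ "$n" -gt 1 ] && echo "note: '$authid' listed $n times (duplicate exports)"
    echo "ldap_sasl_authid '$authid' found in keytab"
    return 0
}
```

With the sample as given, the check fails because Administrator was never exported; changing the authid to nslcd-connect makes it pass, with a note about the three duplicate entries.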

