[Samba] objectClass:posixAccount missing

Rowland Penny rowlandpenny at googlemail.com
Fri Aug 30 10:45:59 MDT 2013

On 30/08/13 17:15, steve wrote:
> On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
>> On 30/08/13 15:48, Luca Olivetti wrote:
>>> Al 30/08/13 11:41, En/na Rowland Penny ha escrit:
>>>> OK, try this sssd.conf that I have altered for your setup, it is based
>>>> on the sssd.conf on the machine that I am typing this on and it works,
>>>> you just need the krb5.keytab that I told you how to create earlier.
>>> That was
>>> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
>>> Administrator
> Hi
> This command dumps the _whole_ of the database to the keytab, so you
> must choose which key you are going to use for:
> ldap_sasl_authid
> If you really do need all the keys there then could you send us a
> sanitised dump of the keytab so we can decide a good key to use? And more
> importantly one which is definitely present?
> klist -k /etc/krb5.keytab
> It is generally recommended to only dump the keys you need.
Hi Steve, let's just get something to work for the OP first.

>>> [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
>>> trying to select the most appropriate principal from keytab
>>> [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
>>> principal matching template.wetron.es@WETRON.ES found in keytab.
>>> [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
>>> principal matching TEMPLATE$@WETRON.ES found in keytab.
>>> [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
>>> principal matching host/template.wetron.es@WETRON.ES found in keytab.
>>> [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
>>> Selected principal: dept-66f575a885$@WETRON.ES
>>> [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
>>> name is: [dept-66f575a885$@WETRON.ES]
>>> [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Using
>>> keytab [default]
>>> [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Will
>>> canonicalize principals
>>> [[sssd[ldap_child[8011]]]] [prepare_response] (0x0400): Building
>>> response for result [0]
>>> [[sssd[ldap_child[8011]]]] [main] (0x0400): ldap_child completed
>>> successfully
>>> [sssd[be[wetron.es]]] [read_pipe_handler] (0x0400): EOF received, client
>>> finished
>>> [sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
>>> [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
>>> [sssd[be[wetron.es]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
>>> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
>>> mech: GSSAPI, user: (null)
>>> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
>>> (-2)[Local error]
>>> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
>>> message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
>>> failure.  Minor code may provide more information (Server not found in
>>> Kerberos database)]
>> Where did you get samba4 from? Did you compile it yourself? What
>> version? What OS are you using? If you did compile it yourself, what
>> packages did you install before compiling?
>>> Note that I get the last error even if I add
>>> ldap_sasl_authid = Administrator
> Have you dumped the Administrator key to the keytab?  If it isn't in the
> keytab it's not going to find a match either. Why not simply choose
> something which you _do_ have?
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = something.you.do.have.in.the.keytab
> ldap_krb5_keytab = /etc/krb5.keytab
> HTH to get us closer.
> Cheers,
> Steve
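The debug log above shows sssd's ldap_child walking through candidate principal names (host@REALM, HOST$@REALM, host/host@REALM) before falling back to an entry that happens to be in the keytab, and Steve's point is that `ldap_sasl_authid` only works if the chosen name is actually present. The following shell script is an added example, not code from the thread or from the sssd/Samba projects: it parses `klist -k` output, reproduces the three candidate lookups visible in the log, and checks whether a proposed `ldap_sasl_authid` exists in the keytab. The `klist -k` listing is constructed for the example, the candidate order is taken only from the three lookups shown in the log, and the "first entry in the realm" fallback is an assumption that approximates what the log shows being selected.

```sh
#!/bin/sh
# Added example: pick a usable ldap_sasl_authid from a keytab listing.
# Constructed sample of `klist -k /etc/krb5.keytab` output (not from the thread).
# Note that it deliberately lacks an Administrator key, matching the case
# discussed above where ldap_sasl_authid = Administrator cannot work.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dept-66f575a885$@WETRON.ES
   1 host/dept-66f575a885.wetron.es@WETRON.ES'

# Read klist -k output on stdin and print only the principal names:
# data lines start with a numeric KVNO, the principal is the second field.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# The candidate names sssd tried in the log, in that order:
#   <fqdn>@REALM, <SHORTHOST>$@REALM, host/<fqdn>@REALM
# $1 = host FQDN, $2 = Kerberos realm.
candidates() {
    fqdn=$1; realm=$2
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf '%s@%s\n%s$@%s\nhost/%s@%s\n' \
        "$fqdn" "$realm" "$short" "$realm" "$fqdn" "$realm"
}

# Print the first candidate that is present in the keytab; otherwise fall
# back to the first keytab entry in that realm (assumption: this mirrors the
# "Selected principal" line in the log, where none of the candidates matched).
# $1 = host FQDN, $2 = realm, stdin = klist -k output.
select_principal() {
    fqdn=$1; realm=$2
    princs=$(keytab_principals)
    for c in $(candidates "$fqdn" "$realm"); do
        if printf '%s\n' "$princs" | grep -qxF -- "$c"; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    printf '%s\n' "$princs" | grep -F -- "@$realm" | head -n 1
}

# Check that a proposed ldap_sasl_authid is really in the keytab.
# A name without '@' is looked up as name@REALM. Exit 0 if present.
# $1 = authid, $2 = realm, stdin = klist -k output.
has_principal() {
    name=$1; realm=$2
    case $name in
        *@*) full=$name ;;
        *)   full="$name@$realm" ;;
    esac
    keytab_principals | grep -qxF -- "$full"
}

# Demonstration on the constructed sample, as the OP's host would see it:
printf '%s\n' "$SAMPLE_KLIST" | select_principal template.wetron.es WETRON.ES
if printf '%s\n' "$SAMPLE_KLIST" | has_principal Administrator WETRON.ES; then
    echo "Administrator is in the keytab"
else
    echo "Administrator is NOT in the keytab: pick another ldap_sasl_authid"
fi
```

Run it against a real keytab with `klist -k /etc/krb5.keytab | select_principal "$(hostname -f)" WETRON.ES`; whatever it prints is a value that `ldap_sasl_authid` can safely point at, and `has_principal` lets you verify a hand-picked value before restarting sssd.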
