[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Denis Cardon denis.cardon at tranquil-it-systems.fr
Thu Dec 19 11:08:43 MST 2013


Hi Cyril,

...snip...
>>
>>
>
> I made an error on:
> ldap_sasl_authid, I forgot the $ sign
> ad_hostname, I used the server name instead of the workstation's one
>
> But it is still not working.
> But I have more information from sssd's log as I use debug_level = 9.
>
> Maybe an interesting one:
> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]]
> select_principal_from_keytab] (0x0200): trying to select the most
> appropriate principal from keytab
> (Thu Dec 19 18:47:52 2013) [sssd[be[default]] [find_principal_in_keytab]
> (0x0020): krb5_kt_start_seq_get failed.
> (Thu Dec 19 18:47:56 2013)
> [sssd[be[default]]][select_principal_from_keytab] (0x0080): No suitable
> principal found in keytab
> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]]
> [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module]
> (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init]
> (0x0010): fatal error initializing data providers

There is/was a bug in sssd initialisation where the ldap_sasl_authid has 
to be in the same case, letter by letter, as the entry in the keytab (even 
if you have mixed case). I think the kerberos entry should be case insensitive.

About another bug earlier in the thread, about having no provider or 
something like this: it is probably an error about a missing sasl/ldap 
library. Those libraries are not required for sssd, so they are not 
always in the dependencies in packaging. Here are the entries we have in our 
in-house sssd package: 
libsasl2-modules-ldap,libsasl2-modules-gssapi-mit,libsasl2-2,libldap-2.4-2

Hope this helps,

Denis



>
> There's an issue with kerberos.
>
> Does the keytab have to be local?
> Or does the system use the server one?
>
> Cyril
>
>
>
>


-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
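
Added example, not part of the original message or of sssd: a shell check for the case-sensitivity problem described in the reply above, comparing the ldap_sasl_authid value from sssd.conf text with the principals listed by `klist -k`, byte for byte. The host WS01, the realm EXAMPLE.COM, the function names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare ldap_sasl_authid with keytab
# principals byte for byte, because the match is case-sensitive.

# Print the ldap_sasl_authid value found in sssd.conf text ($1).
get_authid() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*ldap_sasl_authid[[:space:]]*=[[:space:]]*//p' |
        sed 's/[[:space:]]*$//' | head -n 1
}

# check_authid CONF_TEXT KLIST_TEXT
# Prints "exact", "case-mismatch:<keytab principal>", "missing" or "no-authid".
check_authid() {
    authid=$(get_authid "$1")
    [ -n "$authid" ] || { echo "no-authid"; return 3; }
    # `klist -k` rows look like "   2 WS01$@EXAMPLE.COM"; keep column 2.
    principals=$(printf '%s\n' "$2" | awk '$1 ~ /^[0-9]+$/ {print $2}' | sort -u)
    if printf '%s\n' "$principals" | grep -Fxq -- "$authid"; then
        echo "exact"; return 0
    fi
    # Same principal apart from letter case: the situation sssd rejects.
    near=$(printf '%s\n' "$principals" | grep -Fxi -- "$authid" | head -n 1) || true
    if [ -n "$near" ]; then
        echo "case-mismatch:$near"; return 1
    fi
    echo "missing"; return 2
}

# Constructed sample data (hypothetical host WS01 in realm EXAMPLE.COM).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/ws01.example.com@EXAMPLE.COM
   2 WS01$@EXAMPLE.COM'
SAMPLE_CONF='[domain/default]
id_provider = ad
ldap_sasl_authid = ws01$@EXAMPLE.COM'

check_authid "$SAMPLE_CONF" "$SAMPLE_KLIST" || true   # case-mismatch:WS01$@EXAMPLE.COM
```

On a real client, pass the live data instead of the samples: `check_authid "$(cat /etc/sssd/sssd.conf)" "$(klist -k /etc/krb5.keytab)"` (default paths, assumed here; adjust to the local setup).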


