[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril cyril.lalinne at 3d-com.fr
Fri Dec 20 02:18:58 MST 2013


Hi Denis,

On 19/12/2013 19:08, Denis Cardon wrote:
> Hi Cyril,
>
> ...snip...
>>>
>>>
>>
>> I made an error on:
>> ldap_sasl_authid, I forgot the $ sign
>> ad_hostname, I used the server name instead of the workstation's one
>>
>> But it is still not working.
>> But I have more information from sssd's log as I use debug_level = 9.
>>
>> Maybe an interesting one:
>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]]
>> select_principal_from_keytab] (0x0200): trying to select the most
>> appropriate principal from keytab
>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]] [find_principal_in_keytab]
>> (0x0020): krb5_kt_start_seq_get failed.
>> (Thu Dec 19 18:47:56 2013)
>> [sssd[be[default]]][select_principal_from_keytab] (0x0080): No suitable
>> principal found in keytab
>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]]
>> [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module]
>> (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init]
>> (0x0010): fatal error initializing data providers
>
> There is/was a bug in sssd initialisation where the ldap_sasl_authid has
> to be in the same case letter by letter as the entry in the keytab (even
> if you have mixed case). I think the Kerberos entry should be case insensitive.
>
> About another bug earlier in the thread about having no provider or
> something like this, it is probably an error about missing sasl/ldap
> library. Those libraries are not required for sssd so they are not
> always in dependencies in packaging. Here are the entries we have in our
> in-house sssd package :
> libsasl2-modules-ldap,libsasl2-modules-gssapi-mit,libsasl2-2,libldap-2.4-2
>
> Hope this helps,
>
> Denis
>

I changed the ldap_sasl_authid to take care of the letter case.
And I checked the sssd packages ... they were all already installed.

But there's still an error about Kerberos: "No suitable principal found
in keytab"

Thanks Denis !
Cyril
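
An added example, not part of the thread and not sssd code: a Python check for the case-sensitivity issue Denis describes, comparing ldap_sasl_authid with the principals that `klist -k` lists. The sssd.conf fragment, the host name ws01, the realm EXAMPLE.LAN and the klist output are constructed, and the function names are hypothetical.

```python
import configparser
import os
import re

# Constructed samples (not from the thread): sssd.conf fragment and `klist -k` output.
SAMPLE_SSSD_CONF = """
[domain/default]
id_provider = ad
ldap_sasl_authid = ws01$@EXAMPLE.LAN
"""
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/ws01.example.lan@EXAMPLE.LAN
   2 WS01$@EXAMPLE.LAN
"""

def keytab_readable(path):
    # krb5_kt_start_seq_get opens the keytab for iteration; a missing or
    # unreadable file is one reason that call fails.
    return os.path.isfile(path) and os.access(path, os.R_OK)

def authid_from_conf(conf_text, section="domain/default"):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get(section, "ldap_sasl_authid", fallback=None)

def keytab_principals(klist_output):
    # Plain `klist -k` rows are "<kvno> <principal>"; header rows do not match.
    rows = re.finditer(r"^[ \t]*\d+[ \t]+(\S+)[ \t]*$", klist_output, re.M)
    return sorted({m.group(1) for m in rows})

def check_authid(authid, principals):
    # Assumption: an authid without "@realm" is compared to the name part only.
    part = (lambda p: p) if "@" in authid else (lambda p: p.split("@", 1)[0])
    names = {part(p): p for p in principals}
    if authid in names:
        return ("exact", names[authid])
    for name, full in names.items():
        if name.lower() == authid.lower():
            return ("case-mismatch", full)
    return ("missing", None)

if __name__ == "__main__":
    authid = authid_from_conf(SAMPLE_SSSD_CONF)
    print(authid, check_authid(authid, keytab_principals(SAMPLE_KLIST)))
```

A "case-mismatch" result returns the keytab's spelling, which is the value to copy letter for letter into ldap_sasl_authid.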