[Samba] sssd + samba4 not working (yet)

Kenneth Westelinck kenneth.westelinck at gmail.com
Wed Feb 19 00:07:46 MST 2014


All,

Keytab should be fine, as I used the instructions from the wiki to export
it:
root at bubba3-one:/etc# klist -k krb5.sssd.keytab
Keytab name: FILE:krb5.sssd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 bubba3-one$@EARTH.LOCAL
   1 bubba3-one$@EARTH.LOCAL
   1 bubba3-one$@EARTH.LOCAL
root at bubba3-one:/etc#

getent passwd Administrator doesn't return anything

I guess I have the uid number stored:
root at bubba3-one:/etc# wbinfo --user-info Administrator
EARTH\Administrator:*:0:100::/home/EARTH/Administrator:/bin/false
root at bubba3-one:/etc#

The reason I don't use a recent version of sssd is the fact that the box is
running Debian and Debian only comes with this old version.
I guess I could compile the most recent version. How could this help me
better than the older version?


regards,

Kenneth


On Tue, Feb 18, 2014 at 10:53 PM, Steve <steve at steve-ss.com> wrote:

> Do you have the machine key in the correct keytab? Why not use a recent
> version of sssd and use the proper ad backend? It's much easier if you use
> AD. Does getent passwd <user> return anything? Do you have uidNumber stored
> in AD?
> Cheers,
> Steve
>
> Kenneth Westelinck <kenneth.westelinck at gmail.com> wrote:
>
> >Dear list,
> >
> >It has been a true adventure setting up a samba4 ad with a bind9 backend.
> >From what I can see, everything is more or less working:
> >
> >--> samba itself:
> >root at bubba3-one:/etc/sssd# smbclient //localhost/netlogon -UAdministrator -c 'ls'
> >Enter Administrator's password:
> >Domain=[EARTH] OS=[Unix] Server=[Samba 4.1.4-SerNet-Debian-7.wheezy]
> >  .                                   D        0  Mon Feb 17 17:58:42 2014
> >  ..                                  D        0  Mon Feb 17 17:59:46 2014
> >
> >                40317 blocks of size 262144. 29196 blocks available
> >root at bubba3-one:/etc/sssd#
> >
> >--> kerberos
> >root at bubba3-one:/etc/sssd# kinit administrator
> >Password for administrator at EARTH.LOCAL:
> >root at bubba3-one:/etc/sssd#
> >
> >--> dns
> >root at bubba3-one:/etc/sssd# host -t SRV _ldap._tcp.earth.local
> >_ldap._tcp.earth.local has SRV record 0 100 389 bubba3-one.earth.local.
> >root at bubba3-one:/etc/sssd# host -t SRV _kerberos._udp.earth.local
> >_kerberos._udp.earth.local has SRV record 0 100 88 bubba3-one.earth.local.
> >root at bubba3-one:/etc/sssd# host -t A bubba3-one.earth.local
> >bubba3-one.earth.local has address 192.168.1.1
> >root at bubba3-one:/etc/sssd#
> >
> >I am now trying to set up sssd using
> >
> >https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
> >
> >sssd seems to start fine (no errors in the log and the daemons are
> >running), but getent passwd and getent groups return nothing. Below is my
> >config:
> >
> >[sssd]
> >services = nss, pam
> >config_file_version = 2
> >domains = default
> >
> >[nss]
> >filter_groups = root
> >filter_users = root
> >reconnection_retries = 3
> >
> >[pam]
> >
> >[domain/default]
> >ad_hostname = bubba3-one.earth.local
> >ad_server = bubba3-one.earth.local
> >ad_domain = earth.local
> >
> >ldap_schema = rfc2307bis
> >id_provider = ldap
> >access_provider = simple
> >
> ># on large directories, you may want to disable enumeration for performance reasons
> >enumerate = true
> >
> >auth_provider = krb5
> >chpass_provider = krb5
> >ldap_sasl_mech = gssapi
> >ldap_sasl_authid = bubba3-one$@EARTH.LOCAL
> >krb5_realm = EARTH.LOCAL
> >krb5_server = bubba3-one.earth.local
> >krb5_kpasswd = bubba3-one.earth.local
> >ldap_krb5_keytab = /etc/krb5.sssd.keytab
> >ldap_krb5_init_creds = true
> >
> >ldap_referrals = false
> >ldap_uri = ldap://bubba3-one.earth.local
> >ldap_search_base = dc=earth,dc=local
> >
> >dyndns_update=false
> >
> >ldap_id_mapping=false
> >
> >ldap_user_object_class = user
> >ldap_user_name = samAccountName
> >ldap_user_uid_number = uidNumber
> >ldap_user_gid_number = gidNumber
> >ldap_user_home_directory = unixHomeDirectory
> >ldap_user_shell = loginShell
> >
> >ldap_group_object_class = group
> >ldap_group_name = cn
> >ldap_group_member = member
> >
> >Any idea what I am missing? Can I enable some debugging somewhere to see
> >what I am doing wrong?
> >
> >Many thanks in advance.
> >
> >
> >regards,
> >
> >Kenneth
> >
> >P.S.:
> >- OS is Debian Wheezy on a B3
> >- Samba is 4.1.4 compiled from sernet
> >- BIND 9.8.4-rpz2+rl005.12-P1
> >- sssd 1.8.4-2
>
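Added here as a worked example, not code from the thread: a small Python check that cross-references the sssd.conf, `klist -k` listing and `wbinfo --user-info` line posted above (copied in as literals) against two things sssd requires before `getent` can return a domain user. It assumes sssd's documented default of `min_id = 1` (entries with an id below it are ignored) and that `ldap_sasl_authid` must name a principal present in `ldap_krb5_keytab`; both are assumptions about sssd, not statements from the thread.

```python
import configparser
import re

# Relevant parts of the sssd.conf posted in the thread (constructed literal).
SSSD_CONF = """
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
ldap_sasl_mech = gssapi
ldap_sasl_authid = bubba3-one$@EARTH.LOCAL
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_id_mapping=false
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
"""

# `klist -k krb5.sssd.keytab` output from the thread (constructed literal).
KLIST_OUT = """Keytab name: FILE:krb5.sssd.keytab
KVNO Principal
---- ------------------------------------------
   1 bubba3-one$@EARTH.LOCAL
   1 bubba3-one$@EARTH.LOCAL
"""

# `wbinfo --user-info Administrator` line from the thread: note uid 0.
WBINFO_LINE = "EARTH\\Administrator:*:0:100::/home/EARTH/Administrator:/bin/false"


def keytab_principals(klist_text):
    """Principals listed by `klist -k` (one per 'KVNO principal' row)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)$", klist_text, re.M)}


def check_domain(conf_text, klist_text, passwd_line, min_id=1):
    """Return a list of findings; an empty list means the checks passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    dom = cp["domain/default"]
    findings = []
    authid = dom.get("ldap_sasl_authid")
    if authid and authid not in keytab_principals(klist_text):
        findings.append(f"sasl authid {authid} missing from keytab")
    if dom.get("ldap_id_mapping", "false").lower() == "false":
        # Without id mapping, POSIX ids must come from AD attributes.
        for key in ("ldap_user_uid_number", "ldap_user_gid_number"):
            if key not in dom:
                findings.append(f"{key} unset while ldap_id_mapping=false")
    uid = int(passwd_line.split(":")[2])
    if uid < min_id:
        # Assumed sssd behaviour: ids below min_id are ignored, so the user
        # never appears in getent; a domain user at uid 0 would also be root.
        findings.append(f"uid {uid} below min_id={min_id}; sssd would ignore it")
    return findings
```

Run against the thread's own data the keytab check passes and the only finding is the uid 0 reported by wbinfo, which is worth verifying in AD before anything else.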

