[Samba] sssd + samba4 not working (yet)

Peter Serbe peter at serbe.ch
Wed Feb 19 01:24:37 MST 2014


Dear all, 

I have exactly the same issue here. Also running Debian, but Jessie, and hence 

root@ulysses:/etc# sssd --version
1.11.3

I think that I am missing the correct PAM plugin. Can anyone point out how 
to check this on Debian? 

Best regards
Peter



Kenneth, 

You could do a backport of the testing package if you want to have the 
newer version of the Jessie package. I haven't done it myself, but I 
hear that it should be pretty easy. Definitely easier than getting sssd 
up and running. ;-)



Kenneth Westelinck wrote on 19.02.2014 08:07:

> All,
> 
> Keytab should be fine, as I used the instructions from the wiki to export
> it:
> root@bubba3-one:/etc# klist -k krb5.sssd.keytab
> Keytab name: FILE:krb5.sssd.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 bubba3-one$@EARTH.LOCAL
>    1 bubba3-one$@EARTH.LOCAL
>    1 bubba3-one$@EARTH.LOCAL
> root@bubba3-one:/etc#
> 
> getent passwd Administrator doesn't return anything
> 
> I guess I have the uid number stored:
> root@bubba3-one:/etc# wbinfo --user-info Administrator
> EARTH\Administrator:*:0:100::/home/EARTH/Administrator:/bin/false
> root@bubba3-one:/etc#
> 
> The reason I don't use a recent version of sssd is the fact the box is
> running Debian and Debian only comes with this old version.
> I guess I could compile the most recent version. How could this help me
> better than the older version?
> 
> 
> regards,
> 
> Kenneth
> 
> 
> On Tue, Feb 18, 2014 at 10:53 PM, Steve <steve at steve-ss.com> wrote:
> 
>> Do you have the machine key in the correct keytab? Why not use a recent
>> version of sssd and use the proper ad backend? It's much easier if you use
>> AD. Does getent passwd <user> return anything? Do you have uidNumber stored
>> in AD?
>> Cheers,
>> Steve
>>
>> Kenneth Westelinck <kenneth.westelinck at gmail.com> wrote:
>>
>> >Dear list,
>> >
>> >It has been a true adventure setting up a samba4 ad with a bind9 backend.
>> >From what I can see, everything is more or less working:
>> >
>> > --> samba itself:
>> >root@bubba3-one:/etc/sssd# smbclient //localhost/netlogon -UAdministrator -c 'ls'
>> >Enter Administrator's password:
>> >Domain=[EARTH] OS=[Unix] Server=[Samba 4.1.4-SerNet-Debian-7.wheezy]
>> >  .                                   D        0  Mon Feb 17 17:58:42 2014
>> >  ..                                  D        0  Mon Feb 17 17:59:46 2014
>> >
>> >                40317 blocks of size 262144. 29196 blocks available
>> >root@bubba3-one:/etc/sssd#
>> >
>> > --> kerberos
>> >root@bubba3-one:/etc/sssd# kinit administrator
>> >Password for administrator@EARTH.LOCAL:
>> >root@bubba3-one:/etc/sssd#
>> >
>> > --> dns
>> >root@bubba3-one:/etc/sssd# host -t SRV _ldap._tcp.earth.local
>> >_ldap._tcp.earth.local has SRV record 0 100 389 bubba3-one.earth.local.
>> >root@bubba3-one:/etc/sssd# host -t SRV _kerberos._udp.earth.local
>> >_kerberos._udp.earth.local has SRV record 0 100 88 bubba3-one.earth.local.
>> >root@bubba3-one:/etc/sssd# host -t A bubba3-one.earth.local
>> >bubba3-one.earth.local has address 192.168.1.1
>> >root@bubba3-one:/etc/sssd#
>> >
>> >I am now trying to set up sssd using
>> >
>> >https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
>> >
>> >sssd seems to start fine (no errors in the log and the daemons are
>> >running), but getent passwd and getent groups return nothing. Below is my
>> >config:
>> >
>> >[sssd]
>> >services = nss, pam
>> >config_file_version = 2
>> >domains = default
>> >
>> >[nss]
>> >filter_groups = root
>> >filter_users = root
>> >reconnection_retries = 3
>> >
>> >[pam]
>> >
>> >[domain/default]
>> >ad_hostname = bubba3-one.earth.local
>> >ad_server = bubba3-one.earth.local
>> >ad_domain = earth.local
>> >
>> >ldap_schema = rfc2307bis
>> >id_provider = ldap
>> >access_provider = simple
>> >
>> ># on large directories, you may want to disable enumeration for performance reasons
>> >enumerate = true
>> >
>> >auth_provider = krb5
>> >chpass_provider = krb5
>> >ldap_sasl_mech = gssapi
>> >ldap_sasl_authid = bubba3-one$@EARTH.LOCAL
>> >krb5_realm = EARTH.LOCAL
>> >krb5_server = bubba3-one.earth.local
>> >krb5_kpasswd = bubba3-one.earth.local
>> >ldap_krb5_keytab = /etc/krb5.sssd.keytab
>> >ldap_krb5_init_creds = true
>> >
>> >ldap_referrals = false
>> >ldap_uri = ldap://bubba3-one.earth.local
>> >ldap_search_base = dc=earth,dc=local
>> >
>> >dyndns_update=false
>> >
>> >ldap_id_mapping=false
>> >
>> >ldap_user_object_class = user
>> >ldap_user_name = samAccountName
>> >ldap_user_uid_number = uidNumber
>> >ldap_user_gid_number = gidNumber
>> >ldap_user_home_directory = unixHomeDirectory
>> >ldap_user_shell = loginShell
>> >
>> >ldap_group_object_class = group
>> >ldap_group_name = cn
>> >ldap_group_member = member
>> >
>> >Any idea what I am missing? Can I enable some debugging somewhere to see
>> >what I am doing wrong?
>> >
>> >Many thanks in advance.
>> >
>> >
>> >regards,
>> >
>> >Kenneth
>> >
>> >P.S.:
>> >- OS is Debian Wheezy on a B3
>> >- Samba is 4.1.4 compiled from sernet
>> >- BIND 9.8.4-rpz2+rl005.12-P1
>> >- sssd 1.8.4-2
>> >--
>> >To unsubscribe from this list go to the following URL and read the
>> >instructions:  https://lists.samba.org/mailman/options/samba
>>

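Steve's first question (is the machine principal in the keytab sssd is told to use?) can be checked mechanically against the quoted configuration and `klist -k` listing. The following is an added example, not part of the original thread: it also checks two points the thread does not discuss (whether `nsswitch.conf` lists the `sss` source that `getent` depends on, and `ad_*` options set while no provider is `ad`). The function names and the `nsswitch.conf` content are assumptions.

```python
import configparser
import re

# Constructed inputs: SSSD_CONF and KLIST_OUT are trimmed from what the thread
# quotes; NSSWITCH is an assumed file content that the thread never shows.
SSSD_CONF = """\
[sssd]
domains = default
[domain/default]
ad_server = bubba3-one.earth.local
id_provider = ldap
ldap_sasl_mech = gssapi
ldap_sasl_authid = bubba3-one$@EARTH.LOCAL
"""
KLIST_OUT = "KVNO Principal\n---- ---------\n   1 bubba3-one$@EARTH.LOCAL\n"
NSSWITCH = "passwd: compat\ngroup: compat\n"

def keytab_principals(klist_text):
    """Principals in plain `klist -k` output (lines of '<kvno> <principal>')."""
    return set(re.findall(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_text, re.M))

def nss_uses_sss(nsswitch_text, database):
    """True if the given nsswitch.conf database lists the sss source."""
    for line in nsswitch_text.splitlines():
        name, _, sources = line.split("#", 1)[0].partition(":")
        if name.strip() == database:
            return "sss" in sources.split()
    return False

def check(conf_text, klist_text, nsswitch_text):
    """Return a list of findings; an empty list means every check passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for name in (d.strip() for d in cp["sssd"]["domains"].split(",")):
        dom = cp["domain/" + name]
        authid = dom.get("ldap_sasl_authid")
        if dom.get("ldap_sasl_mech", "").lower() == "gssapi" \
                and authid not in keytab_principals(klist_text):
            findings.append(f"{name}: {authid} is not in the keytab")
        providers = {v for k, v in dom.items() if k.endswith("_provider")}
        ad_opts = sorted(k for k in dom if k.startswith("ad_"))
        if ad_opts and "ad" not in providers:
            findings.append(f"{name}: {', '.join(ad_opts)} set but no provider is ad")
    for db in ("passwd", "group"):
        if not nss_uses_sss(nsswitch_text, db):
            findings.append(f"nsswitch.conf: '{db}' does not list sss")
    return findings

print("\n".join(check(SSSD_CONF, KLIST_OUT, NSSWITCH)) or "no findings")
```

On a real host, feed it the contents of `/etc/sssd/sssd.conf`, the output of `klist -k` on the file named by `ldap_krb5_keytab`, and `/etc/nsswitch.conf`.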

