[Samba] sssd + samba4 not working (yet)

Kenneth Westelinck kenneth.westelinck at gmail.com
Wed Feb 19 14:17:58 MST 2014


While still trying to compile a newer version of sssd, I started to read
parts of the sssd documentation. I found this:
---------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<----------

If using SASL/GSSAPI to bind to AD also test that the keytab is working
properly:

klist -ke

kinit -k CLIENT$@AD.EXAMPLE.COM

If you generated your keytab with a different createupn argument, it's
possible this won't work and the following works instead. This is
absolutely fine as far as sssd is concerned, and you can instead generate a
ticket for the upn you have created:

kinit -k -t /etc/krb5.keytab 'nfs/client.ad.example.com@AD.EXAMPLE.COM'

Now using this credential you've just created try fetching data from the
server with ldapsearch (in case of issues make sure
/etc/openldap/ldap.conf does not contain any unwanted settings):

/usr/bin/ldapsearch -H ldap://server.ad.example.com/ -Y GSSAPI -N -b "dc=ad,dc=example,dc=com"
"(&(objectClass=user)(sAMAccountName=aduser))"

By using the credential from the keytab, you've verified that this
credential has sufficient rights to retrieve user information.

After both kinit and ldapsearch work properly proceed to actual SSSD
configuration.
---------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<----------
In my case this translates to:
root at bubba3-one:~# kinit -k -t /etc/krb5.sssd.keytab
'bubba3-one$@EARTH.LOCAL'
root at bubba3-one:~# ldapsearch -H ldap://bubba3-one.earth.local/ -Y GSSAPI
-N -b "dc=earth,dc=local" "(&(objectClass=user)(sAMAccountName=kenneth))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (Server
not found in Kerberos database)
root at bubba3-one:~#

tcpdump tells me this:
...
22:10:27.701218 IP buba3-one.earth.local.48796 >
buba3-one.earth.local.domain: 34430+ SRV?
_kerberos-master._udp.EARTH.LOCAL. (51)
22:10:27.701862 IP buba3-one.earth.local.domain >
buba3-one.earth.local.48796: 34430 NXDomain* 0/1/0 (104)
22:10:27.702890 IP buba3-one.earth.local.57167 >
buba3-one.earth.local.domain: 57336+ SRV?
_kerberos-master._tcp.EARTH.LOCAL. (51)
22:10:27.703696 IP buba3-one.earth.local.domain >
buba3-one.earth.local.57167: 57336 NXDomain* 0/1/0 (104)
22:10:27.706413 IP buba3-one.earth.local.60088 >
buba3-one.earth.local.ldap: Flags [P.], seq 1:8, ack 1, win 1025, options
[nop,nop,TS val 20922020 ecr 20922002], length 7
22:10:27.706477 IP buba3-one.earth.local.ldap >
buba3-one.earth.local.60088: Flags [.], ack 8, win 1024, options
[nop,nop,TS val 20922020 ecr 20922020], length 0
22:10:27.707236 IP buba3-one.earth.local.60088 >
buba3-one.earth.local.ldap: Flags [F.], seq 8, ack 1, win 1025, options
[nop,nop,TS val 20922020 ecr 20922020], length 0
22:10:27.707426 IP buba3-one.earth.local.ldap >
buba3-one.earth.local.60088: Flags [F.], seq 1, ack 9, win 1024, options
[nop,nop,TS val 20922020 ecr 20922020], length 0
22:10:27.707474 IP buba3-one.earth.local.60088 >
buba3-one.earth.local.ldap: Flags [.], ack 2, win 1025, options [nop,nop,TS
val 20922020 ecr 20922020], length 0
22:10:37.989185 IP buba3-one.earth.local.ldap >
sonia.1.168.192.in-addr.arpa.39196: Flags [P.], seq 1035:1216, ack 404, win
1726, options [nop,nop,TS val 20923049 ecr 224407943], length 181
22:10:37.989714 IP sonia.1.168.192.in-addr.arpa.39196 >
buba3-one.earth.local.ldap: Flags [.], ack 1216, win 353, options
[nop,nop,TS val 225308045 ecr 20923049], length 0
22:10:37.989983 IP sonia.1.168.192.in-addr.arpa.39196 >
buba3-one.earth.local.ldap: Flags [P.], seq 404:441, ack 1216, win 353,
options [nop,nop,TS val 225308045 ecr 20923049], length 37
22:10:37.990213 IP sonia.1.168.192.in-addr.arpa.39196 >
buba3-one.earth.local.ldap: Flags [F.], seq 441, ack 1216, win 353, options
[nop,nop,TS val 225308046 ecr 20923049], length 0
22:10:38.023995 IP buba3-one.earth.local.ldap >
sonia.1.168.192.in-addr.arpa.39196: Flags [R.], seq 1216, ack 442, win
1726, options [nop,nop,TS val 20923052 ecr 225308045], length 0

I am not an expert, but I think it means he's searching for
_kerberos-master._udp.EARTH.LOCAL
This one does not exist :(
This one exists though:
root at bubba3-one:~# host -t SRV _kerberos._udp.earth.local
_kerberos._udp.earth.local has SRV record 0 100 88 bubba3-one.earth.local.
root at bubba3-one:~#

These _bla._tcp (or _udp) hostnames are synced during the dnsupdate
process. Syncing _kerberos-master is not part of that sync process.
Since the ldapsearch is not working, I am pretty sure this is the reason
why sssd is failing:

root at bubba3-one:~# sssd -i -d3
(Wed Feb 19 22:15:18:476155 2014) [sssd] [check_file] (0x0020): lstat for
[/var/run/nscd/socket] failed: [2][No such file or directory].
(Wed Feb 19 22:15:18 2014) [sssd] [server_setup] (0x0080): CONFDB:
/var/lib/sss/db/config.ldb
(Wed Feb 19 22:15:18 2014) [sssd] [sbus_new_server] (0x0080): D-BUS Server
listening on
unix:path=/var/lib/sss/pipes/private/sbus-monitor,guid=135feef4d0e0b9d7d08b26bb53051ee6
(Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [server_setup] (0x0080):
CONFDB: /var/lib/sss/db/config.ldb
(Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_context_init] (0x0080):
Created new fail over context, retry timeout is 30
(Wed Feb 19 22:15:18 2014) [sssd] [monitor_service_init] (0x0080):
Initializing D-BUS Service
(Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [sbus_new_server] (0x0080):
D-BUS Server listening on
unix:path=/var/lib/sss/pipes/private/sbus-dp_default.3584,guid=d52d8dead3406dd979958e2d53051ee6
(Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] (0x0080):
Creating new service 'LDAP'
(Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080):
Adding new server 'bubba3-one.earth.local', to service 'LDAP'
(Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] (0x0080):
Creating new service 'KERBEROS'
(Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080):
Adding new server 'bubba3-one.earth.local', to service 'KERBEROS'
(Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080):
Adding new server 'bubba3-one.earth.local', to service 'KERBEROS'
(Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] (0x0080):
Creating new service 'KPASSWD'
(Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080):
Adding new server 'bubba3-one.earth.local', to service 'KPASSWD'
(Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [sssm_simple_access_init]
(0x0020): No rules supplied for simple access provider. Access will be
granted for all users.
(Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [be_process_init] (0x0020):
No Session module provided for [default] !!
(Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [be_process_init] (0x0020):
No host info module provided for [default] !!
(Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [main] (0x0020): Backend
provider (default) started!
(Wed Feb 19 22:15:19 2014) [sssd[nss]] [server_setup] (0x0080): (Wed Feb 19
22:15:19 2014) [sssd[pam]] [server_setup] (0x0080): CONFDB:
/var/lib/sss/db/config.ldb
(Wed Feb 19 22:15:19 2014) [sssd] [monitor_service_init] (0x0080):
Initializing D-BUS Service
CONFDB: /var/lib/sss/db/config.ldb
(Wed Feb 19 22:15:19 2014) [sssd] [monitor_service_init] (0x0080):
Initializing D-BUS Service
(Wed Feb 19 22:15:19 2014) [sssd[pam]] [sss_process_init] (0x0020): (Wed
Feb 19 22:15:19 2014) [sssd[nss]] [sss_process_init] (0x0020): Responder
Initialization complete
Responder Initialization complete
(Wed Feb 19 22:15:19 2014) [sssd[nss]] [nss_process_init] (0x0020): NSS
Initialization complete
(Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [sasl_bind_send] (0x0020):
ldap_sasl_bind failed (-2)[Local error]
(Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [fo_resolve_service_send]
(0x0020): No available servers for service 'LDAP'
(Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [sdap_id_op_connect_done]
(0x0020): Failed to connect, going offline (5 [Input/output error])
(Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [be_run_offline_cb]
(0x0080): Going offline. Running callbacks.


Any bright ideas? (Sorry if these are all stupid questions ... this stuff
is all very new to me and I think I am getting close :) )
Thanks!


regards,

Kenneth
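
The post reads the tcpdump capture by eye to find the SRV query that came back NXDomain. The following is an added example (not part of the post or of sssd/Samba) that automates that reading: it pairs each DNS SRV query in tcpdump output with its reply by transaction id, re-joining records that a mail client wrapped, and then lists which of the standard Kerberos SRV names under the realm did not resolve. The capture lines are constructed to mirror the post's format, not copied from it; the SRV names in KERBEROS_SRV are the ones MIT Kerberos clients use for DNS-based KDC location.

```python
import re

# Constructed tcpdump DNS lines modelled on the post's capture (not its actual
# output); the last query is wrapped across two lines the way the mail was.
CAPTURE = """\
22:10:27.701218 IP buba3-one.earth.local.48796 > buba3-one.earth.local.domain: 34430+ SRV? _kerberos-master._udp.EARTH.LOCAL. (51)
22:10:27.701862 IP buba3-one.earth.local.domain > buba3-one.earth.local.48796: 34430 NXDomain* 0/1/0 (104)
22:10:27.704001 IP buba3-one.earth.local.40001 > buba3-one.earth.local.domain: 41111+ SRV? _kerberos._udp.EARTH.LOCAL. (44)
22:10:27.704500 IP buba3-one.earth.local.domain > buba3-one.earth.local.40001: 41111* 1/0/0 SRV bubba3-one.earth.local.:88 0 100 (86)
22:10:27.705000 IP buba3-one.earth.local.50123 >
buba3-one.earth.local.domain: 50222+ SRV? _ldap._tcp.EARTH.LOCAL. (40)
"""
TIMESTAMP = re.compile(r"\d\d:\d\d:\d\d\.\d+ ")
QUERY = re.compile(r": (\d+)\+ SRV\? (\S+?)\.? \(")        # "34430+ SRV? name. (len)"
REPLY = re.compile(r": (\d+)\*? (NXDomain|ServFail|Refused|\d+/\d+/\d+)")
# SRV names an MIT Kerberos client may look up under its realm for DNS-based KDC location.
KERBEROS_SRV = ("_kerberos._udp", "_kerberos._tcp", "_kerberos-master._udp", "_kpasswd._udp")

def records(capture):
    """Re-join records a mail client wrapped: each record starts at a timestamp."""
    buf = []
    for line in capture.splitlines():
        if TIMESTAMP.match(line) and buf:
            yield " ".join(buf)
            buf = []
        buf.append(line.strip())
    if buf:
        yield " ".join(buf)

def srv_lookups(capture):
    """Pair SRV queries with replies by DNS txid -> {name: 'ok'|'NODATA'|'NXDomain'|rcode|'unanswered'}."""
    pending, result = {}, {}
    for rec in records(capture):
        q = QUERY.search(rec)
        if q:
            pending[q.group(1)] = name = q.group(2).lower()
            result[name] = "unanswered"          # overwritten when the reply is seen
            continue
        r = REPLY.search(rec)
        if r and r.group(1) in pending:
            status = r.group(2)
            if "/" in status:  # NOERROR: "answers/authority/additional" counts
                status = "ok" if int(status.split("/")[0]) else "NODATA"
            result[pending.pop(r.group(1))] = status
    return result

def unresolved(lookups, realm):
    """Standard Kerberos SRV names under realm that did not resolve in the capture."""
    names = [f"{p}.{realm.lower()}" for p in KERBEROS_SRV]
    return {n: lookups.get(n, "not queried") for n in names if lookups.get(n) != "ok"}
```

Running `unresolved(srv_lookups(CAPTURE), "EARTH.LOCAL")` on the constructed capture reports `_kerberos-master._udp` as NXDomain and the names that were never queried, while `_kerberos._udp` resolves; to use it on a real capture, paste the tcpdump output into CAPTURE.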

