[Samba] sssd + samba4 not working (yet)

Rowland Penny rowlandpenny at googlemail.com
Wed Feb 19 15:20:22 MST 2014


On 19/02/14 21:17, Kenneth Westelinck wrote:
> While still trying to compile a newer version of sssd, I started to 
> read parts of the sssd documentation. I found this:
> ---------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<----------
>
> If using SASL/GSSAPI to bind to AD also test that the keytab is working 
> properly:
>
> klist -ke
>
> kinit -k CLIENT$@AD.EXAMPLE.COM
>
> If you generated your keytab with a different createupn argument, it's 
> possible this won't work and the following works instead. This is 
> absolutely fine as far as sssd is concerned, and you can instead 
> generate a ticket for the upn you have created:
>
> kinit -k -t /etc/krb5.keytab 'nfs/client.ad.example.com@AD.EXAMPLE.COM'
>
> Now using this credential you've just created try fetching data from 
> the server with ldapsearch (in case of issues make sure 
> /etc/openldap/ldap.conf does not contain any unwanted settings):
>
> /usr/bin/ldapsearch -H ldap://server.ad.example.com/ -Y GSSAPI -N -b 
> "dc=ad,dc=example,dc=com" "(&(objectClass=user)(sAMAccountName=aduser))"
>
> By using the credential from the keytab, you've verified that this 
> credential has sufficient rights to retrieve user information.
>
> After both kinit and ldapsearch work properly proceed to actual 
> SSSD configuration.
>
> ---------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<-------------------------8<----------
> In my case this translates to:
> root@bubba3-one:~# kinit -k -t /etc/krb5.sssd.keytab 
> 'bubba3-one$@EARTH.LOCAL'
> root@bubba3-one:~# ldapsearch -H ldap://bubba3-one.earth.local/ -Y 
> GSSAPI -N -b "dc=earth,dc=local" 
> "(&(objectClass=user)(sAMAccountName=kenneth))"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error: 
> Unspecified GSS failure.  Minor code may provide more information 
> (Server not found in Kerberos database)
> root@bubba3-one:~#
>
> tcpdump tells me this:
> ...
> 22:10:27.701218 IP buba3-one.earth.local.48796 > 
> buba3-one.earth.local.domain: 34430+ SRV? 
> _kerberos-master._udp.EARTH.LOCAL. (51)
> 22:10:27.701862 IP buba3-one.earth.local.domain > 
> buba3-one.earth.local.48796: 34430 NXDomain* 0/1/0 (104)
> 22:10:27.702890 IP buba3-one.earth.local.57167 > 
> buba3-one.earth.local.domain: 57336+ SRV? 
> _kerberos-master._tcp.EARTH.LOCAL. (51)
> 22:10:27.703696 IP buba3-one.earth.local.domain > 
> buba3-one.earth.local.57167: 57336 NXDomain* 0/1/0 (104)
> 22:10:27.706413 IP buba3-one.earth.local.60088 > 
> buba3-one.earth.local.ldap: Flags [P.], seq 1:8, ack 1, win 1025, 
> options [nop,nop,TS val 20922020 ecr 20922002], length 7
> 22:10:27.706477 IP buba3-one.earth.local.ldap > 
> buba3-one.earth.local.60088: Flags [.], ack 8, win 1024, options 
> [nop,nop,TS val 20922020 ecr 20922020], length 0
> 22:10:27.707236 IP buba3-one.earth.local.60088 > 
> buba3-one.earth.local.ldap: Flags [F.], seq 8, ack 1, win 1025, 
> options [nop,nop,TS val 20922020 ecr 20922020], length 0
> 22:10:27.707426 IP buba3-one.earth.local.ldap > 
> buba3-one.earth.local.60088: Flags [F.], seq 1, ack 9, win 1024, 
> options [nop,nop,TS val 20922020 ecr 20922020], length 0
> 22:10:27.707474 IP buba3-one.earth.local.60088 > 
> buba3-one.earth.local.ldap: Flags [.], ack 2, win 1025, options 
> [nop,nop,TS val 20922020 ecr 20922020], length 0
> 22:10:37.989185 IP buba3-one.earth.local.ldap > 
> sonia.1.168.192.in-addr.arpa.39196: Flags [P.], seq 1035:1216, ack 
> 404, win 1726, options [nop,nop,TS val 20923049 ecr 224407943], length 181
> 22:10:37.989714 IP sonia.1.168.192.in-addr.arpa.39196 > 
> buba3-one.earth.local.ldap: Flags [.], ack 1216, win 353, options 
> [nop,nop,TS val 225308045 ecr 20923049], length 0
> 22:10:37.989983 IP sonia.1.168.192.in-addr.arpa.39196 > 
> buba3-one.earth.local.ldap: Flags [P.], seq 404:441, ack 1216, win 
> 353, options [nop,nop,TS val 225308045 ecr 20923049], length 37
> 22:10:37.990213 IP sonia.1.168.192.in-addr.arpa.39196 > 
> buba3-one.earth.local.ldap: Flags [F.], seq 441, ack 1216, win 353, 
> options [nop,nop,TS val 225308046 ecr 20923049], length 0
> 22:10:38.023995 IP buba3-one.earth.local.ldap > 
> sonia.1.168.192.in-addr.arpa.39196: Flags [R.], seq 1216, ack 442, win 
> 1726, options [nop,nop,TS val 20923052 ecr 225308045], length 0
>
> I am not an expert, but I think it means he's searching for 
> _kerberos_master._udp.EARTH.LOCAL
> This one does not exist :(
> This one exists though:
> root@bubba3-one:~# host -t SRV _kerberos._udp.earth.local
> _kerberos._udp.earth.local has SRV record 0 100 88 bubba3-one.earth.local.
> root@bubba3-one:~#
>
> These _bla._tcp (or _udp) hostnames are synced during the dnsupdate 
> process. Syncing _kerberos_master is not part of that sync process.
> Since the ldapsearch is not working, I am pretty sure this is the 
> reason why sssd is failing:
>
> root@bubba3-one:~# sssd -i -d3
> (Wed Feb 19 22:15:18:476155 2014) [sssd] [check_file] (0x0020): lstat 
> for [/var/run/nscd/socket] failed: [2][No such file or directory].
> (Wed Feb 19 22:15:18 2014) [sssd] [server_setup] (0x0080): CONFDB: 
> /var/lib/sss/db/config.ldb
> (Wed Feb 19 22:15:18 2014) [sssd] [sbus_new_server] (0x0080): D-BUS 
> Server listening on 
> unix:path=/var/lib/sss/pipes/private/sbus-monitor,guid=135feef4d0e0b9d7d08b26bb53051ee6
> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [server_setup] 
> (0x0080): CONFDB: /var/lib/sss/db/config.ldb
> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_context_init] 
> (0x0080): Created new fail over context, retry timeout is 30
> (Wed Feb 19 22:15:18 2014) [sssd] [monitor_service_init] (0x0080): 
> Initializing D-BUS Service
> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [sbus_new_server] 
> (0x0080): D-BUS Server listening on 
> unix:path=/var/lib/sss/pipes/private/sbus-dp_default.3584,guid=d52d8dead3406dd979958e2d53051ee6
> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] 
> (0x0080): Creating new service 'LDAP'
> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] 
> (0x0080): Adding new server 'bubba3-one.earth.local', to service 'LDAP'
> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] 
> (0x0080): Creating new service 'KERBEROS'
> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] 
> (0x0080): Adding new server 'bubba3-one.earth.local', to service 
> 'KERBEROS'
> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] 
> (0x0080): Adding new server 'bubba3-one.earth.local', to service 
> 'KERBEROS'
> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] 
> (0x0080): Creating new service 'KPASSWD'
> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] 
> (0x0080): Adding new server 'bubba3-one.earth.local', to service 'KPASSWD'
> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] 
> [sssm_simple_access_init] (0x0020): No rules supplied for simple 
> access provider. Access will be granted for all users.
> (Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [be_process_init] 
> (0x0020): No Session module provided for [default] !!
> (Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [be_process_init] 
> (0x0020): No host info module provided for [default] !!
> (Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [main] (0x0020): 
> Backend provider (default) started!
> (Wed Feb 19 22:15:19 2014) [sssd[nss]] [server_setup] (0x0080): (Wed 
> Feb 19 22:15:19 2014) [sssd[pam]] [server_setup] (0x0080): CONFDB: 
> /var/lib/sss/db/config.ldb
> (Wed Feb 19 22:15:19 2014) [sssd] [monitor_service_init] (0x0080): 
> Initializing D-BUS Service
> CONFDB: /var/lib/sss/db/config.ldb
> (Wed Feb 19 22:15:19 2014) [sssd] [monitor_service_init] (0x0080): 
> Initializing D-BUS Service
> (Wed Feb 19 22:15:19 2014) [sssd[pam]] [sss_process_init] (0x0020): 
> (Wed Feb 19 22:15:19 2014) [sssd[nss]] [sss_process_init] (0x0020): 
> Responder Initialization complete
> Responder Initialization complete
> (Wed Feb 19 22:15:19 2014) [sssd[nss]] [nss_process_init] (0x0020): 
> NSS Initialization complete
> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [sasl_bind_send] 
> (0x0020): ldap_sasl_bind failed (-2)[Local error]
> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] 
> [fo_resolve_service_send] (0x0020): No available servers for service 
> 'LDAP'
> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] 
> [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline 
> (5 [Input/output error])
> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [be_run_offline_cb] 
> (0x0080): Going offline. Running callbacks.
>
>
> Any bright ideas? (Sorry if these are all stupid questions ... this 
> stuff is all very new to me and I think I am getting close :) )
> Thanks!
>
>
> regards,
>
> Kenneth
Hi, would you like to try this sssd.conf? It is based on a working (for 
me on Mint 15) sssd.conf:

[sssd]
services = nss, pam
config_file_version = 2
domains = earth.local

[nss]

[pam]

[domain/earth.local]
description = AD domain with Samba 4 server
# on large directories, you may want to disable enumeration for performance reasons
enumerate = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

krb5_server = bubba3-one.earth.local
krb5_kpasswd = bubba3-one.earth.local
krb5_realm = EARTH.LOCAL

ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_referrals = false
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = bubba3-one$@EARTH.LOCAL

ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

ldap_group_object_class = group
ldap_group_name = sAMAccountName


Rowland
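As an added example (not code from either mail), the following Python lint checks the settings in an sssd.conf like the one above that a GSSAPI bind to the Samba AD DC depends on; the embedded sample configs are constructed from the posted one, and the ldap_referrals check reflects the sssd-ldap default of true.

```python
import configparser

# Constructed sample modelled on the sssd.conf posted above (not a verbatim copy).
GOOD_CONF = """[sssd]
domains = earth.local

[domain/earth.local]
id_provider = ldap
auth_provider = krb5
krb5_server = bubba3-one.earth.local
krb5_realm = EARTH.LOCAL
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = bubba3-one$@EARTH.LOCAL
enumerate = true
"""

# Constructed variant with the GSSAPI settings broken, to show what the lint catches.
BAD_CONF = (GOOD_CONF.replace("ldap_sasl_authid = bubba3-one$@EARTH.LOCAL\n", "")
            .replace("krb5_realm = EARTH.LOCAL", "krb5_realm = earth.local")
            .replace("ldap_referrals = false\n", ""))


def lint_sssd_conf(text, domain):
    """Return the problems found for [domain/<domain>] in an sssd.conf string."""
    cp = configparser.ConfigParser(interpolation=None)  # values contain '$'
    cp.read_string(text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        return [f"missing section [{section}]"]
    d = cp[section]
    problems = []
    realm = d.get("krb5_realm", "")
    if d.get("ldap_sasl_mech", "").upper() == "GSSAPI":
        # A GSSAPI bind needs a keytab, a principal to bind as, and its realm.
        for key in ("ldap_krb5_keytab", "ldap_sasl_authid", "krb5_realm"):
            if not d.get(key):
                problems.append(f"{key} is required when ldap_sasl_mech = GSSAPI")
        if realm != realm.upper():
            problems.append("krb5_realm must be the upper-case Kerberos realm")
        authid = d.get("ldap_sasl_authid", "")
        if "@" in authid and authid.rsplit("@", 1)[1] != realm:
            problems.append("ldap_sasl_authid realm does not match krb5_realm")
    if d.get("ldap_referrals", "true").lower() != "false":
        problems.append("ldap_referrals should be false against AD")
    if d.get("enumerate", "false").lower() == "true":
        problems.append("enumerate = true can be slow on large directories")
    return problems
```

Run it against the real /etc/sssd/sssd.conf before starting sssd -i -d3, so a missing keytab path or a mismatched realm shows up before the bind fails.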
