[Samba] sssd + samba4 not working (yet)

L.P.H. van Belle belle at bazuin.nl
Thu Feb 20 00:34:26 MST 2014


Test as follows, I think you hit the Kerberos bug.
( IPv6 reverse DNS vs. SPNs during GSSAPI bind )

Remove libsasl2-modules-gssapi-mit
and
install libsasl2-modules-gssapi-heimdal,
test again.

If you now see an IPv6 address you did hit bug 696207.

You can try to add: rdns = false to the libdefaults in krb5.conf

You can try disabling IPv6 totally.
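The diagnosis above turns on how the client builds the LDAP service principal name (SPN) it asks the KDC for. What follows is an added illustration, not code from this thread, from sssd or from the MIT/Heimdal libraries: a small Python model in which the DC's forward and reverse records and the KDC's principal list are constructed (the addresses 192.168.1.10 and fd00::10 are made up), plus a line-based helper that puts rdns = false into [libdefaults] the way the reply suggests. With rdns enabled the name the KDC is asked about comes from a PTR record of the address actually connected to, so a mismatched or missing PTR ends in "Server not found in Kerberos database"; with rdns disabled the configured name is used as typed. It is worth noticing that the tcpdump quoted further down labels the host "buba3-one" while the shell prompt says "bubba3-one": tcpdump names addresses by reverse lookup, so that is the kind of PTR content an rdns-derived SPN would carry. The canonicalization below is a simplified model chosen to reproduce the symptom the reply describes (an IPv6 address showing up in the name); the real libraries differ in detail.

```python
"""Model of SPN construction under krb5.conf 'rdns', plus the config fix.

Added illustration; not code from the thread, sssd, MIT or Heimdal.
Zone data, addresses and the KDC principal list are constructed.
"""
from dataclasses import dataclass

REALM = "EARTH.LOCAL"
DC_FQDN = "bubba3-one.earth.local"

# Constructed forward zone: the DC has both an A and an AAAA record.
FORWARD = {DC_FQDN: ["192.168.1.10", "fd00::10"]}

# Constructed reverse zone: the IPv4 PTR carries the misspelt name that
# tcpdump printed in the thread, and the IPv6 address has no PTR at all.
REVERSE = {"192.168.1.10": "buba3-one.earth.local"}

# Constructed view of what the Samba AD KDC knows about the DC.
KDC_PRINCIPALS = {
    f"BUBBA3-ONE$@{REALM}",
    f"ldap/{DC_FQDN}@{REALM}",
    f"host/{DC_FQDN}@{REALM}",
}


@dataclass(frozen=True)
class Krb5Config:
    rdns: bool = True                      # MIT's default is true
    dns_canonicalize_hostname: bool = True


def build_spn(service: str, host: str, connect_addr: str, cfg: Krb5Config) -> str:
    """SPN the client asks the KDC for when binding to service@host.

    Simplified model: canonicalize the configured name through the forward
    zone; if rdns is on, replace it with the PTR name of the address that
    was actually connected to, falling back to the address literal when
    the PTR is missing. With rdns off the configured name is used as is.
    """
    name = host.lower().rstrip(".")
    if cfg.dns_canonicalize_hostname and name not in FORWARD:
        raise LookupError(f"no forward record for {name}")
    if cfg.rdns:
        name = REVERSE.get(connect_addr, connect_addr)
    return f"{service}/{name}@{REALM}"


def kdc_lookup(spn: str) -> str:
    """Constructed KDC answer, in the wording of the GSSAPI minor code."""
    if spn in KDC_PRINCIPALS:
        return f"ticket issued for {spn}"
    return f"Server not found in Kerberos database ({spn})"


def set_libdefaults_rdns_false(krb5_conf: str) -> str:
    """Return krb5.conf text with 'rdns = false' in [libdefaults].

    Line based so the rest of the file is untouched: an existing rdns line
    is rewritten, otherwise the setting is added at the end of the section
    (before trailing blank lines), and the section is created if absent.
    Applying it twice yields the same text.
    """
    out, in_libdefaults, done = [], False, False

    def append_setting():
        blanks = []
        while out and not out[-1].strip():
            blanks.append(out.pop())
        out.append("    rdns = false")
        out.extend(blanks)

    for line in krb5_conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_libdefaults and not done:
                append_setting()
                done = True
            in_libdefaults = stripped == "[libdefaults]"
        elif in_libdefaults and stripped.split("=", 1)[0].strip() == "rdns":
            line, done = "    rdns = false", True
        out.append(line)
    if in_libdefaults and not done:
        append_setting()
        done = True
    if not done:
        out.extend(["", "[libdefaults]", "    rdns = false"])
    return "\n".join(out).strip("\n") + "\n"


def demo():
    """The three cases the thread is about, as (label, KDC outcome) pairs."""
    cases = [
        ("rdns on, IPv4 connect", "192.168.1.10", Krb5Config()),
        ("rdns on, IPv6 connect", "fd00::10", Krb5Config()),
        ("rdns off", "fd00::10", Krb5Config(rdns=False)),
    ]
    return [(label, kdc_lookup(build_spn("ldap", DC_FQDN, addr, cfg)))
            for label, addr, cfg in cases]


if __name__ == "__main__":
    for label, outcome in demo():
        print(f"{label:24} -> {outcome}")
```

The first two cases fail for different reasons (a PTR that names the wrong host, and no PTR at all), the third succeeds because the client stops consulting reverse DNS; that is the whole content of the rdns = false advice, and it also removes a DNS input the client never verifies from the decision of which principal to request.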



 

>-----Original message-----
>From: kenneth.westelinck at gmail.com 
>[mailto:samba-bounces at lists.samba.org] On behalf of Kenneth Westelinck
>Sent: Thursday 20 February 2014 7:53
>To: Rowland Penny
>CC: samba at lists.samba.org
>Subject: Re: [Samba] sssd + samba4 not working (yet)
>
>Nope. Same problem. And I think it is all being caused by ldapsearch not working as it should.
>
>
>On Wed, Feb 19, 2014 at 11:20 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>>  On 19/02/14 21:17, Kenneth Westelinck wrote:
>>
>> While still trying to compile a newer version of sssd, I started to read parts of the sssd documentation. I found this:
>>
>> ---------------8<-------------------------8<-------------------------8<-------------------------8<---------------
>>
>> If using SASL/GSSAPI to bind to AD also test that the keytab is working properly:
>>
>> *klist -ke*
>>
>> *kinit -k CLIENT$@AD.EXAMPLE.COM*
>>
>> If you generated your keytab with a different createupn argument, it's possible this won't work and the following works instead. This is absolutely fine as far as sssd is concerned, and you can instead generate a ticket for the upn you have created:
>>
>> *kinit -k -t /etc/krb5.keytab 'nfs/client.ad.example.com@AD.EXAMPLE.COM'*
>>
>> Now using this credential you've just created try fetching data from the server with *ldapsearch* (in case of issues make sure */etc/openldap/ldap.conf* does not contain any unwanted settings):
>>
>> */usr/bin/ldapsearch -H ldap://server.ad.example.com/ -Y GSSAPI -N -b "dc=ad,dc=example,dc=com" "(&(objectClass=user)(sAMAccountName=aduser))"*
>>
>> By using the credential from the keytab, you've verified that this credential has sufficient rights to retrieve user information.
>>
>> After both *kinit* and *ldapsearch* work properly proceed to actual SSSD configuration.
>>
>> ---------------8<-------------------------8<-------------------------8<-------------------------8<---------------
>>  In my case this translates to:
>> root@bubba3-one:~# kinit -k -t /etc/krb5.sssd.keytab 'bubba3-one$@EARTH.LOCAL'
>> root@bubba3-one:~# ldapsearch -H ldap://bubba3-one.earth.local/ -Y GSSAPI -N -b "dc=earth,dc=local" "(&(objectClass=user)(sAMAccountName=kenneth))"
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
>> root at bubba3-one:~#
>>
>>  tcpdump tells me this:
>> ...
>> 22:10:27.701218 IP buba3-one.earth.local.48796 > buba3-one.earth.local.domain: 34430+ SRV? _kerberos-master._udp.EARTH.LOCAL. (51)
>> 22:10:27.701862 IP buba3-one.earth.local.domain > buba3-one.earth.local.48796: 34430 NXDomain* 0/1/0 (104)
>> 22:10:27.702890 IP buba3-one.earth.local.57167 > buba3-one.earth.local.domain: 57336+ SRV? _kerberos-master._tcp.EARTH.LOCAL. (51)
>> 22:10:27.703696 IP buba3-one.earth.local.domain > buba3-one.earth.local.57167: 57336 NXDomain* 0/1/0 (104)
>> 22:10:27.706413 IP buba3-one.earth.local.60088 > buba3-one.earth.local.ldap: Flags [P.], seq 1:8, ack 1, win 1025, options [nop,nop,TS val 20922020 ecr 20922002], length 7
>> 22:10:27.706477 IP buba3-one.earth.local.ldap > buba3-one.earth.local.60088: Flags [.], ack 8, win 1024, options [nop,nop,TS val 20922020 ecr 20922020], length 0
>> 22:10:27.707236 IP buba3-one.earth.local.60088 > buba3-one.earth.local.ldap: Flags [F.], seq 8, ack 1, win 1025, options [nop,nop,TS val 20922020 ecr 20922020], length 0
>> 22:10:27.707426 IP buba3-one.earth.local.ldap > buba3-one.earth.local.60088: Flags [F.], seq 1, ack 9, win 1024, options [nop,nop,TS val 20922020 ecr 20922020], length 0
>> 22:10:27.707474 IP buba3-one.earth.local.60088 > buba3-one.earth.local.ldap: Flags [.], ack 2, win 1025, options [nop,nop,TS val 20922020 ecr 20922020], length 0
>> 22:10:37.989185 IP buba3-one.earth.local.ldap > sonia.1.168.192.in-addr.arpa.39196: Flags [P.], seq 1035:1216, ack 404, win 1726, options [nop,nop,TS val 20923049 ecr 224407943], length 181
>> 22:10:37.989714 IP sonia.1.168.192.in-addr.arpa.39196 > buba3-one.earth.local.ldap: Flags [.], ack 1216, win 353, options [nop,nop,TS val 225308045 ecr 20923049], length 0
>> 22:10:37.989983 IP sonia.1.168.192.in-addr.arpa.39196 > buba3-one.earth.local.ldap: Flags [P.], seq 404:441, ack 1216, win 353, options [nop,nop,TS val 225308045 ecr 20923049], length 37
>> 22:10:37.990213 IP sonia.1.168.192.in-addr.arpa.39196 > buba3-one.earth.local.ldap: Flags [F.], seq 441, ack 1216, win 353, options [nop,nop,TS val 225308046 ecr 20923049], length 0
>> 22:10:38.023995 IP buba3-one.earth.local.ldap > sonia.1.168.192.in-addr.arpa.39196: Flags [R.], seq 1216, ack 442, win 1726, options [nop,nop,TS val 20923052 ecr 225308045], length 0
>>
>>  I am not an expert, but I think it means he's searching for
>> _kerberos_master._udp.EARTH.LOCAL
>> This one does not exist :(
>> This one exists though:
>> root@bubba3-one:~# host -t SRV _kerberos._udp.earth.local
>> _kerberos._udp.earth.local has SRV record 0 100 88 bubba3-one.earth.local.
>> root@bubba3-one:~#
>>
>> These _bla._tcp (or _udp) hostnames are synced during the dnsupdate process. Syncing _kerberos_master is not part of that sync process. Since the ldapsearch is not working, I am pretty sure this is the reason why sssd is failing:
>>
>> root@bubba3-one:~# sssd -i -d3
>> (Wed Feb 19 22:15:18:476155 2014) [sssd] [check_file] (0x0020): lstat for [/var/run/nscd/socket] failed: [2][No such file or directory].
>> (Wed Feb 19 22:15:18 2014) [sssd] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
>> (Wed Feb 19 22:15:18 2014) [sssd] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-monitor,guid=135feef4d0e0b9d7d08b26bb53051ee6
>> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
>> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
>> (Wed Feb 19 22:15:18 2014) [sssd] [monitor_service_init] (0x0080): Initializing D-BUS Service
>> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_default.3584,guid=d52d8dead3406dd979958e2d53051ee6
>> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] (0x0080): Creating new service 'LDAP'
>> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'LDAP'
>> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] (0x0080): Creating new service 'KERBEROS'
>> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'KERBEROS'
>> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'KERBEROS'
>> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] (0x0080): Creating new service 'KPASSWD'
>> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'KPASSWD'
>> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [sssm_simple_access_init] (0x0020): No rules supplied for simple access provider. Access will be granted for all users.
>> (Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [be_process_init] (0x0020): No Session module provided for [default] !!
>> (Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [be_process_init] (0x0020): No host info module provided for [default] !!
>> (Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [main] (0x0020): Backend provider (default) started!
>> (Wed Feb 19 22:15:19 2014) [sssd[nss]] [server_setup] (0x0080): (Wed Feb 19 22:15:19 2014) [sssd[pam]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
>> (Wed Feb 19 22:15:19 2014) [sssd] [monitor_service_init] (0x0080): Initializing D-BUS Service
>> CONFDB: /var/lib/sss/db/config.ldb
>> (Wed Feb 19 22:15:19 2014) [sssd] [monitor_service_init] (0x0080): Initializing D-BUS Service
>> (Wed Feb 19 22:15:19 2014) [sssd[pam]] [sss_process_init] (0x0020): (Wed Feb 19 22:15:19 2014) [sssd[nss]] [sss_process_init] (0x0020): Responder Initialization complete
>> Responder Initialization complete
>> (Wed Feb 19 22:15:19 2014) [sssd[nss]] [nss_process_init] (0x0020): NSS Initialization complete
>> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
>> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
>> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
>> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
>>
>>
>> Any bright ideas? (Sorry if these are all stupid questions ... this stuff is all very new to me and I think I am getting close :) )
>> Thanks!
>>
>>
>>  regards,
>>
>>  Kenneth
>>
>> Hi, would you like to try this sssd.conf? It is based on a working (for me on mint 15) sssd.conf:
>>
>>
>> [sssd]
>> services = nss, pam
>> config_file_version = 2
>> domains = earth.local
>>
>> [nss]
>>
>> [pam]
>>
>> [domain/earth.local]
>> description = AD domain with Samba 4 server
>>
>> # on large directories, you may want to disable enumeration for performance reasons
>> enumerate = true
>> id_provider = ldap
>>
>> auth_provider = krb5
>> chpass_provider = krb5
>> access_provider = ldap
>>
>>
>> krb5_server = bubba3-one.earth.local
>> krb5_kpasswd = bubba3-one.earth.local
>> krb5_realm = EARTH.LOCAL
>>
>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>> ldap_referrals = false
>> ldap_schema = rfc2307bis
>> ldap_access_order = expire
>> ldap_account_expire_policy = ad
>> ldap_force_upper_case_realm = true
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = bubba3-one$@EARTH.LOCAL
>>
>>
>> ldap_user_object_class = user
>> ldap_user_name = samAccountName
>> ldap_user_home_directory = unixHomeDirectory
>> ldap_user_principal = userPrincipalName
>>
>> ldap_group_object_class = group
>> ldap_group_name = sAMAccountName
>>
>>
>> Rowland
>>
>>
>
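Kenneth reads the tcpdump in his message as the cause of the failure. As an added example (not code from this thread, from sssd or from tcpdump), here is a small Python parser for tcpdump's DNS one-liners that pairs each query with its reply by transaction id and reports which SRV lookups failed, separating the records an Active Directory domain (a Samba AD DC included) publishes and clients depend on (_ldap._tcp, _kerberos._tcp, _kerberos._udp, _kpasswd._tcp, _kpasswd._udp) from anything else. The sample capture is constructed: the first four lines follow the shape of the quoted dump, the txid 11111 pair is made up to show what a successful SRV answer looks like, and the last line is a non-DNS packet the parser must ignore. Run over the quoted dump, the only failures are the two _kerberos-master lookups. In MIT Kerberos that record locates the master KDC and is optional, so an NXDomain for it is the expected answer in a domain that does not publish it, which fits the transcript: kinit returned without error and the failure came at the GSSAPI bind, which is what the reply at the top of this message addresses.

```python
"""Pair tcpdump DNS queries with replies and flag failed SRV lookups.

Added example; not code from the thread, sssd or tcpdump. The sample
capture below is constructed (see the comments on each group of lines).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_TCPDUMP = """\
22:10:27.701218 IP buba3-one.earth.local.48796 > buba3-one.earth.local.domain: 34430+ SRV? _kerberos-master._udp.EARTH.LOCAL. (51)
22:10:27.701862 IP buba3-one.earth.local.domain > buba3-one.earth.local.48796: 34430 NXDomain* 0/1/0 (104)
22:10:27.702890 IP buba3-one.earth.local.57167 > buba3-one.earth.local.domain: 57336+ SRV? _kerberos-master._tcp.EARTH.LOCAL. (51)
22:10:27.703696 IP buba3-one.earth.local.domain > buba3-one.earth.local.57167: 57336 NXDomain* 0/1/0 (104)
22:10:27.710000 IP buba3-one.earth.local.50000 > buba3-one.earth.local.domain: 11111+ SRV? _kerberos._udp.EARTH.LOCAL. (41)
22:10:27.710500 IP buba3-one.earth.local.domain > buba3-one.earth.local.50000: 11111* 1/0/0 SRV bubba3-one.earth.local.:88 0 100 (83)
22:10:27.706413 IP buba3-one.earth.local.60088 > buba3-one.earth.local.ldap: Flags [P.], seq 1:8, ack 1, win 1025, options [nop,nop,TS val 20922020 ecr 20922002], length 7
"""
# Lines 1-4: shape of the dump quoted in the thread (NXDomain answers).
# Lines 5-6: constructed successful SRV lookup (txid 11111).
# Line 7: constructed TCP packet to the ldap port; not DNS, must be ignored.

# tcpdump prints 'ID[flags] TYPE? name (len)' for a query and
# 'ID[flags] [rcode[flags]] answers/authority/additional' for a reply.
QUERY_RE = re.compile(r"\.domain: (\d+)\S* (\w+)\? (\S+) \(")
REPLY_RE = re.compile(
    r"\.domain > \S+: (\d+)\S* (?:(NXDomain|ServFail|Refused|FormErr)\S* )?(\d+)/(\d+)/(\d+)"
)

# SRV names an AD domain publishes and that Kerberos/LDAP clients rely on.
REQUIRED_SRV_PREFIXES = {
    "_ldap._tcp", "_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp", "_kpasswd._udp",
}


@dataclass
class DnsLookup:
    txid: int
    qtype: str
    name: str
    status: str = "unanswered"   # ok | nodata | NXDomain | ServFail | ...
    answers: int = 0


def parse_dns(capture: str) -> List[DnsLookup]:
    """One DnsLookup per query, filled in from the reply with the same txid."""
    lookups: Dict[int, DnsLookup] = {}
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            txid = int(m.group(1))
            lookups[txid] = DnsLookup(txid, m.group(2), m.group(3).rstrip(".").lower())
            continue
        m = REPLY_RE.search(line)
        if not m:
            continue
        lk = lookups.get(int(m.group(1)))
        if lk is None:           # reply whose query was not captured
            continue
        lk.answers = int(m.group(3))
        lk.status = m.group(2) or ("ok" if lk.answers else "nodata")
    return list(lookups.values())


def classify_failures(lookups: List[DnsLookup]) -> Tuple[List[DnsLookup], List[DnsLookup]]:
    """Split failed SRV lookups into (required by AD clients, optional)."""
    required, optional = [], []
    for lk in lookups:
        if lk.qtype != "SRV" or lk.status == "ok":
            continue
        prefix = ".".join(lk.name.split(".")[:2])   # e.g. '_kerberos._udp'
        (required if prefix in REQUIRED_SRV_PREFIXES else optional).append(lk)
    return required, optional


def report(capture: str) -> str:
    """Human-readable summary; required failures are listed first."""
    required, optional = classify_failures(parse_dns(capture))
    lines = [f"missing required SRV: {lk.name} ({lk.status})" for lk in required]
    lines += [f"optional SRV absent: {lk.name} ({lk.status})" for lk in optional]
    return "\n".join(lines) if lines else "all SRV lookups answered"


if __name__ == "__main__":
    print(report(SAMPLE_TCPDUMP))
```

A missing entry in the required set is something to fix on the DC (samba_dnsupdate on a Samba AD DC publishes those names); an entry in the optional list is not a reason for an LDAP bind to fail, which is why the GSSAPI error has to be chased separately.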