[Samba] sssd + samba4 not working (yet)

Kenneth Westelinck kenneth.westelinck at gmail.com
Thu Feb 20 05:48:47 MST 2014


Yes \o/
remove libsasl2-modules-gssapi-mit
and
install  libsasl2-modules-gssapi-heimdal
did the trick

And sssd:

root at bubba3-one:/etc/sssd# getent passwd kenneth
kenneth:*:1002:513:kenneth:/:
root at bubba3-one:/etc/sssd#


\o/ \o/ \o/

Brilliant! Thanks for all the help. Now, let's go and configure PAM :/


On Thu, Feb 20, 2014 at 8:34 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:

> test as follows, I think you hit the kerberos bug.
> ( IPv6 reverse DNS vs. SPNs during GSSAPI bind )
>
> remove libsasl2-modules-gssapi-mit
> and
> install  libsasl2-modules-gssapi-heimdal
> test again.
>
> if you now see an ipv6 address you did hit bug 696207
>
> you can try to add:  rdns = false to the libdefaults in krb5.conf
>
> you can try disabling ipv6 totally..
>
> >-----Original message-----
> >From: kenneth.westelinck at gmail.com
> >[mailto:samba-bounces at lists.samba.org] On behalf of Kenneth Westelinck
> >Sent: Thursday 20 February 2014 7:53
> >To: Rowland Penny
> >CC: samba at lists.samba.org
> >Subject: Re: [Samba] sssd + samba4 not working (yet)
> >
> >Nope. Same problem. And I think it is all being caused by ldapsearch not working as it should.
> >
> >
> >On Wed, Feb 19, 2014 at 11:20 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> >
> >> On 19/02/14 21:17, Kenneth Westelinck wrote:
> >>
> >> While still trying to compile a newer version of sssd, I started to read parts of the sssd documentation. I found this:
> >>
> >>
> >> ---------------8<-------------------------8<-------------------------8<---------------
> >>
> >> If using SASL/GSSAPI to bind to AD also test that the keytab is working properly:
> >>
> >> klist -ke
> >>
> >> kinit -k CLIENT$@AD.EXAMPLE.COM
> >>
> >> If you generated your keytab with a different createupn argument, it's possible this won't work and the following works instead. This is absolutely fine as far as sssd is concerned, and you can instead generate a ticket for the upn you have created:
> >>
> >> kinit -k -t /etc/krb5.keytab 'nfs/client.ad.example.com@AD.EXAMPLE.COM'
> >>
> >> Now using this credential you've just created try fetching data from the server with ldapsearch (in case of issues make sure /etc/openldap/ldap.conf does not contain any unwanted settings):
> >>
> >> /usr/bin/ldapsearch -H ldap://server.ad.example.com/ -Y GSSAPI -N -b "dc=ad,dc=example,dc=com" "(&(objectClass=user)(sAMAccountName=aduser))"
> >>
> >> By using the credential from the keytab, you've verified that this credential has sufficient rights to retrieve user information.
> >>
> >> After both kinit and ldapsearch work properly proceed to actual SSSD configuration.
> >>
> >>
> >> ---------------8<-------------------------8<-------------------------8<---------------
> >> In my case this translates to:
> >> root at bubba3-one:~# kinit -k -t /etc/krb5.sssd.keytab 'bubba3-one$@EARTH.LOCAL'
> >> root at bubba3-one:~# ldapsearch -H ldap://bubba3-one.earth.local/ -Y GSSAPI -N -b "dc=earth,dc=local" "(&(objectClass=user)(sAMAccountName=kenneth))"
> >> SASL/GSSAPI authentication started
> >> ldap_sasl_interactive_bind_s: Local error (-2)
> >>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
> >> root at bubba3-one:~#
> >>
> >> tcpdump tells me this:
> >> ...
> >> 22:10:27.701218 IP buba3-one.earth.local.48796 > buba3-one.earth.local.domain: 34430+ SRV? _kerberos-master._udp.EARTH.LOCAL. (51)
> >> 22:10:27.701862 IP buba3-one.earth.local.domain > buba3-one.earth.local.48796: 34430 NXDomain* 0/1/0 (104)
> >> 22:10:27.702890 IP buba3-one.earth.local.57167 > buba3-one.earth.local.domain: 57336+ SRV? _kerberos-master._tcp.EARTH.LOCAL. (51)
> >> 22:10:27.703696 IP buba3-one.earth.local.domain > buba3-one.earth.local.57167: 57336 NXDomain* 0/1/0 (104)
> >> 22:10:27.706413 IP buba3-one.earth.local.60088 > buba3-one.earth.local.ldap: Flags [P.], seq 1:8, ack 1, win 1025, options [nop,nop,TS val 20922020 ecr 20922002], length 7
> >> 22:10:27.706477 IP buba3-one.earth.local.ldap > buba3-one.earth.local.60088: Flags [.], ack 8, win 1024, options [nop,nop,TS val 20922020 ecr 20922020], length 0
> >> 22:10:27.707236 IP buba3-one.earth.local.60088 > buba3-one.earth.local.ldap: Flags [F.], seq 8, ack 1, win 1025, options [nop,nop,TS val 20922020 ecr 20922020], length 0
> >> 22:10:27.707426 IP buba3-one.earth.local.ldap > buba3-one.earth.local.60088: Flags [F.], seq 1, ack 9, win 1024, options [nop,nop,TS val 20922020 ecr 20922020], length 0
> >> 22:10:27.707474 IP buba3-one.earth.local.60088 > buba3-one.earth.local.ldap: Flags [.], ack 2, win 1025, options [nop,nop,TS val 20922020 ecr 20922020], length 0
> >> 22:10:37.989185 IP buba3-one.earth.local.ldap > sonia.1.168.192.in-addr.arpa.39196: Flags [P.], seq 1035:1216, ack 404, win 1726, options [nop,nop,TS val 20923049 ecr 224407943], length 181
> >> 22:10:37.989714 IP sonia.1.168.192.in-addr.arpa.39196 > buba3-one.earth.local.ldap: Flags [.], ack 1216, win 353, options [nop,nop,TS val 225308045 ecr 20923049], length 0
> >> 22:10:37.989983 IP sonia.1.168.192.in-addr.arpa.39196 > buba3-one.earth.local.ldap: Flags [P.], seq 404:441, ack 1216, win 353, options [nop,nop,TS val 225308045 ecr 20923049], length 37
> >> 22:10:37.990213 IP sonia.1.168.192.in-addr.arpa.39196 > buba3-one.earth.local.ldap: Flags [F.], seq 441, ack 1216, win 353, options [nop,nop,TS val 225308046 ecr 20923049], length 0
> >> 22:10:38.023995 IP buba3-one.earth.local.ldap > sonia.1.168.192.in-addr.arpa.39196: Flags [R.], seq 1216, ack 442, win 1726, options [nop,nop,TS val 20923052 ecr 225308045], length 0
> >>
> >> I am not an expert, but I think it means he's searching for _kerberos-master._udp.EARTH.LOCAL
> >> This one does not exist :(
> >> This one exists though:
> >> root at bubba3-one:~# host -t SRV _kerberos._udp.earth.local
> >> _kerberos._udp.earth.local has SRV record 0 100 88 bubba3-one.earth.local.
> >> root at bubba3-one:~#
> >>
> >> These _bla._tcp (or _udp) hostnames are synced during the dnsupdate process. Syncing _kerberos-master is not part of that sync process. Since the ldapsearch is not working, I am pretty sure this is the reason why sssd is failing:
> >>
> >> root at bubba3-one:~# sssd -i -d3
> >> (Wed Feb 19 22:15:18:476155 2014) [sssd] [check_file] (0x0020): lstat for [/var/run/nscd/socket] failed: [2][No such file or directory].
> >> (Wed Feb 19 22:15:18 2014) [sssd] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
> >> (Wed Feb 19 22:15:18 2014) [sssd] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-monitor,guid=135feef4d0e0b9d7d08b26bb53051ee6
> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
> >> (Wed Feb 19 22:15:18 2014) [sssd] [monitor_service_init] (0x0080): Initializing D-BUS Service
> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_default.3584,guid=d52d8dead3406dd979958e2d53051ee6
> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] (0x0080): Creating new service 'LDAP'
> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'LDAP'
> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] (0x0080): Creating new service 'KERBEROS'
> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'KERBEROS'
> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'KERBEROS'
> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] (0x0080): Creating new service 'KPASSWD'
> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'KPASSWD'
> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [sssm_simple_access_init] (0x0020): No rules supplied for simple access provider. Access will be granted for all users.
> >> (Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [be_process_init] (0x0020): No Session module provided for [default] !!
> >> (Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [be_process_init] (0x0020): No host info module provided for [default] !!
> >> (Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [main] (0x0020): Backend provider (default) started!
> >> (Wed Feb 19 22:15:19 2014) [sssd[nss]] [server_setup] (0x0080): (Wed Feb 19 22:15:19 2014) [sssd[pam]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
> >> (Wed Feb 19 22:15:19 2014) [sssd] [monitor_service_init] (0x0080): Initializing D-BUS Service
> >> CONFDB: /var/lib/sss/db/config.ldb
> >> (Wed Feb 19 22:15:19 2014) [sssd] [monitor_service_init] (0x0080): Initializing D-BUS Service
> >> (Wed Feb 19 22:15:19 2014) [sssd[pam]] [sss_process_init] (0x0020): (Wed Feb 19 22:15:19 2014) [sssd[nss]] [sss_process_init] (0x0020): Responder Initialization complete
> >> Responder Initialization complete
> >> (Wed Feb 19 22:15:19 2014) [sssd[nss]] [nss_process_init] (0x0020): NSS Initialization complete
> >> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> >> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
> >> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> >> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
> >>
> >>
> >> Any bright ideas? (Sorry if these are all stupid questions ... this stuff is all very new to me and I think I am getting close :) )
> >> Thanks!
> >>
> >>
> >>  regards,
> >>
> >>  Kenneth
> >>
> >> Hi, would you like to try this sssd.conf? It is based on a working (for me on mint 15) sssd.conf:
> >>
> >>
> >> [sssd]
> >> services = nss, pam
> >> config_file_version = 2
> >> domains = earth.local
> >>
> >> [nss]
> >>
> >> [pam]
> >>
> >> [domain/earth.local]
> >> description = AD domain with Samba 4 server
> >>
> >> # on large directories, you may want to disable enumeration for performance reasons
> >> enumerate = true
> >> id_provider = ldap
> >>
> >> auth_provider = krb5
> >> chpass_provider = krb5
> >> access_provider = ldap
> >>
> >>
> >> krb5_server = bubba3-one.earth.local
> >> krb5_kpasswd = bubba3-one.earth.local
> >> krb5_realm = EARTH.LOCAL
> >>
> >> ldap_krb5_keytab = /etc/krb5.sssd.keytab
> >> ldap_referrals = false
> >> ldap_schema = rfc2307bis
> >> ldap_access_order = expire
> >> ldap_account_expire_policy = ad
> >> ldap_force_upper_case_realm = true
> >> ldap_sasl_mech = GSSAPI
> >> ldap_sasl_authid = bubba3-one$@EARTH.LOCAL
> >>
> >>
> >> ldap_user_object_class = user
> >> ldap_user_name = samAccountName
> >> ldap_user_home_directory = unixHomeDirectory
> >> ldap_user_principal = userPrincipalName
> >>
> >> ldap_group_object_class = group
> >> ldap_group_name = sAMAccountName
> >>
> >>
> >> Rowland
> >>
> >>
> >--
> >To unsubscribe from this list go to the following URL and read the
> >instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
>
>
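Two things in this thread are worth having as a script rather than as a memory: the checklist quoted from the sssd documentation (klist on the keytab, kinit from it, then an ldapsearch with a GSSAPI bind, in that order, so the failing layer is obvious) and the rdns = false workaround L.P.H. van Belle suggests. With MIT Kerberos' default of rdns = true the client resolves the LDAP server's name to an address and then reverse-resolves that address to pick the host part of the SPN it asks a ticket for; if the PTR record points at something that never went into the keytab or the KDC, the bind fails with "Server not found in Kerberos database" even though the forward name is fine. The POSIX shell script below is an added example, not code from this thread, from sssd or from Samba. It prints the SPN the client will request and the name a reverse lookup would substitute, rewrites [libdefaults] in a krb5.conf you name so it carries exactly one rdns = false line (adding the section if the file has none), and runs the documented checks. The function names and the host, realm, keytab path and principal in the usage comment are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread (not code from the list, sssd or Samba).
# Covers (1) the pre-flight checks the sssd docs ask for before configuring
# sssd and (2) the "rdns = false" libdefaults workaround for a client that
# derives the LDAP server's SPN from a reverse lookup of its address.
# Hostnames, realm, keytab path and principal in the usage comment are
# constructed samples.

# spn_host NAME: the host part of the SPN the client will request when rdns
# is off: the name as typed, lowercased, without a trailing dot.
spn_host() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# reverse_name HOST: what rdns=true would substitute for HOST. Resolve it,
# then reverse-resolve the first address; print the reverse name, or the bare
# address when there is no PTR record. If this differs from spn_host, the
# keytab and KDC must know the reverse name, or rdns must be turned off.
reverse_name() {
    addr=$(getent hosts "$1" | awk 'NR==1 {print $1}')
    [ -n "$addr" ] || return 1
    rev=$(getent hosts "$addr" | awk 'NR==1 {print $2}')
    printf '%s\n' "${rev:-$addr}"
}

# ensure_rdns_false FILE: rewrite a krb5.conf so that [libdefaults] carries
# exactly one "rdns = false" line, appending the section if it is missing.
ensure_rdns_false() {
    tmp=$(mktemp) || return 1
    awk '
        BEGIN { insec = 0; done = 0; seen = 0 }
        /^[ \t]*\[/ {
            # leaving [libdefaults] without having met an rdns line: add it
            if (insec && !done) { print "\trdns = false"; done = 1 }
            insec = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/)
            if (insec) seen = 1
        }
        insec && /^[ \t]*rdns[ \t]*=/ {
            if (!done) { print "\trdns = false"; done = 1 }
            next   # drop any other rdns line in this section
        }
        { print }
        END {
            if (insec && !done) print "\trdns = false"
            if (!seen) { print "[libdefaults]"; print "\trdns = false" }
        }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# rdns_is_false FILE: succeed only if [libdefaults] sets rdns = false.
rdns_is_false() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/) }
        insec && /^[ \t]*rdns[ \t]*=[ \t]*false[ \t]*$/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# preflight SERVER REALM KEYTAB PRINCIPAL BASEDN USER: the check sequence from
# the sssd documentation, stopping at the first failure so the failing layer
# (keytab contents, KDC, or the GSSAPI bind to LDAP) is the one reported.
preflight() {
    server=$1 realm=$2 keytab=$3 princ=$4 basedn=$5 user=$6
    echo "SPN the client will request: ldap/$(spn_host "$server")@$realm"
    echo "name rdns=true would use instead: $(reverse_name "$server" || echo '(unresolvable)')"
    klist -ke "$keytab" || { echo "keytab unreadable or empty: $keytab"; return 1; }
    kinit -k -t "$keytab" "$princ" || { echo "kinit with keytab failed for $princ"; return 2; }
    ldapsearch -H "ldap://$server/" -Y GSSAPI -N -b "$basedn" \
        "(&(objectClass=user)(sAMAccountName=$user))" \
        || { echo "GSSAPI bind or search against $server failed"; return 3; }
}

# The checks run only when arguments are given, e.g. (constructed values):
#   sh preflight.sh dc1.ad.example.com AD.EXAMPLE.COM /etc/krb5.keytab \
#       'CLIENT$@AD.EXAMPLE.COM' 'dc=ad,dc=example,dc=com' aduser
[ "$#" -eq 0 ] || preflight "$@"
```

ensure_rdns_false only touches the file it is given, so it can be tried on a copy of /etc/krb5.conf before the real one; rdns_is_false is the matching check for a config-audit. The preflight needs a Kerberos client and ldapsearch on the host and is only run when arguments are supplied.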

