[Samba] sssd + samba4 not working (yet)

Kenneth Westelinck kenneth.westelinck at gmail.com
Sat Feb 22 03:29:38 MST 2014


So I managed to build sid's source for sssd-1.11.3 against
sernet-samba-4.1.4. Reconfigured sssd.conf according to
https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
and now everything is working as it should.
- getent passwd -> ok
- getent group -> ok
- id kenneth -> ok
- ls -l /tmp/filewithownerkenneth -> ok

So, it seems the sssd version delivered with Debian Wheezy (1.8 something)
is crap.

To be able to compile sssd-1.11.3, I followed
https://lists.samba.org/archive/samba/2014-January/177934.html more or less.
The problem is sernet-samba does not have a samba-dev package, so you have
to compare the file contents of the samba-dev package and recreate it with
what you can find in sernet-samba's build directory.
I also had to build and install libpwquality-1.2.3.

All very exciting stuff.
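The three things that had to agree before the GSSAPI bind worked in this thread are the SASL identity in sssd.conf, the principal actually present in the keytab, and the reverse-DNS behaviour of the Kerberos library (Belle's rdns advice quoted below). The following is an added example in Python, not code from the thread, from sssd or from Samba: it reads the domain section of sssd.conf, confirms that ldap_sasl_authid carries the krb5_realm and appears in a `klist -ke` listing, and reports when the [libdefaults] section of krb5.conf does not set `rdns = false`. The sssd.conf text is Rowland's, trimmed to the keys the check reads; the klist listings and krb5.conf fragments are constructed.

```python
"""Consistency check for an sssd GSSAPI bind against Samba AD: does the SASL
identity in sssd.conf exist in the keytab, do the realms agree, and does
krb5.conf carry the rdns workaround suggested in the thread?

Added example, not code from the thread, from sssd or from Samba.
"""
import configparser
import re

# One line per key in `klist -ke` output: "   2 principal@REALM (enctype)"
KLIST_ENTRY = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$")


def keytab_principals(klist_ke_output):
    """Principal names listed by `klist -ke` (repeated once per enctype)."""
    return [m["principal"] for m in map(KLIST_ENTRY.match, klist_ke_output.splitlines()) if m]


def libdefaults(krb5_conf_text):
    """Key/value pairs of the [libdefaults] section of a krb5.conf.
    Hand-written because configparser cannot parse the brace blocks in [realms]."""
    section, values = None, {}
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key.lower()] = value
    return values


def check_gssapi_bind(sssd_conf_text, domain, klist_ke_output, krb5_conf_text):
    """Return a list of problems found; an empty list means the settings agree."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    sec = cfg[f"domain/{domain}"]
    problems = []

    if sec.get("ldap_sasl_mech", "").upper() != "GSSAPI":
        return ["ldap_sasl_mech is not GSSAPI; this check only covers GSSAPI binds"]

    realm = sec.get("krb5_realm", "")
    if realm != realm.upper():
        problems.append(f"krb5_realm {realm!r} is not upper case")

    authid = sec.get("ldap_sasl_authid", "")
    if "@" not in authid:
        problems.append("ldap_sasl_authid is missing or has no @REALM part")
    else:
        authid_realm = authid.split("@", 1)[1]
        if authid_realm != realm:
            problems.append(f"ldap_sasl_authid realm {authid_realm!r} differs from krb5_realm {realm!r}")
        if authid not in keytab_principals(klist_ke_output):
            problems.append(f"{authid} is not in {sec.get('ldap_krb5_keytab', 'the keytab')}")

    # MIT krb5 defaults rdns to true; the thread's workaround for the IPv6
    # reverse-DNS vs. SPN mismatch is to set it to false in [libdefaults].
    if libdefaults(krb5_conf_text).get("rdns", "true").lower() != "false":
        problems.append("krb5.conf [libdefaults] does not set rdns = false")
    return problems


# Rowland's sssd.conf from the thread, trimmed to the keys this check reads.
SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = earth.local

[domain/earth.local]
id_provider = ldap
auth_provider = krb5
krb5_server = bubba3-one.earth.local
krb5_realm = EARTH.LOCAL
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_force_upper_case_realm = true
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = bubba3-one$@EARTH.LOCAL
"""

# Constructed `klist -ke` listing that does contain the SASL identity.
KLIST_OK = """\
Keytab name: FILE:/etc/krb5.sssd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 bubba3-one$@EARTH.LOCAL (aes256-cts-hmac-sha1-96)
   2 bubba3-one$@EARTH.LOCAL (arcfour-hmac)
   2 host/bubba3-one.earth.local@EARTH.LOCAL (aes256-cts-hmac-sha1-96)
"""

# Constructed listing with only the host/ principal (keytab exported with a
# different createupn than sssd.conf expects).
KLIST_HOST_ONLY = """\
Keytab name: FILE:/etc/krb5.sssd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/bubba3-one.earth.local@EARTH.LOCAL (aes256-cts-hmac-sha1-96)
"""

# Constructed krb5.conf fragments: with and without the rdns workaround.
KRB5_CONF_WITH_RDNS_OFF = """\
[libdefaults]
    default_realm = EARTH.LOCAL
    dns_lookup_kdc = true
    rdns = false

[realms]
    EARTH.LOCAL = {
        kdc = bubba3-one.earth.local
    }
"""
KRB5_CONF_DEFAULT = "[libdefaults]\n    default_realm = EARTH.LOCAL\n"

if __name__ == "__main__":
    print(check_gssapi_bind(SSSD_CONF, "earth.local", KLIST_OK, KRB5_CONF_WITH_RDNS_OFF))
    print(check_gssapi_bind(SSSD_CONF, "earth.local", KLIST_HOST_ONLY, KRB5_CONF_DEFAULT))
```

On a real host the two listings come from `klist -ke /etc/krb5.sssd.keytab` and the files from /etc/sssd/sssd.conf and /etc/krb5.conf; the check is read-only and can run before sssd is started, which avoids the ten-second failover timeout and "going offline" loop seen in the logs below.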


On Thu, Feb 20, 2014 at 10:58 PM, Kenneth Westelinck <
kenneth.westelinck at gmail.com> wrote:

> cried wolf too soon :(
>
> - getent passwd and group works
> - id kenneth takes forever and returns after a minute or so
> - touch /tmp/tst and then chown kenneth /tmp/tst and then ls -l /tmp/tst
> also takes forever
>
> While doing this, I can also see "[ldap_child] <defunct>" in the process
> list.
> In the logs I can see this:
>
> (Thu Feb 20 22:57:42 2014) [sssd[be[default]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x966a8]
> (Thu Feb 20 22:57:42 2014) [sssd[nss]] [sbus_reconnect] (0x0080): Making reconnection attempt 1 to [unix:path=/var/lib/sss/pipes/private/sbus-dp_default]
> (Thu Feb 20 22:57:42 2014) [sssd[nss]] [sbus_reconnect] (0x0080): Reconnected to [unix:path=/var/lib/sss/pipes/private/sbus-dp_default]
> (Thu Feb 20 22:57:42 2014) [sssd[nss]] [nss_dp_reconnect_init] (0x0020): Reconnected to the Data Provider.
> (Thu Feb 20 22:57:42 2014) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS)
> (Thu Feb 20 22:57:42 2014) [sssd[nss]] [nss_cmd_getpwuid_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 5, (null)
> Will try to return what we have in cache
> (Thu Feb 20 22:57:42 2014) [sssd[nss]] [client_recv] (0x0200): (Thu Feb 20 22:57:42 2014) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Client disconnected!
> Entering.
> (Thu Feb 20 22:57:42 2014) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x98550.
> (Thu Feb 20 22:57:42 2014) [sssd[be[default]]] [sbus_init_connection] (0x0200): Adding connection 98550
> (Thu Feb 20 22:57:42 2014) [sssd[be[default]]] [sbus_server_init_new_connection] (0x0200): Got a connection
> (Thu Feb 20 22:57:42 2014) [sssd[be[default]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x98e90]
> (Thu Feb 20 22:57:42 2014) [sssd[be[default]]] [client_registration] (0x0100): Cancel DP ID timeout [0x966a8]
> (Thu Feb 20 22:57:42 2014) [sssd[be[default]]] [client_registration] (0x0100): Added Frontend client [PAM]
> (Thu Feb 20 22:57:42 2014) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
>
> Is this sssd 1.8 messing with my mind?
>
>
>
> On Thu, Feb 20, 2014 at 1:48 PM, Kenneth Westelinck <
> kenneth.westelinck at gmail.com> wrote:
>
>> Yes \o/
>> remove libsasl2-modules-gssapi-mit
>> and
>> install  libsasl2-modules-gssapi-heimdal
>> did the trick
>>
>> And sssd:
>>
>> root at bubba3-one:/etc/sssd# getent passwd kenneth
>> kenneth:*:1002:513:kenneth:/:
>> root at bubba3-one:/etc/sssd#
>>
>>
>> \o/ \o/ \o/
>>
>> Brilliant! Thanks for all the help. Now, let's go and configure PAM :/
>>
>>
>> On Thu, Feb 20, 2014 at 8:34 AM, L.P.H. van Belle <belle at bazuin.nl>wrote:
>>
>>> test as follows, i think you hit the kerberos bug.
>>> ( IPv6 reverse DNS vs. SPNs during GSSAPI bind )
>>>
>>> remove libsasl2-modules-gssapi-mit
>>> and
>>> install  libsasl2-modules-gssapi-heimdal
>>> test again.
>>>
>>> if you now see an ipv6 address you did hit bug 696207
>>>
>>> you can try to add :  rdns = false to the libdefaults in krb5.conf
>>>
>>> you can try disabling ipv6 totally..
>>>
>>>
>>>
>>>
>>>
>>> >-----Original Message-----
>>> >From: kenneth.westelinck at gmail.com
>>> >[mailto:samba-bounces at lists.samba.org] On behalf of Kenneth Westelinck
>>> >Sent: Thursday 20 February 2014 7:53
>>> >To: Rowland Penny
>>> >CC: samba at lists.samba.org
>>> >Subject: Re: [Samba] sssd + samba4 not working (yet)
>>> >
>>> >Nope. Same problem. And I think it is all being caused by ldapsearch not
>>> >working as it should.
>>> >
>>> >
>>> >On Wed, Feb 19, 2014 at 11:20 PM, Rowland Penny
>>> ><rowlandpenny at googlemail.com
>>> >> wrote:
>>> >
>>> >>  On 19/02/14 21:17, Kenneth Westelinck wrote:
>>> >>
>>> >> While still trying to compile a newer version of sssd, I started to read
>>> >> parts of the sssd documentation. I found this:
>>> >>
>>> >> ---------------8<-------------------------8<-------------------------8<----------
>>> >>
>>> >> If using SASL/GSSAPI to bind to AD also test that the keytab is working
>>> >> properly:
>>> >>
>>> >> *klist -ke*
>>> >>
>>> >> *kinit -k CLIENT$@AD.EXAMPLE.COM*
>>> >>
>>> >> If you generated your keytab with a different createupn argument, it's
>>> >> possible this won't work and the following works instead. This is
>>> >> absolutely fine as far as sssd is concerned, and you can instead generate
>>> >> a ticket for the upn you have created:
>>> >>
>>> >> *kinit -k -t /etc/krb5.keytab 'nfs/client.ad.example.com at AD.EXAMPLE.COM'*
>>> >>
>>> >> Now using this credential you've just created try fetching data from the
>>> >> server with *ldapsearch* (in case of issues make sure
>>> >> */etc/openldap/ldap.conf* does not contain any unwanted settings):
>>> >>
>>> >> */usr/bin/ldapsearch -H ldap://server.ad.example.com/ -Y GSSAPI -N -b
>>> >> "dc=ad,dc=example,dc=com" "(&(objectClass=user)(sAMAccountName=aduser))"*
>>> >>
>>> >> By using the credential from the keytab, you've verified that this
>>> >> credential has sufficient rights to retrieve user information.
>>> >>
>>> >> After both *kinit* and *ldapsearch* work properly proceed to actual SSSD
>>> >> configuration.
>>> >>
>>> >>
>>> >> ---------------8<-------------------------8<-------------------------8<----------
>>> >> In my case this translates to:
>>> >> root at bubba3-one:~# kinit -k -t /etc/krb5.sssd.keytab 'bubba3-one$@EARTH.LOCAL'
>>> >> root at bubba3-one:~# ldapsearch -H ldap://bubba3-one.earth.local/ -Y GSSAPI -N -b "dc=earth,dc=local" "(&(objectClass=user)(sAMAccountName=kenneth))"
>>> >> SASL/GSSAPI authentication started
>>> >> ldap_sasl_interactive_bind_s: Local error (-2)
>>> >>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
>>> >> root at bubba3-one:~#
>>> >>
>>> >> tcpdump tells me this:
>>> >> ...
>>> >> 22:10:27.701218 IP buba3-one.earth.local.48796 > buba3-one.earth.local.domain: 34430+ SRV? _kerberos-master._udp.EARTH.LOCAL. (51)
>>> >> 22:10:27.701862 IP buba3-one.earth.local.domain > buba3-one.earth.local.48796: 34430 NXDomain* 0/1/0 (104)
>>> >> 22:10:27.702890 IP buba3-one.earth.local.57167 > buba3-one.earth.local.domain: 57336+ SRV? _kerberos-master._tcp.EARTH.LOCAL. (51)
>>> >> 22:10:27.703696 IP buba3-one.earth.local.domain > buba3-one.earth.local.57167: 57336 NXDomain* 0/1/0 (104)
>>> >> 22:10:27.706413 IP buba3-one.earth.local.60088 > buba3-one.earth.local.ldap: Flags [P.], seq 1:8, ack 1, win 1025, options [nop,nop,TS val 20922020 ecr 20922002], length 7
>>> >> 22:10:27.706477 IP buba3-one.earth.local.ldap > buba3-one.earth.local.60088: Flags [.], ack 8, win 1024, options [nop,nop,TS val 20922020 ecr 20922020], length 0
>>> >> 22:10:27.707236 IP buba3-one.earth.local.60088 > buba3-one.earth.local.ldap: Flags [F.], seq 8, ack 1, win 1025, options [nop,nop,TS val 20922020 ecr 20922020], length 0
>>> >> 22:10:27.707426 IP buba3-one.earth.local.ldap > buba3-one.earth.local.60088: Flags [F.], seq 1, ack 9, win 1024, options [nop,nop,TS val 20922020 ecr 20922020], length 0
>>> >> 22:10:27.707474 IP buba3-one.earth.local.60088 > buba3-one.earth.local.ldap: Flags [.], ack 2, win 1025, options [nop,nop,TS val 20922020 ecr 20922020], length 0
>>> >> 22:10:37.989185 IP buba3-one.earth.local.ldap > sonia.1.168.192.in-addr.arpa.39196: Flags [P.], seq 1035:1216, ack 404, win 1726, options [nop,nop,TS val 20923049 ecr 224407943], length 181
>>> >> 22:10:37.989714 IP sonia.1.168.192.in-addr.arpa.39196 > buba3-one.earth.local.ldap: Flags [.], ack 1216, win 353, options [nop,nop,TS val 225308045 ecr 20923049], length 0
>>> >> 22:10:37.989983 IP sonia.1.168.192.in-addr.arpa.39196 > buba3-one.earth.local.ldap: Flags [P.], seq 404:441, ack 1216, win 353, options [nop,nop,TS val 225308045 ecr 20923049], length 37
>>> >> 22:10:37.990213 IP sonia.1.168.192.in-addr.arpa.39196 > buba3-one.earth.local.ldap: Flags [F.], seq 441, ack 1216, win 353, options [nop,nop,TS val 225308046 ecr 20923049], length 0
>>> >> 22:10:38.023995 IP buba3-one.earth.local.ldap > sonia.1.168.192.in-addr.arpa.39196: Flags [R.], seq 1216, ack 442, win 1726, options [nop,nop,TS val 20923052 ecr 225308045], length 0
>>> >>
>>> >> I am not an expert, but I think it means he's searching for
>>> >> _kerberos_master._udp.EARTH.LOCAL
>>> >> This one does not exist :(
>>> >> This one exists though:
>>> >> root at bubba3-one:~# host -t SRV _kerberos._udp.earth.local
>>> >> _kerberos._udp.earth.local has SRV record 0 100 88 bubba3-one.earth.local.
>>> >> root at bubba3-one:~#
>>> >>
>>> >> These _bla._tcp (or _udp) hostnames are synced during the dnsupdate
>>> >> process. Syncing _kerberos_master is not part of that sync process.
>>> >> Since the ldapsearch is not working, I am pretty sure this is the reason
>>> >> why sssd is failing:
>>> >>
>>> >> root at bubba3-one:~# sssd -i -d3
>>> >> (Wed Feb 19 22:15:18:476155 2014) [sssd] [check_file] (0x0020): lstat for [/var/run/nscd/socket] failed: [2][No such file or directory].
>>> >> (Wed Feb 19 22:15:18 2014) [sssd] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
>>> >> (Wed Feb 19 22:15:18 2014) [sssd] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-monitor,guid=135feef4d0e0b9d7d08b26bb53051ee6
>>> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
>>> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
>>> >> (Wed Feb 19 22:15:18 2014) [sssd] [monitor_service_init] (0x0080): Initializing D-BUS Service
>>> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_default.3584,guid=d52d8dead3406dd979958e2d53051ee6
>>> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] (0x0080): Creating new service 'LDAP'
>>> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'LDAP'
>>> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] (0x0080): Creating new service 'KERBEROS'
>>> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'KERBEROS'
>>> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'KERBEROS'
>>> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_new_service] (0x0080): Creating new service 'KPASSWD'
>>> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'KPASSWD'
>>> >> (Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [sssm_simple_access_init] (0x0020): No rules supplied for simple access provider. Access will be granted for all users.
>>> >> (Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [be_process_init] (0x0020): No Session module provided for [default] !!
>>> >> (Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [be_process_init] (0x0020): No host info module provided for [default] !!
>>> >> (Wed Feb 19 22:15:19 2014) [sssd[be[default]]] [main] (0x0020): Backend provider (default) started!
>>> >> (Wed Feb 19 22:15:19 2014) [sssd[nss]] [server_setup] (0x0080): (Wed Feb 19 22:15:19 2014) [sssd[pam]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
>>> >> (Wed Feb 19 22:15:19 2014) [sssd] [monitor_service_init] (0x0080): Initializing D-BUS Service
>>> >> CONFDB: /var/lib/sss/db/config.ldb
>>> >> (Wed Feb 19 22:15:19 2014) [sssd] [monitor_service_init] (0x0080): Initializing D-BUS Service
>>> >> (Wed Feb 19 22:15:19 2014) [sssd[pam]] [sss_process_init] (0x0020): (Wed Feb 19 22:15:19 2014) [sssd[nss]] [sss_process_init] (0x0020): Responder Initialization complete
>>> >> Responder Initialization complete
>>> >> (Wed Feb 19 22:15:19 2014) [sssd[nss]] [nss_process_init] (0x0020): NSS Initialization complete
>>> >> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
>>> >> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
>>> >> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
>>> >> (Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>  Any bright ideas. (Sorry if these are all stupid questions ... this
>>> >> stuff is all very new to me and I think I am getting close :) )
>>> >> Thanks!
>>> >>
>>> >>
>>> >>  regards,
>>> >>
>>> >>  Kenneth
>>> >>
>>> >> Hi, would you like to try this sssd.conf? it is based on a working (for me
>>> >> on mint 15) sssd.conf:
>>> >>
>>> >>
>>> >> [sssd]
>>> >> services = nss, pam
>>> >> config_file_version = 2
>>> >> domains = earth.local
>>> >>
>>> >> [nss]
>>> >>
>>> >> [pam]
>>> >>
>>> >> [domain/earth.local]
>>> >> description = AD domain with Samba 4 server
>>> >>
>>> >> # on large directories, you may want to disable enumeration for performance reasons
>>> >> enumerate = true
>>> >> id_provider = ldap
>>> >>
>>> >> auth_provider = krb5
>>> >> chpass_provider = krb5
>>> >> access_provider = ldap
>>> >>
>>> >>
>>> >> krb5_server = bubba3-one.earth.local
>>> >> krb5_kpasswd = bubba3-one.earth.local
>>> >> krb5_realm = EARTH.LOCAL
>>> >>
>>> >> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>> >> ldap_referrals = false
>>> >> ldap_schema = rfc2307bis
>>> >> ldap_access_order = expire
>>> >> ldap_account_expire_policy = ad
>>> >> ldap_force_upper_case_realm = true
>>> >> ldap_sasl_mech = GSSAPI
>>> >> ldap_sasl_authid = bubba3-one$@EARTH.LOCAL
>>> >>
>>> >>
>>> >> ldap_user_object_class = user
>>> >> ldap_user_name = samAccountName
>>> >> ldap_user_home_directory = unixHomeDirectory
>>> >> ldap_user_principal = userPrincipalName
>>> >>
>>> >> ldap_group_object_class = group
>>> >> ldap_group_name = sAMAccountName
>>> >>
>>> >>
>>> >> Rowland
>>> >>
>>> >>
>>> >--
>>> >To unsubscribe from this list go to the following URL and read the
>>> >instructions:  https://lists.samba.org/mailman/options/samba
>>> >
>>> >
>>>
>>>
>>
>
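The sssd debug output and the tcpdump capture quoted above are easier to act on once the few decisive lines are pulled out mechanically. What follows is an added example in Python, not code from the thread, from sssd or from Samba: it parses sssd's debug line format, lists which servers failover registered per service, flags the sequence "bind failed, no servers left, going offline, NSS serving from cache" that explains the hanging `id` and `ls -l`, and pairs tcpdump's DNS queries with their replies by transaction id to report the SRV names that came back NXDomain. The sample inputs are the thread's own lines re-joined after mail wrapping, plus two constructed lines (transaction id 4242) that show what a successful SRV answer looks like.

```python
"""Triage helpers for the two kinds of evidence quoted in this thread: sssd
debug output (sssd -i -d3 and the responder logs) and a tcpdump of the
Kerberos SRV lookups.

Added example, not code from the thread, from sssd or from Samba.
"""
import re

# sssd debug format: (timestamp) [component] [function] (level): message
SSSD_LINE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[(?P<component>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$"
)

# Messages that explain a hanging `id` or `ls -l`, in the order the thread shows
# them: bind fails -> failover gives up -> backend offline -> NSS serves cache.
SIGNATURES = (
    ("ldap_sasl_bind failed", "SASL/GSSAPI bind to the LDAP server failed"),
    ("No available servers for service", "failover has no server left for the service"),
    ("Failed to connect, going offline", "backend switched to offline mode"),
    ("Unable to get information from Data Provider", "NSS responder is answering from cache only"),
)

ADD_SERVER = re.compile(r"Adding new server '(?P<srv>[^']+)', to service '(?P<svc>[^']+)'")

# tcpdump DNS summary: "<id>+ SRV? <name> (len)" for a query, "<id> [rcode]* a/b/c" for a reply
DNS_QUERY = re.compile(r"^\S+ IP \S+ > \S+: (?P<id>\d+)\+ SRV\? (?P<name>\S+) \(\d+\)$")
DNS_REPLY = re.compile(r"^\S+ IP \S+ > \S+: (?P<id>\d+)(?: (?P<rcode>[A-Za-z]+))?\*? \d+/\d+/\d+ ")


def parse_sssd_log(lines):
    """Dicts (ts, component, func, level, msg) for every line in sssd debug format."""
    return [m.groupdict() for m in (SSSD_LINE.match(line.strip()) for line in lines) if m]


def failover_servers(records):
    """Failover service name -> servers registered for it. Duplicates are kept on
    purpose: the thread's log registers the same KDC twice for KERBEROS."""
    servers = {}
    for rec in records:
        m = ADD_SERVER.search(rec["msg"]) if rec["func"] == "fo_add_server" else None
        if m:
            servers.setdefault(m["svc"], []).append(m["srv"])
    return servers


def triage(records):
    """(timestamp, component, explanation) for each known failure signature, in log order."""
    return [(rec["ts"], rec["component"], why)
            for rec in records for needle, why in SIGNATURES if needle in rec["msg"]]


def unresolved_srv_queries(lines):
    """Pair SRV queries with replies by DNS transaction id; return (name, rcode) for
    the ones the resolver answered with an error such as NXDomain."""
    pending, failed = {}, []
    for line in lines:
        line = line.strip()
        q = DNS_QUERY.match(line)
        if q:
            pending[q["id"]] = q["name"]
            continue
        r = DNS_REPLY.match(line)
        if r and r["id"] in pending:
            name = pending.pop(r["id"])
            if r["rcode"]:
                failed.append((name, r["rcode"]))
    return failed


# The thread's own sssd lines, re-joined after mail wrapping.
SAMPLE_SSSD_LOG = """\
(Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'LDAP'
(Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'KERBEROS'
(Wed Feb 19 22:15:18 2014) [sssd[be[default]]] [fo_add_server] (0x0080): Adding new server 'bubba3-one.earth.local', to service 'KERBEROS'
(Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Wed Feb 19 22:15:29 2014) [sssd[be[default]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Thu Feb 20 22:57:42 2014) [sssd[nss]] [nss_cmd_getpwuid_dp_callback] (0x0040): Unable to get information from Data Provider
""".splitlines()

# The first five lines are the thread's; the two with id 4242 are constructed
# to show a query that resolves.
SAMPLE_TCPDUMP = """\
22:10:27.701218 IP buba3-one.earth.local.48796 > buba3-one.earth.local.domain: 34430+ SRV? _kerberos-master._udp.EARTH.LOCAL. (51)
22:10:27.701862 IP buba3-one.earth.local.domain > buba3-one.earth.local.48796: 34430 NXDomain* 0/1/0 (104)
22:10:27.702890 IP buba3-one.earth.local.57167 > buba3-one.earth.local.domain: 57336+ SRV? _kerberos-master._tcp.EARTH.LOCAL. (51)
22:10:27.703696 IP buba3-one.earth.local.domain > buba3-one.earth.local.57167: 57336 NXDomain* 0/1/0 (104)
22:10:27.706413 IP buba3-one.earth.local.60088 > buba3-one.earth.local.ldap: Flags [P.], seq 1:8, ack 1, win 1025, options [nop,nop,TS val 20922020 ecr 20922002], length 7
22:10:27.710000 IP buba3-one.earth.local.40000 > buba3-one.earth.local.domain: 4242+ SRV? _kerberos._udp.earth.local. (44)
22:10:27.710500 IP buba3-one.earth.local.domain > buba3-one.earth.local.40000: 4242* 1/0/1 SRV bubba3-one.earth.local.:88 0 100 (98)
""".splitlines()

if __name__ == "__main__":
    records = parse_sssd_log(SAMPLE_SSSD_LOG)
    print(failover_servers(records))
    for ts, component, why in triage(records):
        print(f"{ts}  {component}: {why}")
    print(unresolved_srv_queries(SAMPLE_TCPDUMP))
```

Two things worth keeping in mind when reading the output. A `_kerberos-master` SRV name answered with NXDomain is not an error by itself: MIT krb5 asks for it to find the master KDC and carries on without one, which is consistent with the thread's fix being the SASL GSSAPI module swap rather than a DNS record. And "Unable to get information from Data Provider" followed by "Will try to return what we have in cache" is why `getent` kept answering while `id` and `ls -l` stalled: the responder serves stale cache entries while the backend is offline.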

