[Samba] Configuring RHEL6 Samba4 DC for local accounts

Michael Brown michael at netdirect.ca
Sun Jan 26 12:42:59 MST 2014

On 14-01-26 02:10 PM, Rowland Penny wrote:
> Well if you don't count the removal of the sernet-samba packages as a 
> technical problem, then OK, see here:
> https://lists.samba.org/archive/samba/2013-December/177449.html 
Well no, I'd call that a packaging problem (semantics, really). On 
Ubuntu. Fortunately I'm on RHEL today so it's not an issue.

Anyways, I've followed the example at 
exactly (exactly at first, and I've made some modifications with no effect):

# samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=exfile01$
# klist -k /etc/krb5.sssd.keytab
Keytab name: FILE:/etc/krb5.sssd.keytab
KVNO Principal
    1 exfile01$@AD.EXAMPLE.COM
    1 exfile01$@AD.EXAMPLE.COM
    1 exfile01$@AD.EXAMPLE.COM

# cat /etc/sssd/sssd.conf
# [sssd] and [domain/ad.example.com] headers assumed; they did not survive in the archived post
[sssd]
services = nss, pam
config_file_version = 2
domains = ad.example.com

[domain/ad.example.com]
ad_hostname = exfile01.ad.example.com
ad_server = ad.example.com
ad_domain = ad.example.com

ldap_schema = rfc2307bis
id_provider = ldap
access_provider = simple
enumerate = true
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = exfile01$@AD.EXAMPLE.COM
krb5_realm = AD.EXAMPLE.COM
krb5_server = ad.example.com
krb5_kpasswd = ad.example.com
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_krb5_init_creds = true

ldap_referrals = false
ldap_uri = ldap://ad.example.com
ldap_search_base = dc=ad,dc=example,dc=com
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell

ldap_group_object_class = group
ldap_group_name = cn
ldap_group_member = member

But when I start sssd I get:

Jan 26 14:31:22 exfile01 sssd_be: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

My krb5.conf looks like:
  # [libdefaults] header assumed; these keys are libdefaults options but the header is not in the archived post
  [libdefaults]
  default_realm = AD.IRPRUBBER.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  #rdns = false

I tried with and without rdns=false. Then I fixed forward/reverse for 
the host so they were identical. No luck :(

I'm stumped - anyone know where to go from here?


Michael Brown               | `One of the main causes of the fall of
Systems Consultant          | the Roman Empire was that, lacking zero,
Net Direct Inc.             | they had no way to indicate successful
☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
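A small consistency checker for the pieces quoted in the post (keytab principals, sssd.conf, krb5.conf): it derives the LDAP service principal the client will request under the given rdns setting and compares it with the SPNs the DC account holds, which is what "Server not found in Kerberos database" is about. This is an added example, not code from the thread or from the Samba/SSSD projects; the DNS records and the DC's SPN set are constructed stand-ins, while the realm, host and principal values are copied from the post.

```python
import re

# Constructed inputs shaped like the fragments quoted in the post above.
KLIST = "KVNO Principal\n    1 exfile01$@AD.EXAMPLE.COM\n"
SSSD_CONF = ("[domain/ad.example.com]\nldap_uri = ldap://ad.example.com\n"
             "ldap_sasl_authid = exfile01$@AD.EXAMPLE.COM\nkrb5_realm = AD.EXAMPLE.COM\n")
KRB5_CONF = "[libdefaults]\ndefault_realm = AD.IRPRUBBER.COM\nrdns = false\n"
# Constructed stand-ins for DNS and for the SPNs registered on the DC's account.
DNS_A = {"ad.example.com": "192.0.2.10"}
DNS_PTR = {"192.0.2.10": "dc1.ad.example.com"}
DC_SPNS = {"ldap/dc1.ad.example.com", "ldap/dc1"}

def parse_kv(text):
    """Read 'key = value' lines; section headers and comments are skipped."""
    out = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith(("#", "[")):
            k, _, v = line.partition("=")
            out[k.strip()] = v.strip()
    return out

def keytab_principals(klist_out):
    """Principal names from 'klist -k' output (KVNO column, then principal)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)\s*$", klist_out, re.M)}

def requested_spn(ldap_uri, rdns, a=DNS_A, ptr=DNS_PTR):
    """SPN the client asks the KDC for. With rdns on, libkrb5 resolves the URI
    host to an address and builds the name from that address's PTR record."""
    host = re.sub(r"^ldaps?://", "", ldap_uri).split("/")[0].split(":")[0]
    if rdns and host in a:
        host = ptr.get(a[host], host)
    return "ldap/" + host.lower()

def check(klist_out, sssd_conf, krb5_conf, dc_spns=DC_SPNS):
    """Cross-check keytab, sssd.conf and krb5.conf; return a list of findings."""
    sssd, krb5 = parse_kv(sssd_conf), parse_kv(krb5_conf)
    findings = []
    authid = sssd.get("ldap_sasl_authid", "")
    if authid not in keytab_principals(klist_out):
        findings.append("ldap_sasl_authid %s is not in the keytab" % authid)
    realm = authid.rpartition("@")[2]
    for key, val in (("krb5_realm", sssd.get("krb5_realm")),
                     ("default_realm", krb5.get("default_realm"))):
        if val and val != realm:
            findings.append("%s=%s differs from keytab realm %s" % (key, val, realm))
    rdns = krb5.get("rdns", "true").lower() != "false"
    spn = requested_spn(sssd.get("ldap_uri", ""), rdns)
    if spn not in dc_spns:
        findings.append("KDC holds no %s: 'Server not found in Kerberos database'" % spn)
    return findings
```

Run `check(KLIST, SSSD_CONF, KRB5_CONF)` to see the findings for the constructed inputs; flip `rdns` in KRB5_CONF to see how the requested SPN changes.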

