[Samba] Configuring RHEL6 Samba4 DC for local accounts

Michael Brown michael at netdirect.ca
Sun Jan 26 12:42:59 MST 2014


On 14-01-26 02:10 PM, Rowland Penny wrote:
> Well if you don't count the removal of the sernet-samba packages as a 
> technical problem, then OK, see here:
>
> https://lists.samba.org/archive/samba/2013-December/177449.html 
Well no, I'd call that a packaging problem (semantics, really). On 
Ubuntu. Fortunately I'm on RHEL today so it's not an issue.

Anyways, I've followed the example at 
https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd 
exactly (exactly at first, and I've made some modifications with no effect):

# samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=exfile01$
# klist -k /etc/krb5.sssd.keytab
Keytab name: FILE:/etc/krb5.sssd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    1 exfile01$@AD.EXAMPLE.COM
    1 exfile01$@AD.EXAMPLE.COM
    1 exfile01$@AD.EXAMPLE.COM

# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = ad.example.com

[nss]

[pam]

[domain/ad.example.com]
ad_hostname = exfile01.ad.example.com
ad_server = ad.example.com
ad_domain = ad.example.com

ldap_schema = rfc2307bis
id_provider = ldap
access_provider = simple
enumerate = true
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = exfile01$@AD.EXAMPLE.COM
krb5_realm = AD.EXAMPLE.COM
krb5_server = ad.example.com
krb5_kpasswd = ad.example.com
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_krb5_init_creds = true

ldap_referrals = false
ldap_uri = ldap://ad.example.com
ldap_search_base = dc=ad,dc=example,dc=com

dyndns_update=false

ldap_id_mapping=false

ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell

ldap_group_object_class = group
ldap_group_name = cn
ldap_group_member = member

But when I start sssd I get:

Jan 26 14:31:22 exfile01 sssd_be: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

My krb5.conf looks like:
[libdefaults]
  default_realm = AD.IRPRUBBER.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  #rdns = false

I tried with and without rdns=false. Then I fixed forward/reverse for 
the host so they were identical. No luck :(

I'm stumped - anyone know where to go from here?

M.

-- 
Michael Brown               | `One of the main causes of the fall of
Systems Consultant          | the Roman Empire was that, lacking zero,
Net Direct Inc.             | they had no way to indicate successful
☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
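
Added example, not part of the original message and not code from the Samba or SSSD projects: a consistency check over the configuration posted above that compares the realm in krb5.conf with the one in sssd.conf, confirms the SASL authid has a key in the keytab, and reports the LDAP service name the GSSAPI bind will ask the KDC for. The function names are hypothetical, and the inputs are constructed by copying the relevant lines from the message.

```python
from urllib.parse import urlparse

# Constructed input: lines copied from the sssd.conf, krb5.conf and klist output posted above.
SSSD_CONF = """\
[domain/ad.example.com]
ldap_sasl_mech = gssapi
ldap_sasl_authid = exfile01$@AD.EXAMPLE.COM
krb5_realm = AD.EXAMPLE.COM
ldap_uri = ldap://ad.example.com
"""
KRB5_CONF = """\
[libdefaults]
  default_realm = AD.IRPRUBBER.COM
  dns_lookup_kdc = true
  #rdns = false
"""
KEYTAB_PRINCIPALS = ["exfile01$@AD.EXAMPLE.COM"]


def parse_flat(text):
    """Parse [section] / key = value lines; '#' and ';' start comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return conf


def check_gssapi_setup(sssd_text, krb5_text, keytab_principals, domain):
    """Return the LDAP service name GSSAPI will request, plus any mismatches found."""
    dom = parse_flat(sssd_text)["domain/" + domain]
    default_realm = parse_flat(krb5_text).get("libdefaults", {}).get("default_realm")
    authid, realm = dom["ldap_sasl_authid"], dom["krb5_realm"]
    findings = []
    if default_realm != realm:
        findings.append(f"krb5.conf default_realm {default_realm} != sssd krb5_realm {realm}")
    if authid.rpartition("@")[2] != realm:
        findings.append(f"ldap_sasl_authid {authid} is not in realm {realm}")
    if authid not in keytab_principals:
        findings.append(f"{authid} has no key in the keytab")
    # The bind asks the KDC for ldap/<host from ldap_uri> (before any rdns canonicalization);
    # the KDC answers "Server not found in Kerberos database" when it holds no such principal.
    host = urlparse(dom["ldap_uri"]).hostname
    return {"requested_service": f"ldap/{host}", "findings": findings}


if __name__ == "__main__":
    print(check_gssapi_setup(SSSD_CONF, KRB5_CONF, KEYTAB_PRINCIPALS, "ad.example.com"))
```

The reported service name is what to compare against the service principals registered on the domain controller.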


