[Samba] Configuring RHEL6 Samba4 DC for local accounts

Rowland Penny rowlandpenny at googlemail.com
Sun Jan 26 15:27:54 MST 2014


On 26/01/14 19:42, Michael Brown wrote:
> On 14-01-26 02:10 PM, Rowland Penny wrote:
>> Well if you don't count the removal of the sernet-samba packages as a 
>> technical problem, then OK, see here:
>>
>> https://lists.samba.org/archive/samba/2013-December/177449.html 
> Well no, I'd call that a packaging problem (semantics, really). On 
> Ubuntu. Fortunately I'm on RHEL today so it's not an issue.
>
> Anyways, I've followed the example at 
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd 
> exactly (exactly at first, and I've made some modifications with no 
> effect):
>
> # samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=exfile01$
> # klist -k /etc/krb5.sssd.keytab
> Keytab name: FILE:/etc/krb5.sssd.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 exfile01$@AD.EXAMPLE.COM
>    1 exfile01$@AD.EXAMPLE.COM
>    1 exfile01$@AD.EXAMPLE.COM
>
> # cat /etc/sssd/sssd.conf
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = ad.example.com
>
> [nss]
>
> [pam]
>
> [domain/ad.example.com]
> ad_hostname = exfile01.ad.example.com
> ad_server = ad.example.com
> ad_domain = ad.example.com
>
> ldap_schema = rfc2307bis
> id_provider = ldap
> access_provider = simple
> enumerate = true
> auth_provider = krb5
> chpass_provider = krb5
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = exfile01$@AD.EXAMPLE.COM
> krb5_realm = AD.EXAMPLE.COM
> krb5_server = ad.example.com
> krb5_kpasswd = ad.example.com
> ldap_krb5_keytab = /etc/krb5.sssd.keytab
> ldap_krb5_init_creds = true
>
> ldap_referrals = false
> ldap_uri = ldap://ad.example.com
> ldap_search_base = dc=ad,dc=example,dc=com
>
> dyndns_update=false
>
> ldap_id_mapping=false
>
> ldap_user_object_class = user
> ldap_user_name = samAccountName
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_shell = loginShell
>
> ldap_group_object_class = group
> ldap_group_name = cn
> ldap_group_member = member
>
> But when I start sssd I get:
>
> Jan 26 14:31:22 exfile01 sssd_be: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
>
> My krb5.conf looks like:
> [libdefaults]
>  default_realm = AD.IRPRUBBER.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  #rdns = false
>
> I tried with and without rdns=false. Then I fixed forward/reverse for 
> the host so they were identical. No luck :(
>
> I'm stumped - anyone know where to go from here?
>
> M.
>
> -- 
> Michael Brown               | `One of the main causes of the fall of
> Systems Consultant          | the Roman Empire was that, lacking zero,
> Net Direct Inc.             | they had no way to indicate successful
> ☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
Is your DC really called ad.example.com or is it 
hostname.ad.example.com? Either way, I do not think your sssd.conf is 
going to work. Also, is there any chance you can update sssd to the 
latest 1.11 series?

Rowland
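
The question about the DC's name can be checked mechanically. The following is an added example, not part of the original thread or of SSSD: for each `ldap_uri` it lists the `ldap/host@REALM` service principal a GSSAPI bind would request and flags a URI that names the realm itself rather than a DC host. The sample config is constructed from the quoted settings, and the function name `gssapi_ldap_targets` is hypothetical.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the GSSAPI-relevant lines of the sssd.conf quoted above.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = ad.example.com

[domain/ad.example.com]
ldap_sasl_mech = gssapi
ldap_sasl_authid = exfile01$@AD.EXAMPLE.COM
krb5_realm = AD.EXAMPLE.COM
ldap_uri = ldap://ad.example.com
"""


def gssapi_ldap_targets(conf_text):
    """For each SSSD domain using GSSAPI, list the LDAP service principals
    a bind to ldap_uri would need, as (domain, host, spn, host_is_realm)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        if opts.get("ldap_sasl_mech", "").lower() != "gssapi":
            continue
        realm = opts.get("krb5_realm", "").upper()
        for uri in opts.get("ldap_uri", "").split(","):
            host = urlparse(uri.strip()).hostname
            if not host:
                continue
            # SPN as derived from the URI, before any DNS canonicalisation
            # (rdns / dns_canonicalize_hostname) done by the Kerberos library.
            spn = f"ldap/{host}@{realm}"
            # True when the URI names the realm itself, not a DC's own FQDN.
            findings.append((section[len("domain/"):], host, spn,
                             host.lower() == realm.lower()))
    return findings


if __name__ == "__main__":
    for domain, host, spn, suspicious in gssapi_ldap_targets(SAMPLE_SSSD_CONF):
        note = "host equals realm name; check the SPN exists" if suspicious else "ok"
        print(f"{domain}: {host} -> {spn} [{note}]")
```

"Server not found in Kerberos database" is the KDC reporting that it has no entry for the requested service principal, so a flagged line is the first thing to compare against the SPNs registered on the DC's account.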


