[Samba] Configuring RHEL6 Samba4 DC for local accounts

steve steve at steve-ss.com
Mon Jan 27 02:37:01 MST 2014


On Sun, 2014-01-26 at 14:42 -0500, Michael Brown wrote:
> On 14-01-26 02:10 PM, Rowland Penny wrote:
> > Well if you don't count the removal of the sernet-samba packages as a 
> > technical problem, then OK, see here:
> >
> > https://lists.samba.org/archive/samba/2013-December/177449.html 
> Well no, I'd call that a packaging problem (semantics, really). On 
> Ubuntu. Fortunately I'm on RHEL today so it's not an issue.
> 
> Anyways, I've followed the example at 
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd 
> exactly (exactly at first, and I've made some modifications with no effect):
> 
> # samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=exfile01$
> # klist -k /etc/krb5.sssd.keytab
> Keytab name: FILE:/etc/krb5.sssd.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>     1 exfile01$@AD.EXAMPLE.COM
>     1 exfile01$@AD.EXAMPLE.COM
>     1 exfile01$@AD.EXAMPLE.COM
> 
> # cat /etc/sssd/sssd.conf
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = ad.example.com
> 
> [nss]
> 
> [pam]
> 
> [domain/ad.example.com]
> ad_hostname = exfile01.ad.example.com
> ad_server = ad.example.com
> ad_domain = ad.example.com
> 
> ldap_schema = rfc2307bis
> id_provider = ldap
> access_provider = simple
> enumerate = true
> auth_provider = krb5
> chpass_provider = krb5
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = exfile01$@AD.EXAMPLE.COM
> krb5_realm = AD.EXAMPLE.COM
> krb5_server = ad.example.com
> krb5_kpasswd = ad.example.com
> ldap_krb5_keytab = /etc/krb5.sssd.keytab
> ldap_krb5_init_creds = true
> 
> ldap_referrals = false
> ldap_uri = ldap://ad.example.com
> ldap_search_base = dc=ad,dc=example,dc=com
> 
> dyndns_update=false
> 
> ldap_id_mapping=false
> 
> ldap_user_object_class = user
> ldap_user_name = samAccountName
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_shell = loginShell
> 
> ldap_group_object_class = group
> ldap_group_name = cn
> ldap_group_member = member
> 
> But when I start sssd I get:
> 
> Jan 26 14:31:22 exfile01 sssd_be: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
> 
> My krb5.conf looks like:
> [libdefaults]
>   default_realm = AD.IRPRUBBER.COM
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
>   #rdns = false
> 
> I tried with and without rdns=false. Then I fixed forward/reverse for 
> the host so they were identical. No luck :(
> 
> I'm stumped - anyone know where to go from here?

You have mixed up the old pre-0.10.0 versions of sssd with the new. You
have taken bits of the config from both parts. Stick to one or the
other. I'd strongly recommend v1.11.3, but if you only have the old
version then stick with the first config with the rfc2307bis schema,
which is detailed in the howto link you posted.

To answer your specific question:
You have exported the keytab correctly, but then don't bother to use it!
None of the following are present to tell sssd where to look:

ldap_sasl_mech = gssapi
ldap_sasl_authid = exfile01$
ldap_krb5_keytab = /etc/krb5.sssd.keytab

HTH
Steve
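The three options Steve lists are what make sssd actually pick up the exported keytab for its GSSAPI bind to the DC. The script below is an added example (not from this thread, not sssd or Samba code) that checks an sssd.conf domain section for exactly those settings and confirms that the ldap_sasl_authid principal really is in the keytab, using the text of `klist -k`. It assumes `key = value` lines in sssd.conf and, as the sssd-ldap man page describes, that an authid given without a realm (the `exfile01$` form) gets the krb5_realm appended; the config files and klist listing it runs against are constructed samples written to a temp directory so it runs offline.

```shell
#!/bin/sh
# Added example: verify that an sssd.conf domain section wires up the exported
# keytab for GSSAPI binds (ldap_sasl_mech / ldap_sasl_authid / ldap_krb5_keytab)
# and that the authid principal is present in the keytab. Inputs are constructed
# samples, not taken from a real host.

# sssd_opt FILE SECTION KEY -> prints the value of KEY in [SECTION], or nothing
sssd_opt() {
    awk -v sect="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { h = $0; gsub(/[[:space:]]/, "", h); in_sect = (h == sect); next }
        in_sect {
            line = $0; sub(/^[[:space:]]*/, "", line)
            if (line ~ /^[#;]/) next              # skip comments
            eq = index(line, "="); if (eq == 0) next
            k = substr(line, 1, eq - 1); sub(/[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr(line, eq + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# keytab_has_principal KLIST_FILE PRINCIPAL -> 0 if PRINCIPAL appears in "klist -k" output
keytab_has_principal() {
    awk -v p="$2" '$2 == p { found = 1 } END { exit !found }' "$1"
}

# check_sssd_gssapi SSSD_CONF DOMAIN KLIST_FILE -> 0 if the GSSAPI settings are complete and consistent
check_sssd_gssapi() {
    conf=$1; sect="domain/$2"; klist_file=$3; rc=0
    mech=$(sssd_opt "$conf" "$sect" ldap_sasl_mech)
    authid=$(sssd_opt "$conf" "$sect" ldap_sasl_authid)
    keytab=$(sssd_opt "$conf" "$sect" ldap_krb5_keytab)
    realm=$(sssd_opt "$conf" "$sect" krb5_realm)

    case $(printf '%s' "$mech" | tr '[:lower:]' '[:upper:]') in
        GSSAPI) ;;
        *) echo "missing/wrong: ldap_sasl_mech = gssapi (got '${mech:-<unset>}')"; rc=1 ;;
    esac
    [ -n "$keytab" ] || { echo "missing: ldap_krb5_keytab"; rc=1; }
    if [ -z "$authid" ]; then
        echo "missing: ldap_sasl_authid"; rc=1
    else
        case $authid in
            *@*) principal=$authid ;;
            *)   principal="$authid@$realm" ;;   # assumption: sssd appends krb5_realm when none is given
        esac
        keytab_has_principal "$klist_file" "$principal" \
            || { echo "ldap_sasl_authid '$principal' is not in the keytab listing"; rc=1; }
    fi
    return $rc
}

# Constructed sample inputs: a "klist -k" listing, a config that exports the
# keytab but never references it, and the same config with the three options added.
tmp=$(mktemp -d)
cat > "$tmp/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.sssd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 exfile01$@AD.EXAMPLE.COM
   1 exfile01$@AD.EXAMPLE.COM
   1 exfile01$@AD.EXAMPLE.COM
EOF
cat > "$tmp/broken.conf" <<'EOF'
[sssd]
domains = ad.example.com
[domain/ad.example.com]
id_provider = ldap
auth_provider = krb5
krb5_realm = AD.EXAMPLE.COM
ldap_uri = ldap://ad.example.com
EOF
{ cat "$tmp/broken.conf"; cat <<'EOF'
ldap_sasl_mech = gssapi
ldap_sasl_authid = exfile01$
ldap_krb5_keytab = /etc/krb5.sssd.keytab
EOF
} > "$tmp/fixed.conf"

for f in broken fixed; do
    if check_sssd_gssapi "$tmp/$f.conf" ad.example.com "$tmp/klist.txt"; then
        echo "$f.conf: GSSAPI keytab settings OK"
    else
        echo "$f.conf: sssd will not use the keytab"
    fi
done
```

On a real host, replace the constructed files with `/etc/sssd/sssd.conf` and the output of `klist -k /etc/krb5.sssd.keytab`; a "Server not found in Kerberos database" error while the settings check passes points at name resolution or the DC's SPNs rather than at sssd.conf.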