[Samba] Configuring RHEL6 Samba4 DC for local accounts

Rowland Penny rowlandpenny at googlemail.com
Mon Jan 27 03:00:45 MST 2014


On 27/01/14 09:37, steve wrote:
> On Sun, 2014-01-26 at 14:42 -0500, Michael Brown wrote:
>> On 14-01-26 02:10 PM, Rowland Penny wrote:
>>> Well if you don't count the removal of the sernet-samba packages as a
>>> technical problem, then OK, see here:
>>>
>>> https://lists.samba.org/archive/samba/2013-December/177449.html
>> Well no, I'd call that a packaging problem (semantics, really). On
>> Ubuntu. Fortunately I'm on RHEL today so it's not an issue.
>>
>> Anyways, I've followed the example at
>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
>> exactly (exactly at first, and I've made some modifications with no effect):
>>
>> # samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=exfile01$
>> # klist -k /etc/krb5.sssd.keytab
>> Keytab name: FILE:/etc/krb5.sssd.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>      1 exfile01$@AD.EXAMPLE.COM
>>      1 exfile01$@AD.EXAMPLE.COM
>>      1 exfile01$@AD.EXAMPLE.COM
>>
>> # cat /etc/sssd/sssd.conf
>> [sssd]
>> services = nss, pam
>> config_file_version = 2
>> domains = ad.example.com
>>
>> [nss]
>>
>> [pam]
>>
>> [domain/ad.example.com]
>> ad_hostname = exfile01.ad.example.com
>> ad_server = ad.example.com
>> ad_domain = ad.example.com
>>
>> ldap_schema = rfc2307bis
>> id_provider = ldap
>> access_provider = simple
>> enumerate = true
>> auth_provider = krb5
>> chpass_provider = krb5
>> ldap_sasl_mech = gssapi
>> ldap_sasl_authid = exfile01$@AD.EXAMPLE.COM
>> krb5_realm = AD.EXAMPLE.COM
>> krb5_server = ad.example.com
>> krb5_kpasswd = ad.example.com
>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>> ldap_krb5_init_creds = true
>>
>> ldap_referrals = false
>> ldap_uri = ldap://ad.example.com
>> ldap_search_base = dc=ad,dc=example,dc=com
>>
>> dyndns_update=false
>>
>> ldap_id_mapping=false
>>
>> ldap_user_object_class = user
>> ldap_user_name = samAccountName
>> ldap_user_uid_number = uidNumber
>> ldap_user_gid_number = gidNumber
>> ldap_user_home_directory = unixHomeDirectory
>> ldap_user_shell = loginShell
>>
>> ldap_group_object_class = group
>> ldap_group_name = cn
>> ldap_group_member = member
>>
>> But when I start sssd I get:
>>
>> Jan 26 14:31:22 exfile01 sssd_be: GSSAPI Error: Unspecified GSS
>> failure.  Minor code may provide more information (Server not found in
>> Kerberos database)
>>
>> My krb5.conf looks like:
>> [libdefaults]
>>    default_realm = AD.IRPRUBBER.COM
>>    dns_lookup_realm = false
>>    dns_lookup_kdc = true
>>    #rdns = false
>>
>> I tried with and without rdns=false. Then I fixed forward/reverse for
>> the host so they were identical. No luck :(
>>
>> I'm stumped - anyone know where to go from here?
> You have mixed up the old pre 0.10.0 versions of sssd with the new. You
> have taken bits of the config from both parts. Stick to one or the
> other. I'd strongly recommend v1.11.3 but if you only have the old
> version then stick with the first config with the rfc2307bis schema
> which is detailed in the howto link you posted.
>
> To answer your specific question:
> You have exported the keytab correctly, but then don't bother to use it!
> None of the following are present to tell sssd where to look:
>
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = exfile01$
> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>
> HTH
> Steve
>
Hi Steve, would you like to borrow my glasses? ;-)
All three lines are in the sssd.conf that the OP posted.

Why not download the sssd source rpm package for f20 and create an el6 
rpm from that? If that can be made to work and you export the keytab to 
/etc/krb5.keytab, you only need this in sssd.conf:

[sssd]
services = nss, pam
config_file_version = 2
domains = example.com

[nss]

[pam]

[domain/example.com]
enumerate = false
cache_credentials = true
ldap_id_mapping = false
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

A lot easier ;-)

Rowland
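The two points argued over in this thread (whether the GSSAPI bind lines are present and agree with the exported keytab, and whether old ldap-provider options are being mixed with ad-provider options in one [domain/...] section) can be checked mechanically. The following is an added example written for this page; it is not code from the thread, from sssd or from Samba. It parses sssd.conf with the standard ini parser and the output of `klist -k` with a regular expression, then reports inconsistencies. The sample configs and klist output are constructed from what was posted above; the defaults it assumes (ldap_sasl_authid falling back to host/<fqdn>@REALM and ldap_krb5_keytab to /etc/krb5.keytab) are those documented in sssd-ldap(5).

```python
"""Added example: an sssd.conf consistency check for the GSSAPI/keytab
and ldap-vs-ad provider points raised in the thread. Not sssd code."""
import configparser
import re

# Constructed sample: the OP's sssd.conf, trimmed to the keys checked here.
OP_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = ad.example.com

[domain/ad.example.com]
ad_hostname = exfile01.ad.example.com
ad_server = ad.example.com
ad_domain = ad.example.com
ldap_schema = rfc2307bis
id_provider = ldap
auth_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = exfile01$@AD.EXAMPLE.COM
krb5_realm = AD.EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_uri = ldap://ad.example.com
"""

# Constructed sample: Rowland's minimal ad-provider config.
AD_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com

[domain/example.com]
enumerate = false
cache_credentials = true
ldap_id_mapping = false
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
"""

# Constructed sample: `klist -k /etc/krb5.sssd.keytab` as posted.
OP_KLIST = """Keytab name: FILE:/etc/krb5.sssd.keytab
KVNO Principal
---- ------------------------------------------------
   1 exfile01$@AD.EXAMPLE.COM
   1 exfile01$@AD.EXAMPLE.COM
"""


def parse_sssd_conf(text):
    """Parse sssd.conf (ini syntax) into {section: {key: value}}, case kept."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # do not lowercase option names
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def parse_klist(text):
    """Return {keytab_path: set(principals)} from `klist -k` output."""
    keytab, principals = None, set()
    for line in text.splitlines():
        m = re.match(r"Keytab name:\s*(?:FILE:)?(\S+)", line)
        if m:
            keytab = m.group(1)
            continue
        m = re.match(r"\s*\d+\s+(\S+@\S+)$", line)  # "KVNO principal@REALM"
        if m:
            principals.add(m.group(1))
    return {keytab: principals} if keytab else {}


def lint(conf, keytabs):
    """Return a list of (domain, finding); an empty list means consistent."""
    out = []
    doms = [d.strip() for d in conf.get("sssd", {}).get("domains", "").split(",")]
    for dom in filter(None, doms):
        sec = conf.get("domain/" + dom)
        if sec is None:
            out.append((dom, "listed in [sssd] domains but no [domain/%s] section" % dom))
            continue
        idp = sec.get("id_provider", "")
        # ad_* keys are sssd-ad(5) options; the ldap provider does not read them.
        ad_opts = sorted(k for k in sec if k.startswith("ad_"))
        if idp != "ad" and ad_opts:
            out.append((dom, "id_provider=%s but ad-provider options present: %s"
                        % (idp, ", ".join(ad_opts))))
        if idp == "ldap" and sec.get("ldap_sasl_mech", "").upper() == "GSSAPI":
            authid = sec.get("ldap_sasl_authid")
            if authid is None:  # sssd-ldap(5) default is host/<fqdn>@REALM
                out.append((dom, "ldap_sasl_authid not set; exported principal unused"))
                continue
            if "@" not in authid and sec.get("krb5_realm"):
                authid += "@" + sec["krb5_realm"]
            path = sec.get("ldap_krb5_keytab", "/etc/krb5.keytab")  # sssd default
            have = keytabs.get(path)
            if have is None:
                out.append((dom, "no klist output for keytab %s" % path))
            elif authid not in have:
                out.append((dom, "%s not in %s (has %s)" % (authid, path, sorted(have))))
    return out


if __name__ == "__main__":
    for name, conf in (("OP", OP_CONF), ("ad provider", AD_CONF)):
        print(name, lint(parse_sssd_conf(conf), parse_klist(OP_KLIST)) or "OK")
```

Run against the OP's config the only finding is the mixed ad_*/ldap-provider options; the three GSSAPI lines are present and the authid matches the keytab, which is the point Rowland makes above. Rowland's ad-provider config produces no findings. Deleting the ldap_krb5_keytab line from the OP's config makes the check fall back to /etc/krb5.keytab, for which no klist output was posted.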