[Samba] Configuring RHEL6 Samba4 DC for local accounts
Rowland Penny
rowlandpenny at googlemail.com
Mon Jan 27 05:50:29 MST 2014
On 27/01/14 10:00, Rowland Penny wrote:
> On 27/01/14 09:37, steve wrote:
>> On Sun, 2014-01-26 at 14:42 -0500, Michael Brown wrote:
>>> On 14-01-26 02:10 PM, Rowland Penny wrote:
>>>> Well if you don't count the removal of the sernet-samba packages as a
>>>> technical problem, then OK, see here:
>>>>
>>>> https://lists.samba.org/archive/samba/2013-December/177449.html
>>> Well no, I'd call that a packaging problem (semantics, really). On
>>> Ubuntu. Fortunately I'm on RHEL today so it's not an issue.
>>>
>>> Anyways, I've followed the example at
>>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
>>>
>>> exactly (exactly at first, and I've made some modifications with no
>>> effect):
>>>
>>> # samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=exfile01$
>>> # klist -k /etc/krb5.sssd.keytab
>>> Keytab name: FILE:/etc/krb5.sssd.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------------------------------
>>>
>>> 1 exfile01$@AD.EXAMPLE.COM
>>> 1 exfile01$@AD.EXAMPLE.COM
>>> 1 exfile01$@AD.EXAMPLE.COM
>>>
>>> # cat /etc/sssd/sssd.conf
>>> [sssd]
>>> services = nss, pam
>>> config_file_version = 2
>>> domains = ad.example.com
>>>
>>> [nss]
>>>
>>> [pam]
>>>
>>> [domain/ad.example.com]
>>> ad_hostname = exfile01.ad.example.com
>>> ad_server = ad.example.com
>>> ad_domain = ad.example.com
>>>
>>> ldap_schema = rfc2307bis
>>> id_provider = ldap
>>> access_provider = simple
>>> enumerate = true
>>> auth_provider = krb5
>>> chpass_provider = krb5
>>> ldap_sasl_mech = gssapi
>>> ldap_sasl_authid = exfile01$@AD.EXAMPLE.COM
>>> krb5_realm = AD.EXAMPLE.COM
>>> krb5_server = ad.example.com
>>> krb5_kpasswd = ad.example.com
>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>> ldap_krb5_init_creds = true
>>>
>>> ldap_referrals = false
>>> ldap_uri = ldap://ad.example.com
>>> ldap_search_base = dc=ad,dc=example,dc=com
>>>
>>> dyndns_update=false
>>>
>>> ldap_id_mapping=false
>>>
>>> ldap_user_object_class = user
>>> ldap_user_name = samAccountName
>>> ldap_user_uid_number = uidNumber
>>> ldap_user_gid_number = gidNumber
>>> ldap_user_home_directory = unixHomeDirectory
>>> ldap_user_shell = loginShell
>>>
>>> ldap_group_object_class = group
>>> ldap_group_name = cn
>>> ldap_group_member = member
>>>
>>> But when I start sssd I get:
>>>
>>> Jan 26 14:31:22 exfile01 sssd_be: GSSAPI Error: Unspecified GSS
>>> failure. Minor code may provide more information (Server not found in
>>> Kerberos database)
>>>
>>> My krb5.conf looks like:
>>> [libdefaults]
>>> default_realm = AD.IRPRUBBER.COM
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>> #rdns = false
>>>
>>> I tried with and without rdns=false. Then I fixed forward/reverse for
>>> the host so they were identical. No luck :(
>>>
>>> I'm stumped - anyone know where to go from here?
>> You have mixed up the old pre 0.10.0 versions of sssd with the new. You
>> have taken bits of the config from both parts. Stick to one or the
>> other. I'd strongly recommend v1.11.3 but if you only have the old
>> version then stick with the first config with the rfc2307bis schema
>> which is detailed in the howto link you posted.
>>
>> To answer your specific question:
>> You have exported the keytab correctly, but then don't bother to use it!
>> None of the following are present to tell sssd where to look:
>>
>> ldap_sasl_mech = gssapi
>> ldap_sasl_authid = exfile01$
>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>
>> HTH
>> Steve
>>
>>
>>
> Hi Steve, would you like to borrow my glasses? ;-)
> All three lines are in the sssd.conf that the OP posted.
>
> Why not download the sssd source rpm package for f20 and create an el6
> rpm from that, if that can be made to work and you export the keytab
> to /etc/krb5.keytab, you only need this in sssd.conf:
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = example.com
>
> [nss]
>
> [pam]
>
> [domain/example.com]
> enumerate = false
> cache_credentials = true
> ldap_id_mapping = false
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
>
> A lot easier ;-)
>
> Rowland
OK, forget what I said about creating a 1.11 rpm, I remembered that I
had a Centos 6.4 client VM, so I started this and updated it. Now this
is using the standard s3 packages, but I installed and set up sssd as
per this wiki page:
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
The version of sssd that yum installed was 1.9.2 and this was the
sssd.conf I used:

[sssd]
services = nss, pam
config_file_version = 2
domains = example.com

[nss]

[pam]

[domain/example.com]
enumerate = true
cache_credentials = true
ldap_id_mapping = false
ldap_schema = ad
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
Note how different the conf file is from the one on the wikipage and the
total lack of any real configuration other than the realm name.
With this setup and RFC2307 attributes, getent pulls the users & groups
that have the required RFC2307 attributes.
As I said this was running as a client, but I have no reason to
disbelieve that it would not work on a samba4 server.
Rowland
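An added sanity check for the keytab step discussed in this thread (example code, not from any of the posts): it reads the `ldap_sasl_authid`, `krb5_realm` and `ldap_krb5_keytab` values out of sssd.conf text and confirms that the principal sssd will present over SASL/GSSAPI is actually among the entries of the `klist -k` listing for that keytab, and that the listing is for the keytab file sssd.conf names. Both inputs below are constructed from the values quoted in the thread; on a real host you would feed it the real file and the real `klist -k` output instead. Completing a realm-less authid with `krb5_realm` is this script's convention, assumed so that the comparison is against the fully qualified form klist prints.

```bash
#!/bin/bash
# Added example, not code from the thread: cross-check the SASL/GSSAPI identity
# that sssd.conf tells sssd to use against the principals actually present in
# the keytab it points at (the `klist -k` listing). Both inputs below are
# constructed from the values quoted in the thread.

SAMPLE_SSSD_CONF='[sssd]
services = nss, pam
config_file_version = 2
domains = ad.example.com

[domain/ad.example.com]
ldap_sasl_mech = gssapi
ldap_sasl_authid = exfile01$@AD.EXAMPLE.COM
krb5_realm = AD.EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.sssd.keytab
'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.sssd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 exfile01$@AD.EXAMPLE.COM
   1 exfile01$@AD.EXAMPLE.COM
   1 exfile01$@AD.EXAMPLE.COM
'

# conf_value CONF KEY: print the value of "KEY = value" from sssd.conf text
# (first match only; whitespace around the key, '=' and value is ignored).
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# keytab_principals KLIST: print each distinct principal from `klist -k` output,
# skipping the "Keytab name:" line and the column header/separator (only lines
# whose first field is a numeric KVNO are entries).
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# check_sssd_keytab CONF KLIST: return 0 when the configured ldap_sasl_authid is
# in the keytab, 1 otherwise. A realm-less authid is completed with krb5_realm
# (this script's convention, so it matches the qualified form klist prints).
check_sssd_keytab() {
    local authid realm keytab listed
    authid=$(conf_value "$1" ldap_sasl_authid)
    realm=$(conf_value "$1" krb5_realm)
    keytab=$(conf_value "$1" ldap_krb5_keytab)
    listed=$(printf '%s\n' "$2" | sed -n 's/^Keytab name: FILE:\(.*\)$/\1/p')

    if [ -z "$authid" ]; then
        echo "ERROR: ldap_sasl_authid is not set in sssd.conf" >&2
        return 1
    fi
    case "$authid" in
        *@*) ;;
        *)   authid="$authid@$realm" ;;
    esac
    # The listing should be for the same file sssd is told to read.
    if [ -n "$keytab" ] && [ -n "$listed" ] && [ "$keytab" != "$listed" ]; then
        echo "WARNING: sssd.conf uses $keytab but the listing is for $listed" >&2
    fi

    if keytab_principals "$2" | grep -qxF -- "$authid"; then
        echo "OK: $authid is present in the keytab"
        return 0
    fi
    echo "MISSING: $authid is not in the keytab; it holds:" >&2
    keytab_principals "$2" | sed 's/^/  /' >&2
    return 1
}

# Stand-alone run over the constructed samples.
check_sssd_keytab "$SAMPLE_SSSD_CONF" "$SAMPLE_KLIST"
```

If the principal is missing the script lists what the keytab does hold, which is the first thing to compare against the `--principal` given to `samba-tool domain exportkeytab`; a mismatch here would produce a GSSAPI failure before the DNS and rdns questions raised in the thread even come into play.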