[Samba] sssd problems after dc1 is no longer online

mourik jan heupink - merit heupink at merit.unu.edu
Thu Jul 24 03:23:25 MDT 2014

Hi Steve,

Thanks for your reply.

> Hi
> 1. Unless you have a reverse zone and your x.y.143.15 and ....16 resolve
> properly, use the fqdn.
I was doing that first, changed to ip's in the hope that it would work 
better, but it didn't.

>> ldap_uri = ldap://x.y.143.15, ldap://x.y.143.16
>> ldap_search_base = dc=samba,dc=merit,dc=unu,dc=edu
> For AD objects, this doesn't make sense. This domain does not correspond
> to anything in your realm. I could believe:
> ldap_search_base = cn=Users,dc=samba,dc=company,dc=com
> but I see no connection with samba.merit.unu.edu
> But it's late, too hot and everyone else has gone for a beer so we may
> well have missed something earlier in the thread.
Apologies: the dc=merit,dc=unu,dc=edu is my real search base, which I 
changed to dc=samba,dc=company,dc=com to make it more 'general'. I 
missed that line, my apologies.

> Maybe, but for AD I'd really recommend switching to sssd with a proper
> AD backend whwreupon you can forget about DNS. All the 1.11 series have
> it, as does the latest 1.12.0. the configuration is simple and when the
> cache is full it absolutely screams:
However, I'm at debian wheezy on this machine, so I'd have to compile 
sssd myself. That doesn't worry me, but the fact that I'd have to 
manually fiddle around with pam scares me a bit.

And also: it used to work perfectly, and stopped working after the dc1 
was taken offline.

Do these three lines line tell you something:
(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sdap_get_tgt_recv] 
(0x0400): Child responded: 0 
[FILE:/var/lib/sss/db/ccache_SAMBA.COMPANY.COM], expired on [1406223917]

(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] 
(0x0100): Executing sasl bind mech: gssapi, user: EPO$@SAMBA.COMPANY.COM

(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] 
(0x0020): ldap_sasl_bind failed (-2)[Local error]

I have now also spent an hour now to do it the winbind way and forget 
sssd, but also there are some issues: wbinfo rerturns all users/groups, 
but getent passwd/group does not. All users/groups have 
uidNumber/gidNumber, and the ranges in smb.conf match.

There has been a discussion here, that looks exactly like my problems 
now: http://marc.info/?l=samba&m=140603869320108&w=2

Sow...sssd doesn't work, winbind doesn't work... yet my AD works, users 
can logon, quickly.

Any reason to believe that a recent self-compiled sssd would work?

This is getting slightly frustrating. :-)

More information about the samba mailing list