[Samba] sssd problems after dc1 is no longer online
mourik jan heupink - merit
heupink at merit.unu.edu
Thu Jul 24 03:23:25 MDT 2014
Hi Steve,
Thanks for your reply.
>
> Hi
> 1. Unless you have a reverse zone and your x.y.143.15 and ....16 resolve
> properly, use the fqdn.
I was doing that first, changed to ip's in the hope that it would work
better, but it didn't.
>>
>> ldap_uri = ldap://x.y.143.15, ldap://x.y.143.16
>> ldap_search_base = dc=samba,dc=merit,dc=unu,dc=edu
> For AD objects, this doesn't make sense. This domain does not correspond
> to anything in your realm. I could believe:
> ldap_search_base = cn=Users,dc=samba,dc=company,dc=com
> but I see no connection with samba.merit.unu.edu
> But it's late, too hot and everyone else has gone for a beer so we may
> well have missed something earlier in the thread.
Apologies: the dc=merit,dc=unu,dc=edu is my real search base, which I
changed to dc=samba,dc=company,dc=com to make it more 'general'. I
missed that line, my apologies.
> Maybe, but for AD I'd really recommend switching to sssd with a proper
> AD backend whereupon you can forget about DNS. All the 1.11 series have
> it, as does the latest 1.12.0. The configuration is simple and when the
> cache is full it absolutely screams:
However, I'm at debian wheezy on this machine, so I'd have to compile
sssd myself. That doesn't worry me, but the fact that I'd have to
manually fiddle around with pam scares me a bit.
And also: it used to work perfectly, and stopped working after the dc1
was taken offline.
Do these three lines tell you something:
(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_SAMBA.COMPANY.COM], expired on [1406223917]
(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: EPO$@SAMBA.COMPANY.COM
(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
I have now also spent an hour trying to do it the winbind way and forget
sssd, but there are issues there too: wbinfo returns all users/groups,
but getent passwd/group does not. All users/groups have
uidNumber/gidNumber, and the ranges in smb.conf match.
There has been a discussion here, that looks exactly like my problems
now: http://marc.info/?l=samba&m=140603869320108&w=2
So... sssd doesn't work, winbind doesn't work... yet my AD works, users
can log on, quickly.
Any reason to believe that a recent self-compiled sssd would work?
This is getting slightly frustrating. :-)
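An added triage helper for the symptoms in this message (example code, not part of the thread or of sssd): it parses the three sssd debug lines quoted above together with the ldap_uri value, decodes the "expired on" epoch into a UTC time, separates the successful machine-account kinit from the client-side GSSAPI bind failure, and flags ldap_uri entries that are IP literals rather than DC names. The sample input is constructed: the log lines are rejoined onto single lines and the obfuscated x.y.143.15/.16 addresses are replaced by the RFC 5737 documentation addresses 192.0.2.15/.16.

```python
"""Triage helper for sssd 'kinit succeeded, GSSAPI bind failed' logs (constructed example)."""
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample: the post's three debug lines on single lines, with the
# obfuscated x.y.143.x addresses replaced by documentation addresses.
SAMPLE_LDAP_URI = "ldap://192.0.2.15, ldap://192.0.2.16"
SAMPLE_LOG = (
    "(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): "
    "Child responded: 0 [FILE:/var/lib/sss/db/ccache_SAMBA.COMPANY.COM], expired on [1406223917]\n"
    "(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] (0x0100): "
    "Executing sasl bind mech: gssapi, user: EPO$@SAMBA.COMPANY.COM\n"
    "(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] (0x0020): "
    "ldap_sasl_bind failed (-2)[Local error]\n"
)

# sdap_get_tgt_recv reports the kinit child's exit code, the ccache it wrote and
# the TGT's expiry time as a Unix epoch ("expired on" is the expiry, not a failure).
TGT_RE = re.compile(r"\[sdap_get_tgt_recv\].*Child responded: (\d+) \[([^\]]+)\], expired on \[(\d+)\]")
BIND_MECH_RE = re.compile(r"Executing sasl bind mech: (\w+), user: (\S+)")
BIND_FAIL_RE = re.compile(r"ldap_sasl_bind failed \((-?\d+)\)\[([^\]]+)\]")


def parse_ldap_uris(value):
    """Split an sssd ldap_uri value; mark each entry whose host is an IP literal."""
    entries = []
    for raw in value.split(","):
        uri = raw.strip()
        if not uri:
            continue
        host = urlparse(uri).hostname or ""
        try:
            ipaddress.ip_address(host)
            is_ip = True
        except ValueError:
            is_ip = False
        entries.append({"uri": uri, "host": host, "ip_literal": is_ip})
    return entries


def parse_tgt_line(line):
    """Return result code, ccache and UTC expiry for an sdap_get_tgt_recv line, else None."""
    m = TGT_RE.search(line)
    if not m:
        return None
    return {
        "result": int(m.group(1)),
        "ccache": m.group(2),
        "expires": datetime.fromtimestamp(int(m.group(3)), tz=timezone.utc),
    }


def triage(ldap_uri, log):
    """Turn the config value and debug lines into a list of plain-text findings."""
    findings = []
    for u in parse_ldap_uris(ldap_uri):
        if u["ip_literal"]:
            findings.append(
                f"ldap_uri {u['uri']} is an IP literal: GSSAPI needs a name that maps to the "
                f"DC's ldap/<fqdn> SPN (or a PTR record for the address); use the DC's FQDN"
            )
    tgt, mech, bind_fail = None, None, None
    for line in log.splitlines():
        t = parse_tgt_line(line)
        if t:
            tgt = t
        m = BIND_MECH_RE.search(line)
        if m:
            mech = m.group(1)
        f = BIND_FAIL_RE.search(line)
        if f:
            bind_fail = (int(f.group(1)), f.group(2))
    if tgt and tgt["result"] == 0:
        findings.append(
            f"kinit as the machine account succeeded; TGT in {tgt['ccache']} valid until "
            f"{tgt['expires'].isoformat()}, so a KDC was reachable and the keytab key matched"
        )
    if bind_fail and mech == "gssapi" and tgt and tgt["result"] == 0:
        findings.append(
            f"GSSAPI bind failed with ({bind_fail[0]})[{bind_fail[1]}] despite a fresh TGT: "
            f"LDAP_LOCAL_ERROR is a client-side failure (no usable service ticket for the "
            f"server's name, e.g. name/SPN mismatch or clock skew), not a rejection by the server"
        )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LDAP_URI, SAMPLE_LOG):
        print("-", finding)
```

Run it against the real sssd_default.log and the ldap_uri from sssd.conf; the useful split is that the TGT line proves Kerberos to the remaining DC works, so the failure is confined to how the LDAP server is named.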