[Samba] sssd problems after dc1 is no longer online

Rowland Penny rowlandpenny at googlemail.com
Thu Jul 24 03:58:17 MDT 2014

On 24/07/14 10:23, mourik jan heupink - merit wrote:
> Hi Steve,
> Thanks for your reply.
>> Hi
>> 1. Unless you have a reverse zone and your x.y.143.15 and ....16 resolve
>> properly, use the fqdn.
> I was doing that first, changed to IPs in the hope that it would work 
> better, but it didn't.
>>> ldap_uri = ldap://x.y.143.15, ldap://x.y.143.16
>>> ldap_search_base = dc=samba,dc=merit,dc=unu,dc=edu
>> For AD objects, this doesn't make sense. This domain does not correspond
>> to anything in your realm. I could believe:
>> ldap_search_base = cn=Users,dc=samba,dc=company,dc=com
>> but I see no connection with samba.merit.unu.edu
>> But it's late, too hot and everyone else has gone for a beer so we may
>> well have missed something earlier in the thread.
> Apologies: the dc=merit,dc=unu,dc=edu is my real search base, which I 
> changed to dc=samba,dc=company,dc=com to make it more 'general'. I 
> missed that line, my apologies.
>> Maybe, but for AD I'd really recommend switching to sssd with a proper
>> AD backend whereupon you can forget about DNS. All the 1.11 series have
>> it, as does the latest 1.12.0. The configuration is simple and when the
>> cache is full it absolutely screams:
> However, I'm at debian wheezy on this machine, so I'd have to compile 
> sssd myself. That doesn't worry me, but the fact that I'd have to 
> manually fiddle around with pam scares me a bit.
> And also: it used to work perfectly, and stopped working after the dc1 
> was taken offline.
> Do these three lines tell you something:
> (Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sdap_get_tgt_recv] 
> (0x0400): Child responded: 0 
> [FILE:/var/lib/sss/db/ccache_SAMBA.COMPANY.COM], expired on [1406223917]
> (Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] 
> (0x0100): Executing sasl bind mech: gssapi, user: EPO$@SAMBA.COMPANY.COM
> (Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] 
> (0x0020): ldap_sasl_bind failed (-2)[Local error]

To me, it looks like your Kerberos ticket has expired, but there appears 
to be a problem finding the KDC. What do you have in krb5.conf and 
sssd.conf?

> I have now also spent an hour now to do it the winbind way and forget 
> sssd, but also there are some issues: wbinfo returns all 
> users/groups, but getent passwd/group does not. All users/groups have 
> uidNumber/gidNumber, and the ranges in smb.conf match.

Could you post the smb.conf that you are trying to use with winbind ?

> There has been a discussion here, that looks exactly like my problems 
> now: http://marc.info/?l=samba&m=140603869320108&w=2
> So... sssd doesn't work, winbind doesn't work... yet my AD works, 
> users can logon, quickly.

sssd should work, winbind should work, and if by users you mean Windows 
users, then they will be going directly to the AD DC for authentication.

> Any reason to believe that a recent self-compiled sssd would work?
> This is getting slightly frustrating. :-)
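As an added example, not from the thread or from the sssd project: a small Python script that parses the three sssd debug lines quoted above (re-joined after mail wrapping), reports when the cached TGT expires relative to the log's own clock, and flags client-side GSSAPI bind failures. The host's UTC offset is an assumption passed in, because sssd writes local timestamps while the expiry is a UTC epoch; +2 assumes CEST.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the three sssd debug lines quoted in the thread, each
# re-joined onto one line (the mail client had wrapped them).
SAMPLE_LOG = """\
(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_SAMBA.COMPANY.COM], expired on [1406223917]
(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: EPO$@SAMBA.COMPANY.COM
(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
"""

# The greedy ".*" skips the nested "[sssd[be[default]]]" tag; the last
# "[func] (0xNN):" pair before the message is the one we want.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) .*\[(?P<func>[A-Za-z_]+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
EXPIRE_RE = re.compile(r"\[(?P<ccache>[^\]]+)\], expired on \[(?P<epoch>\d+)\]")
BIND_FAIL_RE = re.compile(r"ldap_sasl_bind failed \((?P<code>-?\d+)\)\[(?P<text>[^\]]+)\]")

def parse_sssd_log(text, utc_offset_hours):
    """Return ccache expiry relative to the log clock plus any SASL bind failures.

    utc_offset_hours is the UTC offset of the host that wrote the log (assumed,
    not recorded in the log): sssd timestamps are local, the expiry is a UTC epoch.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    findings = {"ccache": None, "expires_at": None, "valid_for_s": None, "bind_failures": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        log_time = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y").replace(tzinfo=tz)
        e = EXPIRE_RE.search(m["msg"])
        if m["func"] == "sdap_get_tgt_recv" and e:
            expires = datetime.fromtimestamp(int(e["epoch"]), tz=timezone.utc)
            findings["ccache"] = e["ccache"]
            findings["expires_at"] = expires.isoformat()
            # Negative means the TGT had already expired when this line was written.
            findings["valid_for_s"] = int((expires - log_time).total_seconds())
        b = BIND_FAIL_RE.search(m["msg"])
        if m["func"] == "sasl_bind_send" and b:
            # LDAP result -2 (Local error) is raised on the client side, i.e. in
            # the GSSAPI/Kerberos layer, before the LDAP server has answered.
            findings["bind_failures"].append((int(b["code"]), b["text"]))
    return findings

if __name__ == "__main__":
    print(parse_sssd_log(SAMPLE_LOG, utc_offset_hours=2))  # +2: assumed CEST
```

A bind failure with a ccache that the script still shows as valid points at the GSSAPI step (KDC lookup, SPN, clock skew) rather than at ticket renewal.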
