[Samba] sssd problems after dc1 is no longer online

Thu Jul 24 04:37:37 MDT 2014

> To me, it looks like your kerberos ticket has expired, but there appears
> to be a problem finding the kdc, what do you have in krb5.conf and
> sssd.conf ?

root at epo:~# cat /etc/krb5.conf
[libdefaults]
         default_realm = SAMBA.COMPANY.COM
         dns_lookup_realm = true
         dns_lookup_kdc = true
root at epo:~#

root at epo:~# kinit heupink
Password for heupink at SAMBA.COMPANY.COM
root at epo:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: heupink at SAMBA.COMPANY.COM

Valid starting    Expires           Service principal
24/07/2014 12:14  24/07/2014 22:14 
krbtgt/SAMBA.MERIT.UNU.EDU at SAMBA.COMPANY.COM
         renew until 25/07/2014 12:14
root at epo:~#

Then sssd.conf, as I had it:

root at epo:~# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default

# enable or disable the below
# debug_level = 3
# debug_level = 5
debug_level = 8
[nss]

[pam]

[domain/default]
debug_level = 8
ad_hostname = epo.samba.company.com
ad_server = dc2.samba.company.com
ad_domain = samba.company.com

ldap_schema = rfc2307bis
id_provider = ldap
access_provider = simple

# on large directories, you may want to disable enumeration for 
performance reas 
                      ons
enumerate = true

auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = EPO$@SAMBA.COMPANY.COM
krb5_realm = SAMBA.COMPANY.COM
krb5_server = dc2.samba.company.com
krb5_kpasswd = dc2.samba.company.com
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_krb5_init_creds = true

ldap_referrals = false
ldap_uri = ldap://dc2.samba.company.com
ldap_search_base = CN=Users,DC=samba,DC=company,DC=com

dyndns_update=false

ldap_id_mapping=false

ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell

ldap_group_object_class = group
ldap_group_name = cn
ldap_group_member = member
root at epo:~#

root at epo:~# klist -k /etc/krb5.sssd.keytab '
Keytab name: FILE:/etc/krb5.sssd.keytab
KVNO Principal
---- 
--------------------------------------------------------------------------
    2 EPO$@SAMBA.COMPANY.COM
    2 EPO$@SAMBA.COMPANY.COM
    2 EPO$@SAMBA.COMPANY.COM

root at epo:/etc/sssd# kinit -k -t /etc/krb5.sssd.keytab 
'EPO$@SAMBA.COMPANY.COM'

root at epo:/etc/sssd# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: EPO$@SAMBA.COMPANY.COM

Valid starting    Expires           Service principal
24/07/2014 12:27  24/07/2014 22:27 
krbtgt/SAMBA.COMPANY.COM at SAMBA.COMPANY.COM
         renew until 25/07/2014 12:27
root at epo:/etc/sssd#

Keytab was exported today, using  samba-tool domain exportkeytab 
./krb5.sssd.keytab --principal=EPO$

So.... where does this go wrong? The above seems to me, that it CAN find 
a kdc..?

Thanks for your time!
MJ

>
>> I have now also spent an hour now to do it the winbind way and forget
>> sssd, but also there are some issues: wbinfo rerturns all
>> users/groups, but getent passwd/group does not. All users/groups have
>> uidNumber/gidNumber, and the ranges in smb.conf match.
>>
>
> Could you post the smb.conf that you are trying to use with winbind ?
>
>> There has been a discussion here, that looks exactly like my problems
>> now: http://marc.info/?l=samba&m=140603869320108&w=2
>>
>> Sow...sssd doesn't work, winbind doesn't work... yet my AD works,
>> users can logon, quickly.
>>
> sssd should work, winbind should work and if by users you mean windows
> users, then they will be going direct to the AD DC for authentication.
>
> Rowland
>
>> Any reason to believe that a recent self-compiled sssd would work?
>>
>> This is getting slightly frustrating. :-)
>