[Samba] sssd problems after dc1 is no longer online
Rowland Penny
rowlandpenny at googlemail.com
Thu Jul 24 05:02:52 MDT 2014
On 24/07/14 11:37, mourik jan heupink - merit wrote:
>> To me, it looks like your kerberos ticket has expired, but there appears
>> to be a problem finding the kdc, what do you have in krb5.conf and
>> sssd.conf ?
>
> root at epo:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = SAMBA.COMPANY.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> root at epo:~#
Same as on my laptop
>
> root at epo:~# kinit heupink
> Password for heupink at SAMBA.COMPANY.COM
> root at epo:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: heupink at SAMBA.COMPANY.COM
>
> Valid starting Expires Service principal
> 24/07/2014 12:14 24/07/2014 22:14
> krbtgt/SAMBA.MERIT.UNU.EDU at SAMBA.COMPANY.COM
> renew until 25/07/2014 12:14
> root at epo:~#
>
That seems to belong to the root user, mine is:
rowland at ThinkPad ~ $ klist
Ticket cache: FILE:/tmp/krb5cc_10000_gdM7Fo
Default principal: rowland at EXAMPLE.COM
Valid starting Expires Service principal
24/07/14 11:41:57 24/07/14 21:41:57 krbtgt/EXAMPLE.COM at EXAMPLE.COM
renew until 25/07/14 11:41:51
> Then sssd.conf, as I had it:
>
> root at epo:~# cat /etc/sssd/sssd.conf
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = default
>
> # enable or disable the below
> # debug_level = 3
> # debug_level = 5
> debug_level = 8
> [nss]
>
> [pam]
>
> [domain/default]
> debug_level = 8
> ad_hostname = epo.samba.company.com
> ad_server = dc2.samba.company.com
> ad_domain = samba.company.com
>
> ldap_schema = rfc2307bis
> id_provider = ldap
> access_provider = simple
>
> # on large directories, you may want to disable enumeration for performance reasons
> enumerate = true
>
> auth_provider = krb5
> chpass_provider = krb5
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = EPO$@SAMBA.COMPANY.COM
> krb5_realm = SAMBA.COMPANY.COM
> krb5_server = dc2.samba.company.com
> krb5_kpasswd = dc2.samba.company.com
> ldap_krb5_keytab = /etc/krb5.sssd.keytab
> ldap_krb5_init_creds = true
>
> ldap_referrals = false
> ldap_uri = ldap://dc2.samba.company.com
> ldap_search_base = CN=Users,DC=samba,DC=company,DC=com
>
> dyndns_update=false
>
> ldap_id_mapping=false
>
> ldap_user_object_class = user
> ldap_user_name = samAccountName
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_shell = loginShell
>
> ldap_group_object_class = group
> ldap_group_name = cn
> ldap_group_member = member
> root at epo:~#
>
This is what is on my working laptop:
sudo cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam, sudo
[nss]
[pam]
[sudo]
[domain/example.com]
description = AD domain with Samba 4 server
cache_credentials = true
ldap_schema = rfc2307bis
id_provider = ldap
access_provider = ldap
enumerate = true
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = THINKPAD$@EXAMPLE.COM
krb5_realm = EXAMPLE.COM
krb5_server = dc1.home.lan
krb5_kpasswd = dc1.home.lan
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
sudo_provider = ldap
ldap_referrals = false
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_sudo_search_base = ou=sudoers,dc=home,dc=lan
> root at epo:~# klist -k /etc/krb5.sssd.keytab '
> Keytab name: FILE:/etc/krb5.sssd.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 2 EPO$@SAMBA.COMPANY.COM
> 2 EPO$@SAMBA.COMPANY.COM
> 2 EPO$@SAMBA.COMPANY.COM
>
> root at epo:/etc/sssd# kinit -k -t /etc/krb5.sssd.keytab
> 'EPO$@SAMBA.COMPANY.COM'
>
> root at epo:/etc/sssd# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: EPO$@SAMBA.COMPANY.COM
>
> Valid starting Expires Service principal
> 24/07/2014 12:27 24/07/2014 22:27
> krbtgt/SAMBA.COMPANY.COM at SAMBA.COMPANY.COM
> renew until 25/07/2014 12:27
> root at epo:/etc/sssd#
>
> Keytab was exported today, using samba-tool domain exportkeytab
> ./krb5.sssd.keytab --principal=EPO$
>
I do not use a separate keytab, I just use the std /etc/krb5.keytab
> So.... where does this go wrong? The above seems to me, that it CAN
> find a kdc..?
>
Try my setup, it works for me ;-)
Rowland
> Thanks for your time!
> MJ
>
>
>>
>>> I have now also spent an hour now to do it the winbind way and forget
>>> sssd, but also there are some issues: wbinfo returns all
>>> users/groups, but getent passwd/group does not. All users/groups have
>>> uidNumber/gidNumber, and the ranges in smb.conf match.
>>>
>>
>> Could you post the smb.conf that you are trying to use with winbind ?
>>
>>> There has been a discussion here, that looks exactly like my problems
>>> now: http://marc.info/?l=samba&m=140603869320108&w=2
>>>
>>> So...sssd doesn't work, winbind doesn't work... yet my AD works,
>>> users can logon, quickly.
>>>
>> sssd should work, winbind should work and if by users you mean windows
>> users, then they will be going direct to the AD DC for authentication.
>>
>> Rowland
>>
>>> Any reason to believe that a recent self-compiled sssd would work?
>>>
>>> This is getting slightly frustrating. :-)
>>
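An added example, not code from the thread or from sssd itself: a small Python lint, run over a trimmed copy of the posted sssd.conf and the klist -k listing, that flags the points this reply turns on (every server setting pinned to one DC, the SASL identity present in the keytab, a non-default keytab path). It relies on sssd accepting comma-separated server lists and the `_srv_` keyword for DNS SRV lookup; the finding codes are made up here.

```python
import configparser
import re

# Constructed from the posted sssd.conf (trimmed) and klist -k output.
SSSD_CONF = """\
[sssd]
domains = default

[domain/default]
ad_server = dc2.samba.company.com
ldap_sasl_authid = EPO$@SAMBA.COMPANY.COM
krb5_realm = SAMBA.COMPANY.COM
krb5_server = dc2.samba.company.com
krb5_kpasswd = dc2.samba.company.com
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_uri = ldap://dc2.samba.company.com
"""
KLIST_K = """\
Keytab name: FILE:/etc/krb5.sssd.keytab
KVNO Principal
---- ----------------------------------------
   2 EPO$@SAMBA.COMPANY.COM
"""
SERVER_KEYS = ("ad_server", "krb5_server", "krb5_kpasswd", "ldap_uri")

def keytab_principals(listing):
    """Principals from `klist -k` output: the lines that begin with a KVNO."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)\s*$", listing, re.M)}

def lint(conf_text, klist_text):
    """Return finding codes for the first [domain/...] section of conf_text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    dom = cp[next(s for s in cp.sections() if s.startswith("domain/"))]
    findings = []
    # sssd takes comma-separated server lists and _srv_; one fixed host = no failover.
    hosts = set()
    for key in SERVER_KEYS:
        for h in dom.get(key, "").split(","):
            if h.strip():
                hosts.add(re.sub(r"^\w+://", "", h.strip()))
    if len(hosts) == 1 and "_srv_" not in hosts:
        findings.append("single-dc-no-failover")
    # The SASL identity must be present in the keytab sssd is pointed at.
    if dom.get("ldap_sasl_authid") not in keytab_principals(klist_text):
        findings.append("authid-not-in-keytab")
    # A non-default keytab path is worth a second look (see the reply above).
    if dom.get("ldap_krb5_keytab", "/etc/krb5.keytab") != "/etc/krb5.keytab":
        findings.append("custom-keytab")
    return findings
```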