[Samba] sssd problems after dc1 is no longer online

steve steve at steve-ss.com
Thu Jul 24 08:19:23 MDT 2014


On Thu, 2014-07-24 at 11:23 +0200, mourik jan heupink - merit wrote:
> Hi Steve,
> 
> Thanks for your reply.
> 
> >
> > Hi
> > 1. Unless you have a reverse zone and your x.y.143.15 and ....16 resolve
> > properly, use the fqdn.
> I was doing that first, changed to IPs in the hope that it would work 
> better, but it didn't.
> 
> >>
> >> ldap_uri = ldap://x.y.143.15, ldap://x.y.143.16
> >> ldap_search_base = dc=samba,dc=merit,dc=unu,dc=edu
> > For AD objects, this doesn't make sense. This domain does not correspond
> > to anything in your realm. I could believe:
> > ldap_search_base = cn=Users,dc=samba,dc=company,dc=com
> > but I see no connection with samba.merit.unu.edu
> > But it's late, too hot and everyone else has gone for a beer so we may
> > well have missed something earlier in the thread.
> Apologies: the dc=merit,dc=unu,dc=edu is my real search base, which I 
> changed to dc=samba,dc=company,dc=com to make it more 'general'. I 
> missed that line, my apologies.
> 
> 
> > Maybe, but for AD I'd really recommend switching to sssd with a proper
> > AD backend whereupon you can forget about DNS. All the 1.11 series have
> > it, as does the latest 1.12.0. The configuration is simple and when the
> > cache is full it absolutely screams:
> However, I'm at debian wheezy on this machine, so I'd have to compile 
> sssd myself. That doesn't worry me, but the fact that I'd have to 
> manually fiddle around with pam scares me a bit.
> 
> And also: it used to work perfectly, and stopped working after the dc1 
> was taken offline.
> 
> Do these three lines tell you something:
> (Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sdap_get_tgt_recv] 
> (0x0400): Child responded: 0 
> [FILE:/var/lib/sss/db/ccache_SAMBA.COMPANY.COM], expired on [1406223917]
> 
> (Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] 
> (0x0100): Executing sasl bind mech: gssapi, user: EPO$@SAMBA.COMPANY.COM
> 
> (Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] 
> (0x0020): ldap_sasl_bind failed (-2)[Local error]
> 
> I have now also spent an hour to do it the winbind way and forget 
> sssd, but there are some issues there too: wbinfo returns all users/groups, 
> but getent passwd/group does not. All users/groups have 
> uidNumber/gidNumber, and the ranges in smb.conf match.
> 
> There has been a discussion here, that looks exactly like my problems 
> now: http://marc.info/?l=samba&m=140603869320108&w=2
> 
> So... sssd doesn't work, winbind doesn't work... yet my AD works, users 
> can log on, quickly.
> 
> Any reason to believe that a recent self-compiled sssd would work?
> 
> This is getting slightly frustrating. :-)

Just a quick test (we'll have a closer look later):
stop sssd
rm /var/lib/sss/db/*
start sssd

You sure you have the MACHINE$ (or some other domain key: perhaps an
unprivileged user) in your sssd keytab?
Steve
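As an added example (not from the thread), a small Python checker that parses sssd back-end log lines of the shape quoted above and correlates the TGT result with the outcome of the following GSSAPI bind, so you can tell an expired or missing ticket apart from a bind that fails while the ticket is still valid (the keytab/KDC situation Steve asks about). The sample lines are reconstructed from the quoted excerpt, and the host's UTC offset (+2, taken from the reporter's mail header) is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the sssd back-end log lines quoted in the thread.
SAMPLE_LOG = """\
(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_SAMBA.COMPANY.COM], expired on [1406223917]
(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: EPO$@SAMBA.COMPANY.COM
(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
"""

LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# "expired on [epoch]" is read here as the ticket's expiry time, to be compared with the log time.
TGT_RE = re.compile(r"Child responded: (?P<rc>-?\d+) \[FILE:(?P<ccache>[^\]]+)\], expired on \[(?P<epoch>\d+)\]")
BIND_RE = re.compile(r"Executing sasl bind mech: (?P<mech>\w+), user: (?P<princ>\S+)")
FAIL_RE = re.compile(r"ldap_sasl_bind failed \((?P<code>-?\d+)\)\[(?P<reason>[^\]]+)\]")

def parse_line(line, utc_offset_hours):
    """Split one log line; the timestamp has no zone, so the host offset is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    tz = timezone(timedelta(hours=utc_offset_hours))
    rec["time"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y").replace(tzinfo=tz)
    rec["level"] = int(rec["level"], 16)
    return rec

def diagnose_gssapi_bind(log_text, utc_offset_hours=2):
    """Correlate the TGT acquisition with the GSSAPI bind that follows it."""
    tgt = bind = fail = None
    for raw in log_text.splitlines():
        rec = parse_line(raw, utc_offset_hours)
        if rec is None:
            continue
        if (m := TGT_RE.search(rec["msg"])):
            tgt = {"rc": int(m["rc"]), "ccache": m["ccache"], "logged": rec["time"],
                   "expires": datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)}
        elif (m := BIND_RE.search(rec["msg"])):
            bind = {"mech": m["mech"], "principal": m["princ"]}
        elif (m := FAIL_RE.search(rec["msg"])):
            fail = {"code": int(m["code"]), "reason": m["reason"]}
    if not (tgt and bind and fail):
        return {"verdict": "incomplete", "tgt": tgt, "bind": bind, "fail": fail}
    tgt_valid = tgt["rc"] == 0 and tgt["expires"] > tgt["logged"]  # ticket still good at bind time?
    verdict = ("bind failed with a valid TGT: check the keytab principal, KDC reachability and DNS"
               if tgt_valid else "TGT expired or not obtained: clear /var/lib/sss/db and restart sssd")
    return {"verdict": verdict, "tgt_valid": tgt_valid, "principal": bind["principal"],
            "reason": fail["reason"], "tgt": tgt}
```

On the quoted lines the ticket expires about ten hours after it was logged, so the bind did not fail because of a lapsed ccache, which is why the keytab check is the more useful next step.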