[Samba] sssd problems after dc1 is no longer online
steve
steve at steve-ss.com
Thu Jul 24 08:19:23 MDT 2014
On Thu, 2014-07-24 at 11:23 +0200, mourik jan heupink - merit wrote:
> Hi Steve,
>
> Thanks for your reply.
>
> >
> > Hi
> > 1. Unless you have a reverse zone and your x.y.143.15 and ....16 resolve
> > properly, use the fqdn.
> I was doing that first, changed to ip's in the hope that it would work
> better, but it didn't.
>
> >>
> >> ldap_uri = ldap://x.y.143.15, ldap://x.y.143.16
> >> ldap_search_base = dc=samba,dc=merit,dc=unu,dc=edu
> > For AD objects, this doesn't make sense. This domain does not correspond
> > to anything in your realm. I could believe:
> > ldap_search_base = cn=Users,dc=samba,dc=company,dc=com
> > but I see no connection with samba.merit.unu.edu
> > But it's late, too hot and everyone else has gone for a beer so we may
> > well have missed something earlier in the thread.
> Apologies: the dc=merit,dc=unu,dc=edu is my real search base, which I
> changed to dc=samba,dc=company,dc=com to make it more 'general'. I
> missed that line, my apologies.
>
>
> > Maybe, but for AD I'd really recommend switching to sssd with a proper
> > AD backend whereupon you can forget about DNS. All the 1.11 series have
> > it, as does the latest 1.12.0. the configuration is simple and when the
> > cache is full it absolutely screams:
> However, I'm at debian wheezy on this machine, so I'd have to compile
> sssd myself. That doesn't worry me, but the fact that I'd have to
> manually fiddle around with pam scares me a bit.
>
> And also: it used to work perfectly, and stopped working after the dc1
> was taken offline.
>
> Do these three lines tell you something:
> (Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_SAMBA.COMPANY.COM], expired on [1406223917]
>
> (Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: EPO$@SAMBA.COMPANY.COM
>
> (Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
>
> I have now also spent an hour now to do it the winbind way and forget
> sssd, but also there are some issues: wbinfo returns all users/groups,
> but getent passwd/group does not. All users/groups have
> uidNumber/gidNumber, and the ranges in smb.conf match.
>
> There has been a discussion here, that looks exactly like my problems
> now: http://marc.info/?l=samba&m=140603869320108&w=2
>
> So...sssd doesn't work, winbind doesn't work... yet my AD works, users
> can logon, quickly.
>
> Any reason to believe that a recent self-compiled sssd would work?
>
> This is getting slightly frustrating. :-)
Just a quick test (we'll have a closer look later):
stop sssd
rm /var/lib/sss/db/*
start sssd
You sure you have the MACHINE$ (or some other domain key: perhaps an
unprivileged user) in your sssd keytab?
Steve
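A small triage helper for the three debug lines and the keytab question above, as an added example that is not from the thread: it parses the sssd log entries, converts the "expired on" epoch to UTC so it can be compared with the log timestamp, and checks whether the principal used for the GSSAPI bind appears in a `klist -k` listing. The keytab listing and the host name epo.samba.company.com are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the three sssd debug lines quoted in the thread.
SSSD_LOG = """(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_SAMBA.COMPANY.COM], expired on [1406223917]
(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: EPO$@SAMBA.COMPANY.COM
(Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
"""

# Constructed sample of `klist -k /etc/krb5.keytab` output (hypothetical host).
KLIST_OUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/epo.samba.company.com@SAMBA.COMPANY.COM
   2 EPO$@SAMBA.COMPANY.COM
"""

# One sssd debug line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$")

def parse_sssd_log(text):
    """Split sssd debug output into dicts with ts, domain, func, lvl, msg."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def keytab_principals(klist_text):
    """Principal names from `klist -k` output (lines that start with a KVNO)."""
    return [l.split(None, 1)[1] for l in klist_text.splitlines() if re.match(r"\s*\d+ ", l)]

def triage(log_text, klist_text):
    """Did the TGT child succeed, when does the ticket expire, did the bind fail,
    and is the bind principal actually present in the keytab?"""
    findings = {"tgt_ok": False, "tgt_expiry_utc": None, "bind_user": None,
                "bind_failed": False, "principal_in_keytab": None}
    for ev in parse_sssd_log(log_text):
        msg = ev["msg"]
        if ev["func"] == "sdap_get_tgt_recv":
            m = re.search(r"Child responded: (\d+) .*expired on \[(\d+)\]", msg)
            if m:
                findings["tgt_ok"] = m.group(1) == "0"
                exp = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
                findings["tgt_expiry_utc"] = exp.strftime("%Y-%m-%d %H:%M:%S")
        elif ev["func"] == "sasl_bind_send":
            m = re.search(r"user: (\S+)", msg)
            if m:
                findings["bind_user"] = m.group(1)
            if "ldap_sasl_bind failed" in msg:
                findings["bind_failed"] = True
    if findings["bind_user"]:
        findings["principal_in_keytab"] = findings["bind_user"] in keytab_principals(klist_text)
    return findings
```

With the sample input the TGT child returns 0 and the bind principal is in the keytab, so the remaining suspect is the GSSAPI bind to the LDAP server itself, which is where the DNS/FQDN point earlier in the thread comes in.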