[Samba] sssd problems after dc1 is no longer online

Rowland Penny rowlandpenny at googlemail.com
Fri Jul 25 02:37:51 MDT 2014

On 24/07/14 10:23, mourik jan heupink - merit wrote:
> Hi Steve,
> Thanks for your reply.
>> Hi
>> 1. Unless you have a reverse zone and your x.y.143.15 and ....16 resolve
>> properly, use the fqdn.
> I was doing that first, changed to ip's in the hope that it would work 
> better, but it didn't.
>>> ldap_uri = ldap://x.y.143.15, ldap://x.y.143.16
>>> ldap_search_base = dc=samba,dc=merit,dc=unu,dc=edu
>> For AD objects, this doesn't make sense. This domain does not correspond
>> to anything in your realm. I could believe:
>> ldap_search_base = cn=Users,dc=samba,dc=company,dc=com
>> but I see no connection with samba.merit.unu.edu
>> But it's late, too hot and everyone else has gone for a beer so we may
>> well have missed something earlier in the thread.
> Apologies: the dc=merit,dc=unu,dc=edu is my real search base, which I 
> changed to dc=samba,dc=company,dc=com to make it more 'general'. I 
> missed that line, my apologies.
>> Maybe, but for AD I'd really recommend switching to sssd with a proper
>> AD backend whwreupon you can forget about DNS. All the 1.11 series have
>> it, as does the latest 1.12.0. the configuration is simple and when the
>> cache is full it absolutely screams:
> However, I'm at debian wheezy on this machine, so I'd have to compile 
> sssd myself. That doesn't worry me, but the fact that I'd have to 
> manually fiddle around with pam scares me a bit.
> And also: it used to work perfectly, and stopped working after the dc1 
> was taken offline.
> Do these three lines line tell you something:
> (Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sdap_get_tgt_recv] 
> (0x0400): Child responded: 0 
> [FILE:/var/lib/sss/db/ccache_SAMBA.COMPANY.COM], expired on [1406223917]
> (Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] 
> (0x0100): Executing sasl bind mech: gssapi, user: EPO$@SAMBA.COMPANY.COM
> (Thu Jul 24 09:45:17 2014) [sssd[be[default]]] [sasl_bind_send] 
> (0x0020): ldap_sasl_bind failed (-2)[Local error]
> I have now also spent an hour now to do it the winbind way and forget 
> sssd, but also there are some issues: wbinfo rerturns all 
> users/groups, but getent passwd/group does not. All users/groups have 
> uidNumber/gidNumber, and the ranges in smb.conf match.
> There has been a discussion here, that looks exactly like my problems 
> now: http://marc.info/?l=samba&m=140603869320108&w=2
> Sow...sssd doesn't work, winbind doesn't work... yet my AD works, 
> users can logon, quickly.
> Any reason to believe that a recent self-compiled sssd would work?
> This is getting slightly frustrating. :-)
OK, I finally got around to reading the sssd logfile you uploaded to 
pastebin and found this:

     (Wed Jul 23 21:04:44 2014) [sssd[be[default]]] [sasl_bind_send] 
(0x0100): Executing sasl bind mech: gssapi, user: EPO$@SAMBA.COMPANY.COM
     (Wed Jul 23 21:04:44 2014) [sssd[be[default]]] [sasl_bind_send] 
(0x0020): ldap_sasl_bind failed (-2)[Local error]
     (Wed Jul 23 21:04:44 2014) [sssd[be[default]]] [fo_set_port_status] 
(0x0100): Marking port 389 of server 'x.y.143.15' as 'not working'

     (Wed Jul 23 21:04:44 2014) [sssd[be[default]]] 
[be_resolve_server_done] (0x0200): Found address for server x.y.143.16: 
[x.y.143.16] TTL 7200
     (Wed Jul 23 21:04:44 2014) [sssd[be[default]]] [sdap_uri_callback] 
(0x0400): Constructed uri 'ldap://x.y.143.16'
     (Wed Jul 23 21:04:44 2014) [sssd[be[default]]] [sss_ldap_init_send] 
(0x0400): Setting 6 seconds timeout for connecting
     (Wed Jul 23 21:04:47 2014) [sssd[be[default]]] 
[sdap_async_sys_connect_done] (0x0020): connect failed [113][No route to 
     (Wed Jul 23 21:04:47 2014) [sssd[be[default]]] [fo_set_port_status] 
(0x0100): Marking port 389 of server 'x.y.143.16' as 'not working'

I have removed a few lines for clarity, but it would seem that sssd 
cannot bind to x.y.143.15 and it cannot find x.y.143.16.

If you go further down in the log it shows that both servers are 
offline, so I think before you go any further that these problems need 
to be fixed.

What is in /etc/krb5.conf and /etc/resolv.conf on the client ?


More information about the samba mailing list