[Samba] sssd problems after dc1 is no longer online

mourik jan heupink - merit heupink at merit.unu.edu
Fri Jul 25 04:52:50 MDT 2014


Ok, I understand. I see now:

root at epo:/var/log/sssd# kinit heupink
Password for heupink at SAMBA.COMPANY.COM:
root at epo:/var/log/sssd# ldapsearch -Y GSSAPI -H ldap://dc2.company.com -b dc=samba,dc=company,dc=com
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
root at epo:/var/log/sssd#

So indeed: the same local error. So what I'm facing is not sssd-specific, 
but more general. Searching the above error reveals that:

"The error “Server not found in Kerberos database” is common and can be 
misleading because it often appears when the service principal is not 
missing. The error can be caused by domain/realm mapping problems or it 
can be the result of a DNS problem where the service principal name is 
not being built correctly. Server logs and network traces can be used to 
determine what service principal is actually being requested."

(from http://technet.microsoft.com/en-us/library/bb463167.aspx)

And as I said earlier: we still have some outstanding AD dns issues, 
because of the removal of DC1. I am discussing those with sernet 
support. Hopefully, once we get that sorted, this will be fixed as well.

Thank you very much for your patience, Rowland and Steve!

Mourik Jan

> What I was trying to get at was, as far as sssd is concerned, the two
> machines are offline, one because the sasl bind fails and the other
> because sssd cannot find it. I would also think that even if sssd could
> find the second machine the sasl bind would fail, just like the first.
>   Rowland
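As an added illustration (not from the thread or from Samba/sssd) of the "service principal name is not being built correctly" case the TechNet quote describes: with MIT krb5's default `rdns = true`, the client canonicalizes the host through its PTR record before building `ldap/<host>@REALM`, so a PTR left over from the removed DC makes the client ask the KDC for a principal that no longer exists. The DNS records, addresses and principal set below are constructed, and the stale-PTR cause is one assumed scenario, not the diagnosis of this particular domain.

```python
"""Constructed illustration: how a stale DNS record makes a Kerberos client
request a service principal that no longer exists.

MIT krb5 clients (kinit, ldapsearch -Y GSSAPI) build the LDAP SPN from the
host name: with dns_canonicalize_hostname = true and rdns = true (defaults)
they resolve the name, map the address back through its PTR record, and use
that canonical name in ldap/<canonical>@REALM. All DNS data is constructed.
"""

REALM = "SAMBA.COMPANY.COM"

# Constructed zone data: dc1 was removed but its PTR record was never cleaned up.
STALE_DNS = {
    "A": {"dc2.company.com": "192.0.2.20"},
    "PTR": {"192.0.2.20": "dc1.company.com"},  # stale: should name dc2
}
CLEAN_DNS = {
    "A": {"dc2.company.com": "192.0.2.20"},
    "PTR": {"192.0.2.20": "dc2.company.com"},
}

# Service principals still registered on the remaining DC (constructed).
KDC_PRINCIPALS = {"ldap/dc2.company.com@" + REALM}


def canonical_host(host, dns, rdns=True):
    """Mimic krb5 canonicalization: forward lookup, then optional reverse lookup."""
    addr = dns["A"].get(host)
    if addr is None:
        raise LookupError(f"no A record for {host}")
    return dns["PTR"].get(addr, host) if rdns else host


def ldap_spn(host, dns, rdns=True):
    """SPN a GSSAPI LDAP bind to `host` will request from the KDC."""
    return f"ldap/{canonical_host(host, dns, rdns)}@{REALM}"


def diagnose(host, dns, rdns=True):
    """Return (requested SPN, 'ok' or the error the client would see)."""
    spn = ldap_spn(host, dns, rdns)
    return spn, "ok" if spn in KDC_PRINCIPALS else "Server not found in Kerberos database"


if __name__ == "__main__":
    for label, dns in (("stale PTR", STALE_DNS), ("clean PTR", CLEAN_DNS)):
        print(label, diagnose("dc2.company.com", dns))
    # rdns = false in [libdefaults] of krb5.conf skips the reverse lookup entirely.
    print("stale PTR, rdns=false", diagnose("dc2.company.com", STALE_DNS, rdns=False))
```

Comparing the SPN the client actually requests (visible with `KRB5_TRACE=/dev/stderr`) against the principals on the DC is the quickest way to confirm or rule out this class of DNS problem.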
