[Samba] sssd problems after dc1 is no longer online
mourik jan heupink - merit
heupink at merit.unu.edu
Fri Jul 25 04:52:50 MDT 2014
Ok, I understand. I see now:
root at epo:/var/log/sssd# kinit heupink
Password for heupink at SAMBA.COMPANY.COM:
root at epo:/var/log/sssd# ldapsearch -Y GSSAPI -H ldap://dc2.company.com
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information (Server not found
in Kerberos database)
root at epo:/var/log/sssd#
So indeed: the same local error. So what I'm facing is not sssd
specific, but more general. Searching the above error reveals that:
"The error “Server not found in Kerberos database” is common and can be
misleading because it often appears when the service principal is not
missing. The error can be caused by domain/realm mapping problems or it
can be the result of a DNS problem where the service principal name is
not being built correctly. Server logs and network traces can be used to
determine what service principal is actually being requested."
And as I said earlier: we still have some outstanding AD dns issues,
because of the removal of DC1. I am discussing those with sernet
support. Hopefully, once we get that sorted, this will be fixed as well.
Thank you very much for your patience, Rowland and Steve!
> What I was trying to get at was, as far as sssd is concerned, the two
> machines are offline, one because the sasl bind fails and the other
> because sssd cannot find it. I would also think that even if sssd could
> find the second machine the sasl bind would fail, just like the first.
More information about the samba