[Samba] sssd problems after dc1 is no longer online

mourik jan heupink - merit heupink at merit.unu.edu
Fri Jul 25 05:36:22 MDT 2014


Wow... solved!!

After more reading from the list, I found this post:
http://marc.info/?l=samba&m=139290056418073&w=2

And after I
apt-get remove libsasl2-modules-gssapi-mit
and
apt-get install libsasl2-modules-gssapi-heimdal

things suddenly started working!!

Still very strange that everything has always worked in the days DC1 was 
still online, and this problem only started happening once the DC1 was 
taken offline.

Anyway: so happy now. :-)

Thanking the list members for their patient help, and wishing all a nice 
and stable weekend!

Mourik Jan

On 07/25/2014 12:52 PM, mourik jan heupink - merit wrote:
> Hi,
>
> Ok, I understand. I see now:
>
> root@epo:/var/log/sssd# kinit heupink
> Password for heupink@SAMBA.COMPANY.COM:
> root@epo:/var/log/sssd# ldapsearch -Y GSSAPI -H ldap://dc2.company.com -b dc=samba,dc=company,dc=com
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>      additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
> root@epo:/var/log/sssd#
>
> So indeed: the same local error. So what I'm facing is not sssd
> specific, but more general. Searching the above error reveals that:
>
> "The error “Server not found in Kerberos database” is common and can be
> misleading because it often appears when the service principal is not
> missing. The error can be caused by domain/realm mapping problems or it
> can be the result of a DNS problem where the service principal name is
> not being built correctly. Server logs and network traces can be used to
> determine what service principal is actually being requested."
>
> (from http://technet.microsoft.com/en-us/library/bb463167.aspx)
>
> And as I said earlier: we still have some outstanding AD dns issues,
> because of the removal of DC1. I am discussing those with sernet
> support. Hopefully, once we get that sorted, this will be fixed as well.
>
> Thank you very much for your patience, Rowland and Steve!
>
> Regards,
> Mourik Jan
>
>> What I was trying to get at was, as far as sssd is concerned, the two
>> machines are offline, one because the sasl bind fails and the other
>> because sssd cannot find it. I would also think that even if sssd could
>> find the second machine the sasl bind would fail, just like the first.
>>
>>   Rowland
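
Added example, not part of the original thread: the quoted TechNet passage says the error can come from DNS causing the service principal name to be built incorrectly, and this sketch shows which SPN a client would request for the `ldapsearch` target with and without reverse-lookup canonicalization (the behaviour MIT krb5's `rdns` option controls). The DNS records, the function names and the stale-PTR scenario are constructed assumptions, not data from the poster's network.

```python
import socket

def _forward(host):
    """Real resolver: return (canonical name, first IP address) for host."""
    info = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM,
                              flags=socket.AI_CANONNAME)[0]
    return info[3] or host, info[4][0]

def _reverse(ip):
    """Real resolver: return the PTR name for ip (raises OSError if none)."""
    return socket.gethostbyaddr(ip)[0]

def requested_spn(service, host, realm, rdns, forward=_forward, reverse=_reverse):
    """Build the service principal a client would ask the KDC for."""
    name, ip = forward(host)
    if rdns:
        try:
            name = reverse(ip)      # reverse lookup replaces the forward name
        except OSError:
            pass                    # no PTR record: keep the forward name
    return f"{service}/{name.rstrip('.').lower()}@{realm}"

def check(service, host, realm, forward=_forward, reverse=_reverse):
    """Return [(rdns, spn)] for each lookup mode whose SPN differs from the typed host."""
    expected = f"{service}/{host.lower()}@{realm}"
    found = []
    for rdns in (False, True):
        spn = requested_spn(service, host, realm, rdns, forward, reverse)
        if spn != expected:
            found.append((rdns, spn))
    return found

# Constructed sample DNS data (hypothetical, not taken from the thread):
# the A record is correct but the PTR record still names the removed DC.
SAMPLE_A = {"dc2.company.com": "192.0.2.12"}
SAMPLE_PTR = {"192.0.2.12": "dc1.company.com"}

def sample_forward(host):
    return host, SAMPLE_A[host]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR record")
    return SAMPLE_PTR[ip]

if __name__ == "__main__":
    for rdns, spn in check("ldap", "dc2.company.com", "SAMBA.COMPANY.COM",
                           sample_forward, sample_reverse):
        print(f"rdns={rdns}: client would request {spn}")
```

Calling `check()` without the two sample resolver arguments runs the same comparison against the host's live DNS.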

