In need of some help here. I hope I haven't trimmed this too much.

As I mentioned before, I have a CentOS 6.3 system using SSSD (only) bound to the samba4 DC as an LDAP server using the following in sssd.conf:

[domain/SAMBA]
        ldap_default_bind_dn = CN=Administrator,CN=Users,DC=...
        ldap_default_authtok = <supersecret>
        ldap_default_authtok_type = password
        ...

and everything works as expected (dns, kinit, passwd, etc are all good). Samba is not in use on the client. There are no Windows servers.

To avoid the need to embed the admin password, I have proceeded as follows:

* Joined the client to the domain, creating an appropriate UPN (client is
  using Samba 3.5.10):

        # kinit Administrator
        # net ads join <domain> createupn=host/<client>@<REALM> -k

  where <client> is the (short) client hostname, and <REALM> is of course
  the uppercase kerberos realm name. This succeeds. I can see the
  appropriate CN=<client>,CN=Computers,... entry appear in the DC
  database, and the userPrincipalName entry therein is correct.

* On the DC, extract the keytab:

        # samba-tool domain exportkeytab client.keytab --princ=host/client@REALM

  and this also works. The client.keytab is transferred to the client and
  installed as /etc/krb5.keytab with the proper ownership and permissions.

* On the client, verify the keytab:

        # klist -k /etc/krb5.keytab
        Keytab name: WRFILE:/etc/krb5.keytab
        KVNO Principal
        ---- --------------------------------------------------------------------
           1 host/<client>@<REALM>
           1 host/<client>@<REALM>
           1 host/<client>@<REALM>

* On the client, change the three ldap_default_ lines to:

        ldap_sasl_mech = GSSAPI
        ldap_sasl_authid = host/<client>@<REALM>

  and restart sssd.

The result: nothing. I can no longer (getent passwd user) see any users or groups; basically nothing works. I get this in /var/log/messages:

Aug 10 15:58:47 <client> sssd_be: GSSAPI Error: Unspecified GSS failure.
        Minor code may provide more information (Server not found in Kerberos
        database)

and I really do not know what this is trying to tell me, as so far as I know the kerberos database is fine. Please, someone give me a clue! TIA,

Steve
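An added offline check, not from the post or from Samba/SSSD: it reads a GSSAPI-style sssd.conf fragment and a `klist -k` listing, confirms the `ldap_sasl_authid` is actually present in the keytab, and derives the `ldap/<host>@REALM` service principal the bind will ask the KDC for, flagging an `ldap_uri` that names an IP address (the KDC holds no such principal, which is one way to be told "Server not found in Kerberos database"). The config and klist text are constructed, and `ldap_uri`, `dc1.example.com` and `EXAMPLE.COM` are placeholders assumed here.

```python
import configparser
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sssd.conf fragment mirroring the post's GSSAPI variant;
# ldap_uri / krb5_realm values are assumed placeholders.
SSSD_CONF = """
[domain/SAMBA]
ldap_uri = ldap://dc1.example.com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client@EXAMPLE.COM
krb5_realm = EXAMPLE.COM
"""

# Constructed output of `klist -k /etc/krb5.keytab` on the client.
KLIST_OUTPUT = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   1 host/client@EXAMPLE.COM
   1 host/client@EXAMPLE.COM
   1 host/client@EXAMPLE.COM
"""

def parse_domain_section(conf_text):
    """Return the first [domain/...] section of sssd.conf as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = next(s for s in cp.sections() if s.startswith("domain/"))
    return dict(cp[section])

def keytab_principals(klist_text):
    """Collect the principal names from `klist -k` output (KVNO then principal)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)\s*$", klist_text, re.M)}

def ldap_service_principal(ldap_uri, realm):
    """Service principal the GSSAPI bind requests; None if the URI host is an IP."""
    host = urlparse(ldap_uri.strip()).hostname or ""
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return f"ldap/{host}@{realm}"

def check_gssapi_bind(conf_text, klist_text):
    """Cross-check sssd.conf GSSAPI settings against the keytab listing."""
    dom = parse_domain_section(conf_text)
    authid = dom.get("ldap_sasl_authid", "")
    realm = dom.get("krb5_realm") or authid.rpartition("@")[2]
    result = {"service_principals": [], "problems": []}
    if dom.get("ldap_sasl_mech", "").upper() != "GSSAPI":
        result["problems"].append("ldap_sasl_mech is not GSSAPI")
    if authid not in keytab_principals(klist_text):
        result["problems"].append(f"ldap_sasl_authid {authid!r} is not in the keytab")
    for uri in dom.get("ldap_uri", "").split(","):
        spn = ldap_service_principal(uri, realm)
        if spn is None:
            result["problems"].append(f"{uri.strip()} names an IP address: the KDC has no ldap/<ip> principal")
        else:
            result["service_principals"].append(spn)
    return result
```

On the real client, `kvno <service principal>` after a fresh `kinit` reproduces the KDC lookup the bind performs, so a failure there points at the DC's principal or the `ldap_uri` hostname rather than at the client keytab.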
