On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
> On 30/08/13 15:48, Luca Olivetti wrote:
> > On 30/08/13 11:41, Rowland Penny wrote:
> >
> >> OK, try this sssd.conf that I have altered for your setup, it is based
> >> on the sssd.conf on the machine that I am typing this on and it works,
> >> you just need the krb5.keytab that I told you how to create earlier.
> > That was
> >
> > /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
> > Administrator
> >
>

Hi

This command dumps the _whole_ of the database to the keytab, so you must
choose which key you are going to use for:

ldap_sasl_authid

If you really do need all the keys there then could you send us a sanitised
dump of the keytab so we can decide a good key to use? And more importantly
one which is definitely present?

klist -k /etc/krb5.keytab

It is generally recommended to only dump the keys you need.

> > [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
> > [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No principal matching template.wetron...@wetron.es found in keytab.
> > [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No principal matching TEMPLATE$@WETRON.ES found in keytab.
> > [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No principal matching host/template.wetron...@wetron.es found in keytab.
> > [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200): Selected principal: dept-66f575a885$@WETRON.ES
> > [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [dept-66f575a885$@WETRON.ES]
> > [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
> > [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
> > [[sssd[ldap_child[8011]]]] [prepare_response] (0x0400): Building response for result [0]
> > [[sssd[ldap_child[8011]]]] [main] (0x0400): ldap_child completed successfully
> > [sssd[be[wetron.es]]] [read_pipe_handler] (0x0400): EOF received, client finished
> > [sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
> > [sssd[be[wetron.es]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> > [sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null)
> > [sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> > [sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
> >
> Where did you get samba4 from, did you compile it yourself? What
> version? What OS are you using? If you did compile it yourself, what
> packages did you install before compiling?
>
> > Note that I get the last error even if I add
> >
> > ldap_sasl_authid = Administrator
>

Have you dumped the Administrator key to the keytab? If it isn't in the
keytab it's not going to find a match either.

Why not simply choose something which you _do_ have?

ldap_sasl_mech = gssapi
ldap_sasl_authid = something.you.do.have.in.the.keytab
ldap_krb5_keytab = /etc/krb5.keytab

HTH to get us closer.

Cheers,
Steve

--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/options/samba
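As an added example (not from this thread or from sssd itself), a small Python model of the keytab principal search that the ldap_child log above shows, with a check for whether a configured ldap_sasl_authid is actually present in `klist -k` output. The keytab listing is constructed, and the selection order is a simplification inferred from the templates in the log, not sssd's exact code.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output (not taken from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 dept-66f575a885$@WETRON.ES
   2 dept-66f575a885$@WETRON.ES
   2 Administrator@WETRON.ES
   2 host/template.wetron.es@WETRON.ES
"""


def parse_klist(text):
    """Return the principals in `klist -k` output, in keytab order, without duplicates."""
    seen = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s*$", line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def select_principal(principals, fqdn, realm, sasl_authid=None):
    """Simplified model of the principal search the ldap_child log shows.

    Assumption (not sssd's exact behaviour): an explicit ldap_sasl_authid must be
    present in the keytab, with the realm appended if it lacks one, otherwise the
    bind cannot work and None is returned; without it, the templates the log tried
    are checked in order, then any machine account (*$@REALM), then the first entry.
    """
    if sasl_authid:
        wanted = sasl_authid if "@" in sasl_authid else f"{sasl_authid}@{realm}"
        return wanted if wanted in principals else None
    short = fqdn.split(".")[0].upper()
    for candidate in (f"{fqdn}@{realm}", f"{short}$@{realm}", f"host/{fqdn}@{realm}"):
        if candidate in principals:
            return candidate
    for p in principals:
        if p.endswith(f"$@{realm}"):
            return p
    return principals[0] if principals else None


def check_sssd_keytab(klist_output, fqdn, realm, sasl_authid=None):
    """Report which principal the GSSAPI bind would use, or None if the config cannot work."""
    return select_principal(parse_klist(klist_output), fqdn, realm, sasl_authid)
```

Feeding real `klist -k` output into check_sssd_keytab with the host's FQDN and realm shows at a glance whether the ldap_sasl_authid you set is one the keytab actually holds.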