On 30/08/13 17:15, steve wrote:
On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
On 30/08/13 15:48, Luca Olivetti wrote:
Al 30/08/13 11:41, En/na Rowland Penny ha escrit:

OK, try this sssd.conf that I have altered for your setup, it is based
on the sssd.conf on the machine that I am typing this on and it works,
you just need the krb5.keytab that I told you how to create earlier.
That was

/usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
Administrator

Hi
This command dumps the _whole_ of the database to the keytab, so you
must choose which key you are going to use for:
ldap_sasl_authid

If you really do need all the keys there then could you send us a
sanitised dump of the keytab so we can decide a good key to use? And more
importantly one which is definitely present?

klist -k /etc/krb5.keytab

It is generally recommended to only dump the keys you need.
Hi Steve, let's just get something to work for the OP first.


[[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
trying to select the most appropriate principal from keytab
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching [email protected] found in keytab.
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching [email protected] found in keytab.
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching host/[email protected] found in keytab.
[[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
Selected principal: [email protected]
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
name is: [[email protected]]
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Using
keytab [default]
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Will
canonicalize principals
[[sssd[ldap_child[8011]]]] [prepare_response] (0x0400): Building
response for result [0]
[[sssd[ldap_child[8011]]]] [main] (0x0400): ldap_child completed
successfully
[sssd[be[wetron.es]]] [read_pipe_handler] (0x0400): EOF received, client
finished
[sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
[sssd[be[wetron.es]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
mech: GSSAPI, user: (null)
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
(-2)[Local error]
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Server not found in
Kerberos database)]

Where did you get samba4 from? Did you compile it yourself? What
version? What OS are you using? If you did compile it yourself, what
packages did you install before compiling?

Note that I get the last error even if I add

ldap_sasl_authid = Administrator

Have you dumped the Administrator key to the keytab?  If it isn't in the
keytab it's not going to find a match either. Why not simply choose
something which you _do_ have?

ldap_sasl_mech = gssapi
ldap_sasl_authid = something.you.do.have.in.the.keytab
ldap_krb5_keytab = /etc/krb5.keytab

HTH to get us closer.
Cheers,
Steve
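The check Steve is asking for above, as an added example that is not part of the thread: list the principals actually present in the keytab, test the candidates in the order the OP's ldap_child log walked through them (plain authid, fqdn@REALM, host/fqdn@REALM; that order is taken from the log, not from sssd's source), and emit the three sssd.conf lines for the first one that exists. The host dc1.example.test, the realm EXAMPLE.TEST and the `klist -k` listing are constructed so the script runs offline; on a real host replace KLIST_OUTPUT with `$(klist -k /etc/krb5.keytab)`. The listing format is MIT klist's (KVNO then principal); Heimdal's klist prints a different column layout. Two caveats a practitioner would want: the per-principal export that avoids dumping the whole database is `samba-tool domain exportkeytab KEYTAB --principal=PRINCIPAL`, and the final "Server not found in Kerberos database" in the log is the KDC saying the *service* principal sssd asked for (ldap/<server fqdn>@REALM, derived from ldap_uri) is unknown, which is a separate problem from the client principal missing in the keytab.

```shell
#!/bin/sh
# Added example (not from the thread): decide what to put in ldap_sasl_authid
# by checking the keytab instead of guessing. Host, realm and listing are constructed.

# Constructed sample of 'klist -k /etc/krb5.keytab' (MIT format, hypothetical host).
KLIST_OUTPUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/dc1.example.test@EXAMPLE.TEST
   1 host/DC1@EXAMPLE.TEST
   1 DC1$@EXAMPLE.TEST
   1 ldap/dc1.example.test@EXAMPLE.TEST'

# Print the principal column: only lines whose first field is a numeric KVNO
# are keytab entries, so the header and separator lines are skipped.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Exit 0 if the exact principal (with realm) is in the listing, 1 otherwise.
keytab_has_principal() {
    keytab_principals "$1" | grep -Fxq "$2"
}

# Walk a space-separated candidate list and print the first principal present.
# Exits 1 if none match, which is exactly the "No principal matching" case.
pick_sasl_authid() {
    for cand in $2; do
        if keytab_has_principal "$1" "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# The three sssd.conf lines Steve suggests, filled in with the chosen principal.
sssd_sasl_block() {
    printf 'ldap_sasl_mech = GSSAPI\nldap_sasl_authid = %s\nldap_krb5_keytab = /etc/krb5.keytab\n' "$1"
}

# Candidates in the order the OP's ldap_child log tried them (assumed, from the log).
CANDIDATES='Administrator@EXAMPLE.TEST dc1.example.test@EXAMPLE.TEST host/dc1.example.test@EXAMPLE.TEST'

echo "Principals in keytab:"
keytab_principals "$KLIST_OUTPUT"
echo
if authid=$(pick_sasl_authid "$KLIST_OUTPUT" "$CANDIDATES"); then
    echo "Use this in sssd.conf:"
    sssd_sasl_block "$authid"
else
    echo "None of the candidates is in the keytab; export one with:"
    echo "  samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/dc1.example.test@EXAMPLE.TEST"
fi
```

Administrator@EXAMPLE.TEST is deliberately absent from the constructed keytab, so the script reproduces the thread's situation (setting ldap_sasl_authid = Administrator cannot match) and falls through to the host/ principal, which is the kind of key a domain member normally does have.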




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba