On Fri, 2013-08-30 at 18:42 +0200, Luca Olivetti wrote:
> On 30/08/13 18:15, steve wrote:
> > On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
> >> On 30/08/13 15:48, Luca Olivetti wrote:
> >>> On 30/08/13 11:41, Rowland Penny wrote:
> >>>
> >>>> OK, try this sssd.conf that I have altered for your setup, it is based
> >>>> on the sssd.conf on the machine that I am typing this on and it works,
> >>>> you just need the krb5.keytab that I told you how to create earlier.
> >>> That was
> >>>
> >>> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
> >>> Administrator
> >>>
> >>
> >
> > Hi
> > This command dumps the _whole_ of the database to the keytab, so you
> > must choose which key you are going to use for:
> > ldap_sasl_authid
>
> Oops, I was just following instructions :-/
> I promise that, when everything is working, I'll read all the relevant
> manpages (I usually do it _before_ blindly typing what's been suggested,
> but...)
> ;-)
>
> >
> > If you really do need all the keys there then could you send us a
> > sanitised dump of the keytab so we can decide a good key to use? And more
> > importantly one which is definitely present?
> >
> > klist -k /etc/krb5.keytab
> >
> > It is generally recommended to only dump the keys you need.
>
> Which it does with the --principal option, yes?
> (but, as I just learned, each command *adds* to the keytab, so I have to
> delete the file first).
> BTW, if I use --principal=nslcd-connect it is listed 3 times:
>
> # klist -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 [email protected]
>    1 [email protected]
>    1 [email protected]
>
Fine. We can now say that nslcd is both in the keytab and in the database
on the DC (otherwise it wouldn't have dumped the key there). You have 3
entries corresponding to different encryption types. Use:

klist -ke

to see which they are. You don't need to know though.

> >
> > Have you dumped the Administrator key to the keytab? If it isn't in the
> > keytab it's not going to find a match either. Why not simply choose
> > something which you _do_ have?
> >
> > ldap_sasl_mech = gssapi
> > ldap_sasl_authid = something.you.do.have.in.the.keytab
> > ldap_krb5_keytab = /etc/krb5.keytab
>
> Again, I was following suggestions, anyway, both with -U and with
> --principal=nslcd-connect I was using an ldap_sasl_authid that was in
> the keytab (as per keytab -k), but the error is the same:
>
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
> mech: GSSAPI, user: nslcd-connect
> [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
> (-2)[Local error]
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
> message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Server not found in
> Kerberos database)]
>
> >
> > HTH to get us closer.
>
> I cannot thank you enough, but I feel I'm not getting any closer :-(

Well, let's see:
We can say for certain that /etc/krb5.keytab contains the key for
nslcd-connect. Make sure you have:

ldap_sasl_mech = gssapi
ldap_sasl_authid = [email protected]
ldap_krb5_keytab = /etc/krb5.keytab

(note, I think you had a different keytab in an older post. Lose it.)

Next, can you resolve the kerberos SRV record:

host -t SRV _kerberos._udp.dc1.wetron.es.

What do you have for /etc/krb5.conf

What does:

sssd --version

give?

Cheers,
Steve

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
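As an added diagnostic (not part of the thread above), the following shell check confirms that the `ldap_sasl_authid` configured in sssd.conf actually has an entry in the keytab, the condition Steve's reply insists on. It runs against constructed `klist -ke` output and a constructed config fragment; the realm EXAMPLE.REALM is a placeholder, not the poster's real realm.

```shell
# Constructed sample of `klist -ke /etc/krb5.keytab` output: one principal with
# three entries (one per encryption type), as in the thread. Realm is a placeholder.
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nslcd-connect@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   1 nslcd-connect@EXAMPLE.REALM (aes128-cts-hmac-sha1-96)
   1 nslcd-connect@EXAMPLE.REALM (arcfour-hmac)'

# Constructed sssd.conf fragment carrying the three settings from the thread.
SSSD_CONF='[domain/wetron.es]
ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-connect@EXAMPLE.REALM
ldap_krb5_keytab = /etc/krb5.keytab'

# Print the ldap_sasl_authid value from a config text (first match wins).
get_authid() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*ldap_sasl_authid[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Print how many keytab entries match the authid. With a realm ("user@REALM")
# the whole principal must match; without one only the part before '@' is
# compared, since the Kerberos library then supplies the default realm itself.
count_keytab_entries() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^[0-9]+$/ {                      # only KVNO rows, not the header
            split($2, parts, "@")
            if ((index(p, "@") && $2 == p) || (!index(p, "@") && parts[1] == p)) n++
        }
        END { print n + 0 }'
}

# Report the encryption types found for the configured authid; return 1 when the
# keytab has no matching key, which is what the GSSAPI bind needs to succeed.
check_sasl_authid() {
    authid=$(get_authid "$1")
    [ -n "$authid" ] || { echo "no ldap_sasl_authid in config"; return 1; }
    n=$(count_keytab_entries "$authid" "$2")
    if [ "$n" -eq 0 ]; then
        echo "ldap_sasl_authid '$authid' has no key in the keytab"
        return 1
    fi
    echo "ldap_sasl_authid '$authid' found ($n entries):"
    printf '%s\n' "$2" | awk -v p="${authid%%@*}" \
        '$1 ~ /^[0-9]+$/ { split($2, parts, "@"); if (parts[1] == p) print "  " $3 }'
}

check_sasl_authid "$SSSD_CONF" "$KLIST_OUT"
```

On a real host, replace the two constructed variables with `$(klist -ke /etc/krb5.keytab)` and `$(cat /etc/sssd/sssd.conf)` (run as root, since both files are normally mode 0600).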
