[Samba] objectClass:posixAccount missing

[Marc Muehlfeld]

Hello,

I start a new thread, because the other one meanwhile drifted far away
from what the OP asked. :-)


Am 27.08.2013 17:02, schrieb Luca Olivetti:
>> If you provisioned your domain with "--use-rfc2307", then in
>> Win7 ADUC you can see the posixAccount (UNIX Attributes) of
>> the users.
>
> I did a classicupgrade, not a provisioning, and I can see the
> unix attributes of the migrated users, the problem is the error
> message when modifying them and the fact that _new_ users don't
> have a "class: posixAccount" in the directory.


I rechecked this. My test environment was provisioned on 4.0.5 with
"--use-rfc2307" (I'm sure I did, because without that option, you also
doesn't have the cn=ypServ30,cn=RpcServices,cn=System,... subtree).

And I can confirm that new users doesn't get the
"objectclass:posixAccount" entry. Also new added groups doesn't have
"objectclass:posixGroup".

The "unix attributes" tab in ADUC (W7) is there and works fine on users.
On groups I can set values. But if I re-open this tab again, I get
"Unwilling to perform".

Does anybody have an idea on that? Do posixAccount/posixGroup
objectClasses have to be there normally?



Regards,
Marc

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

[steve]

On Tue, 2013-08-27 at 20:11 +0200, Marc Muehlfeld wrote:

> Do posixAccount/posixGroup
> objectClasses have to be there normally?

No. With the AD schema, you can use all of rfc2307 without the need for
the objectclassed which define them. Just add the attributes.
HTH
Steve

[Luca Olivetti]

Al 27/08/13 20:46, En/na steve ha escrit:

> On Tue, 2013-08-27 at 20:11 +0200, Marc Muehlfeld wrote:
>
>> Do posixAccount/posixGroup
>> objectClasses have to be there normally?
>
> No. With the AD schema, you can use all of rfc2307 without the need for
> the objectclassed which define them. Just add the attributes.

But then nslcd doesn't see them (and, yes, I removed the filters you
talked about in your previous message, I will worry later about sasl):

pagesize 1000
referrals off

map passwd homeDirectory UnixHomeDirectory
map passwd uid samAccountName

uid nslcd
gid ldap

uri ldap://127.0.0.1:389
base cn=Users,dc=wetron,dc=es #also tried dc=wetron,dc=es

binddn cn=nslcd-connect,cn=Users,dc=wetron,dc=es
bindpw -------

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[Rowland Penny]

On 27/08/13 19:56, Luca Olivetti wrote:
> Al 27/08/13 20:46, En/na steve ha escrit:
>> On Tue, 2013-08-27 at 20:11 +0200, Marc Muehlfeld wrote:
>>
>>> Do posixAccount/posixGroup
>>> objectClasses have to be there normally?
>> No. With the AD schema, you can use all of rfc2307 without the need for
>> the objectclassed which define them. Just add the attributes.
> But then nslcd doesn't see them (and, yes, I removed the filters you
> talked about in your previous message, I will worry later about sasl):

If nslcd needs the posix objectclasses, then that is their bug, windows
does not use them so Samba 4 doesn't either.

>
> pagesize 1000
> referrals off
>
> map passwd homeDirectory UnixHomeDirectory
> map passwd uid samAccountName
>
> uid nslcd
> gid ldap
>
> uri ldap://127.0.0.1:389
> base cn=Users,dc=wetron,dc=es #also tried dc=wetron,dc=es
>
> binddn cn=nslcd-connect,cn=Users,dc=wetron,dc=es
> bindpw -------
>
> Bye

Have you tried 'uri ldap://<servers FQDN>:389 ?

Rowland

[Gary Greene]

If you set it up with '--use-rfc2307', nslcd needs configured as though it is talking to an SFU 3.5 DC. The RFC 2307bis attributes never add additional classes to the AD member objects, even in an SFU environment.

--
Gary L. Greene, Jr.
Sr. Systems Administrator
IT Operations
Minerva Networks, Inc.
Cell: (650) 704-6633


________________________________________
From: samba-...@lists.samba.org [samba-...@lists.samba.org] on behalf of Rowland Penny [rowlan...@googlemail.com]
Sent: Tuesday, August 27, 2013 02:02 PM
To: sa...@lists.samba.org
Subject: Re: [Samba] objectClass:posixAccount missing

[Luca Olivetti]

Al 27/08/13 23:02, En/na Rowland Penny ha escrit:

> If nslcd needs the posix objectclasses, then that is their bug, windows
> does not use them so Samba 4 doesn't either.

I wouldn't be so sure, since many (all?) of the attributes specified by
rfc2307 are not needed by windows but are there for compatibility with unix.
I don't know what a real windows server does, but it seems it can work
with nslcd, see, e.g., here

https://help.ubuntu.com/community/ADWin2k8KerberosLDAP

"This document has been tested on Windows Server 2008 and Ubuntu 10.04."

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[Luca Olivetti]

Al 27/08/13 23:56, En/na Gary Greene ha escrit:

> If you set it up with '--use-rfc2307', nslcd needs configured as though it is talking to an SFU 3.5 DC. The RFC 2307bis attributes never add additional classes to the AD member objects, even in an SFU environment.

Thank you, that gave me an hint: I added a

filter passwd (objectclass=user)

to /etc/nslcd.conf

and that gave me the missing users.
I suppose I should add also a

filter group (objectclass=group)

for groups.

Note that those filters are also, e.g. here
https://help.ubuntu.com/community/ADWin2k8KerberosLDAP

but I overlooked them.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[steve]

On Wed, 2013-08-28 at 00:30 +0200, Luca Olivetti wrote:
> Al 27/08/13 23:56, En/na Gary Greene ha escrit:
>
> > If you set it up with '--use-rfc2307', nslcd needs configured as though it is talking to an SFU 3.5 DC. The RFC 2307bis attributes never add additional classes to the AD member objects, even in an SFU environment.
>
> Thank you, that gave me an hint: I added a
>
> filter passwd (objectclass=user)
>
> to /etc/nslcd.conf
>
> and that gave me the missing users.
> I suppose I should add also a
>
> filter group (objectclass=group)
>
> for groups.
>
> Note that those filters are also, e.g. here
> https://help.ubuntu.com/community/ADWin2k8KerberosLDAP
>
> but I overlooked them.

With recent versions of nslcd, neither of the filters are needed and
serve only to slow down lookups. All that is needed is:

uid nslcd
gid nslcd
uri ldap://your.f.q.d.n
base dc=foo,dc=bar
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm SOME.REALM
krb5_ccname /tmp/nslcd.tkt

hth to speed things up a little.
Steve

[steve]

On Wed, 2013-08-28 at 00:06 +0200, Luca Olivetti wrote:
> Al 27/08/13 23:02, En/na Rowland Penny ha escrit:
>
> > If nslcd needs the posix objectclasses, then that is their bug, windows
> > does not use them so Samba 4 doesn't either.
>
> I wouldn't be so sure, since many (all?) of the attributes specified by
> rfc2307 are not needed by windows but are there for compatibility with unix.
> I don't know what a real windows server does, but it seems it can work
> with nslcd, see, e.g., here
>
> https://help.ubuntu.com/community/ADWin2k8KerberosLDAP
>
> "This document has been tested on Windows Server 2008 and Ubuntu 10.04."
>

2008 does not add the posixAccount not posixGroup classes. Samba4 uses
the same schema. You can add them if you wish but they will be ignored.
nslcd works with both 2008 and Samba4 with exactly the same nslcd.conf
but be sure to use version 0.8.10 or above which contains all the AD
stuff.
HTH
Steve

[Rowland Penny]

On 27/08/13 23:06, Luca Olivetti wrote:
> Al 27/08/13 23:02, En/na Rowland Penny ha escrit:
>
>> If nslcd needs the posix objectclasses, then that is their bug, windows
>> does not use them so Samba 4 doesn't either.
> I wouldn't be so sure, since many (all?) of the attributes specified by
> rfc2307 are not needed by windows but are there for compatibility with unix.
> I don't know what a real windows server does, but it seems it can work
> with nslcd, see, e.g., here
>
> https://help.ubuntu.com/community/ADWin2k8KerberosLDAP
>
> "This document has been tested on Windows Server 2008 and Ubuntu 10.04."
>
>
> Bye

If nslcd wants to work with AD, it has to play by AD rules, and AD does
not use the posix objectclasses. If you want proof of this, create a
user with samba-tool, go to a windows pc with ADUC and add the posix
attributes. Now go back to the samba4 AD DC and examine the users DN,
you will not find the posix objectclasses, but you will find uidNumber etc.

Rowland

[Luca Olivetti]

Al 28/08/13 09:58, En/na steve ha escrit:

>> filter passwd (objectclass=user)
>>
>> to /etc/nslcd.conf
>>
>> and that gave me the missing users.
>> I suppose I should add also a
>>
>> filter group (objectclass=group)

[...]

> With recent versions of nslcd, neither of the filters are needed and
> serve only to slow down lookups. All that is needed is:

0.8.12 is not recent enough and those filters are needed.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[steve]

On Wed, 2013-08-28 at 13:17 +0200, Luca Olivetti wrote:
> Al 28/08/13 09:58, En/na steve ha escrit:
> >> filter passwd (objectclass=user)
> >>
> >> to /etc/nslcd.conf
> >>
> >> and that gave me the missing users.
> >> I suppose I should add also a
> >>
> >> filter group (objectclass=group)
>
> [...]
>
> > With recent versions of nslcd, neither of the filters are needed and
> > serve only to slow down lookups. All that is needed is:
>
> 0.8.12 is not recent enough and those filters are needed.

I'll try 0.8.12 later but I doubt it will have changed:
- - -
hh16:/home/steve # samba --version
Version 4.2.0pre1-GIT-617c647

hh16:/home/steve # nslcd --version
nss-pam-ldapd 0.8.10

uid nslcd-user
gid nslcd-user
uri ldap://hh3.site
base dc=hh3,dc=site

map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI

sasl_realm HH3.SITE
krb5_ccname /tmp/nslcd.tkt

hh16:/home/steve # k5start -v -f /etc/krb5.keytab -U -o nslcd-user -K
360 -k /tmp/nslcd.tkt &

hh16:/home/steve # getent passwd
...
steve2:*:3000021:20513:steve2:/home/users/steve2:/bin/bash
steve3:*:3000022:20513:steve3:/home/users/steve3:/bin/bash
...
- - -
Cheers,
Steve

[Luca Olivetti]

Al 28/08/13 13:43, En/na steve ha escrit:

>>
>> 0.8.12 is not recent enough and those filters are needed.
>
> I'll try 0.8.12 later but I doubt it will have changed:

I have 0.8.12

$ rpm -q nss-pam-ldapd
nss-pam-ldapd-0.8.12-3.mga3

With the filter (aimaretti is a migrated user, pruebaunix is a new user)

$ id aimaretti
uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
Users),675(intranet),676(portal),507(devel)
$ id pruebaunix
uid=10069(pruebaunix) gid=513(Domain Users) grups=513(Domain
Users),496(vcsa),675(intranet)


Without the filter


$ id aimaretti
uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
Users),675(intranet),676(portal),507(devel)
$ id pruebaunix
id: pruebaunix: l’usuari no existeix
$ LC_ALL=en id pruebaunix
id: pruebaunix: no such user

Do you think it's because I have specified a binddn and a bindpw?

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[steve]

On Wed, 2013-08-28 at 19:15 +0200, Luca Olivetti wrote:

>
>
> Without the filter
>
>
> $ id aimaretti
> uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
> Users),675(intranet),676(portal),507(devel)
> $ id pruebaunix
> id: pruebaunix: l’usuari no existeix
> $ LC_ALL=en id pruebaunix
> id: pruebaunix: no such user

Hi
OK then, so just compare the DN of aimaretti with that of pruebauinx.

Post them here if you like:

ldbsearch --url=/usr/local/samba/private/sam.ldb cn=aimaretti
and
ldbsearch --url=/usr/local/samba/private/sam.ldb cn=pruebaunix

Cheers,
Steve

[Luca Olivetti]

Al 28/08/13 19:30, En/na steve ha escrit:

> On Wed, 2013-08-28 at 19:15 +0200, Luca Olivetti wrote:
>
>>
>>
>> Without the filter
>>
>>
>> $ id aimaretti
>> uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
>> Users),675(intranet),676(portal),507(devel)
>> $ id pruebaunix
>> id: pruebaunix: l’usuari no existeix
>> $ LC_ALL=en id pruebaunix
>> id: pruebaunix: no such user
>
> Hi
> OK then, so just compare the DN of aimaretti with that of pruebauinx.
>
> Post them here if you like:

OK, but just to avoid you the hassle to compare the two, here is a
summary of the differences:

* pruebaunix is missing the posixAccount objectClass, the description
and homeDrive (though I don't think the last two are what's causing the
problem and the missing posixAccount is normal AD behavior)

* pruebaunix has the following fields not present in aimaretti:
-givenName
-msSFU3OName
-sn
-uid
-unixUserPassword
-userPrincipalName

>
> ldbsearch --url=/usr/local/samba/private/sam.ldb cn=aimaretti

# record 1
dn: CN=aimaretti,CN=Users,DC=wetron,DC=es
cn: aimaretti
instanceType: 4
whenCreated: 20130816222436.0Z
whenChanged: 20130816222436.0Z
uSNCreated: 5300
name: aimaretti
objectGUID: cf69597e-c29e-4734-8fee-0c5f261593b9
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1375475485-2168029398-3937786652-3468
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: aimaretti
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=wetron,DC=es
pwdLastSet: 129115956830000000
displayName: Alberto Aimaretti
homeDrive: U:
logonHours:: ////////////////////////////
userAccountControl: 512
description: Usuario Wetron
uidNumber: 1234
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
unixHomeDirectory: /home/aimaretti
loginShell: /bin/false
gidNumber: 513
msSFU30NisDomain: wetron
uSNChanged: 5304
memberOf: CN=devel,CN=Users,DC=wetron,DC=es
memberOf: CN=intranet,CN=Users,DC=wetron,DC=es
memberOf: CN=portal,CN=Users,DC=wetron,DC=es
distinguishedName: CN=aimaretti,CN=Users,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/CN=Configuration,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=DomainDnsZones,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=ForestDnsZones,DC=wetron,DC=es

# returned 4 records
# 1 entries
# 3 referrals

> and
> ldbsearch --url=/usr/local/samba/private/sam.ldb cn=pruebaunix

# Referral
ref: ldap://wetron.es/CN=Configuration,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=DomainDnsZones,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=ForestDnsZones,DC=wetron,DC=es

# returned 3 records
# 0 entries
# 3 referrals

(oops, I forgot that this user has a space in the cn, and, no, that's
not the problem, I have other users without a space in the cn, don't
mind the OU, it was an unrelated test, other users under CN=Users work
the same)

$ sudo /usr/local/samba/bin/ldbsearch
--url=/usr/local/samba/private/sam.ldb cn="prueba unix"
# record 1
dn: CN=prueba unix,OU=kk,DC=wetron,DC=es
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: prueba unix
sn: unix
givenName: prueba
instanceType: 4
whenCreated: 20130827101804.0Z
uSNCreated: 7219
name: prueba unix
objectGUID: deb50617-08a6-4c98-8d81-73c0134514ee
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1375475485-2168029398-3937786652-4011
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pruebaunix
sAMAccountType: 805306368
userPrincipalName: prueb...@wetron.es
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=wetron,DC=es
pwdLastSet: 130220722840000000
userAccountControl: 512
msSFU30Name: pruebaunix
unixUserPassword: ABCD!efgh12345$67890
uid: pruebaunix
msSFU30NisDomain: wetron
loginShell: /bin/sh
unixHomeDirectory: /home/pruebaunix
uidNumber: 10069
displayName: pruebaunix
gidNumber: 513
memberOf: CN=intranet,CN=Users,DC=wetron,DC=es
memberOf: CN=brmuestra,CN=Users,DC=wetron,DC=es
whenChanged: 20130828004001.0Z
uSNChanged: 7249
distinguishedName: CN=prueba unix,OU=kk,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/CN=Configuration,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=DomainDnsZones,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=ForestDnsZones,DC=wetron,DC=es

# returned 4 records
# 1 entries
# 3 referrals

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[Luca Olivetti]

Al 28/08/13 20:11, En/na steve ha escrit:

> Hi
> Without objectClass: posixAccount
> you need the filter for nslcd.
>
> IOW, for AD, you either must add it yourself or use the nslcd filter.
>
> Windows does not need the objectClass. nslcd does unless you want to
> filter everything.

Thank you, I though that was the case.
It's something that Marc will have to specify in the howto.

[steve]

On Wed, 2013-08-28 at 19:15 +0200, Luca Olivetti wrote:

> Al 28/08/13 13:43, En/na steve ha escrit:
>
> >>
> >> 0.8.12 is not recent enough and those filters are needed.
> >
> > I'll try 0.8.12 later but I doubt it will have changed:
>
> I have 0.8.12
>
> $ rpm -q nss-pam-ldapd
> nss-pam-ldapd-0.8.12-3.mga3
>
> With the filter (aimaretti is a migrated user, pruebaunix is a new user)
>
> $ id aimaretti
> uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
> Users),675(intranet),676(portal),507(devel)
> $ id pruebaunix
> uid=10069(pruebaunix) gid=513(Domain Users) grups=513(Domain
> Users),496(vcsa),675(intranet)
>
>
> Without the filter
>
>
> $ id aimaretti
> uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
> Users),675(intranet),676(portal),507(devel)
> $ id pruebaunix
> id: pruebaunix: l’usuari no existeix
> $ LC_ALL=en id pruebaunix
> id: pruebaunix: no such user
>
> Do you think it's because I have specified a binddn and a bindpw?

Hi

Without objectClass: posixAccount
you need the filter for nslcd.

IOW, for AD, you either must add it yourself or use the nslcd filter.

Windows does not need the objectClass. nslcd does unless you want to
filter everything.

HTH
Steve

[steve]

On Wed, 2013-08-28 at 20:18 +0200, Luca Olivetti wrote:
> Al 28/08/13 20:11, En/na steve ha escrit:
>
> > Hi
> > Without objectClass: posixAccount
> > you need the filter for nslcd.
> >
> > IOW, for AD, you either must add it yourself or use the nslcd filter.
> >
> > Windows does not need the objectClass. nslcd does unless you want to
> > filter everything.
>
> Thank you, I though that was the case.
> It's something that Marc will have to specify in the howto.

Hi
Yeah, nslcd works well, but for AD funcionality and speed, sssd is the
only way to go for nss on Samba4 or any m$ server.
Just my €0.02

[Luca Olivetti]

Al 28/08/13 23:09, En/na steve ha escrit:

> Yeah, nslcd works well, but for AD funcionality and speed, sssd is the
> only way to go for nss on Samba4 or any m$ server.
> Just my €0.02

I'll try it. I only used nslcd because that's what was suggested in the
samba wiki.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[Marc Muehlfeld]

Am 29.08.2013 00:10, schrieb Luca Olivetti:
>> Yeah, nslcd works well, but for AD funcionality and speed, sssd is the
>> only way to go for nss on Samba4 or any m$ server.
>> Just my €0.02
>
> I'll try it. I only used nslcd because that's what was suggested in the
> samba wiki.

The Winbind and sssd Howto isn't finished yet. Currently I don't have to
much time, but I'm working on. :-)

Regards,
Marc

[Luca Olivetti]

Al 29/08/13 01:30, En/na Marc Muehlfeld ha escrit:

> Am 29.08.2013 00:10, schrieb Luca Olivetti:
>>> Yeah, nslcd works well, but for AD funcionality and speed, sssd is the
>>> only way to go for nss on Samba4 or any m$ server.
>>> Just my €0.02
>>
>> I'll try it. I only used nslcd because that's what was suggested in the
>> samba wiki.
>
> The Winbind and sssd Howto isn't finished yet. Currently I don't have to
> much time, but I'm working on. :-)

Don't worry, given that samba4 should work as a windows server, there
are many tutorials that explain how to configure sssd against active
directory (though my attempts so fare have been unsuccessful).

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[steve]

On Thu, 2013-08-29 at 01:30 +0200, Marc Muehlfeld wrote:
> Am 29.08.2013 00:10, schrieb Luca Olivetti:
> >> Yeah, nslcd works well, but for AD funcionality and speed, sssd is the
> >> only way to go for nss on Samba4 or any m$ server.
> >> Just my €0.02
> >
> > I'll try it. I only used nslcd because that's what was suggested in the
> > samba wiki.
>
> The Winbind and sssd Howto isn't finished yet. Currently I don't have to
> much time, but I'm working on. :-)

We have sssd covered here:
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html

sssd 1.11.1 was released today. I'll report back:)

HTH
Steve

[Luca Olivetti]

Al 29/08/13 12:06, En/na steve ha escrit:

> We have sssd covered here:
> http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html

Well, that's doesn't seem to be complete (at least to a kerberos newbie
like me).

For example, it's missing the step to create /etc/krb5.keytab
I used

/usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab
--principal=HP$

but then sssd complains that

[[sssd[ldap_child[2300]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
name is: [HP$@WETRON.ES]
[[sssd[ldap_child[2300]]]] [ldap_child_get_tgt_sync] (0x0100): Using
keytab [/etc/krb5.keytab]
[[sssd[ldap_child[2300]]]] [ldap_child_get_tgt_sync] (0x0100): Will
canonicalize principals
[[sssd[ldap_child[2300]]]] [prepare_response] (0x0400): Building
response for result [0]
[[sssd[ldap_child[2300]]]] [main] (0x0400): ldap_child completed
successfully
[sssd[be[default]]] [read_pipe_handler] (0x0400): EOF received, client
finished
[sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377842615]
[sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech:
gssapi, user: HP$
[sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
(-2)[Local error]
[sssd[be[default]]] [sasl_bind_send] (0x0080): Extended failure message:
[SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Server not found in Kerberos
database)]


BTW, installing sssd from rpm (mageia 3, which provides 1.9.4) causes
locally built samba to not start anymore (since there is some
conflicting library and samba will use the "bad" library in /usr/lib64
instead of the one under /usr/local/samba), so, in my specific case, I
cannot really say 'you'll not believe how simple this is' ;-)

nslcd seems simpler (at least I got it working)

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[steve]

Oooof. ¡Doloroso!
Marc's howto will be here soon:)

[Rowland Penny]

Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U
Administrator'

Rowland

[Luca Olivetti]

Al 29/08/13 21:15, En/na Luca Olivetti ha escrit:
> Al 29/08/13 21:02, En/na Rowland Penny ha escrit:

>
>> Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U
>> Administrator'
>

> Thank you, that worked *but* we're back to square one: migrated users
> (with the posixAccount class) show up but new users don't.

Oops, sorry, actually it didn't work, I forgot that in the meantime I
changed nsswitch.conf to use ldap instead of nss :-(

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[Luca Olivetti]

Al 29/08/13 21:02, En/na Rowland Penny ha escrit:

> Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U
> Administrator'

Thank you, that worked *but* we're back to square one: migrated users
(with the posixAccount class) show up but new users don't.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[Rowland Penny]

On 29/08/13 20:17, Luca Olivetti wrote:
> Al 29/08/13 21:15, En/na Luca Olivetti ha escrit:
>> Al 29/08/13 21:02, En/na Rowland Penny ha escrit:
>>
>>> Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U
>>> Administrator'
>> Thank you, that worked *but* we're back to square one: migrated users
>> (with the posixAccount class) show up but new users don't.
> Oops, sorry, actually it didn't work, I forgot that in the meantime I
> changed nsswitch.conf to use ldap instead of nss :-(
>
> Bye

Sorry but I am losing the plot here a bit, I thought because you wanted
the keytab, you were now trying to get sssd to work.

Rowland

[Rowland Penny]

On 29/08/13 20:41, Luca Olivetti wrote:
> Al 29/08/13 21:20, En/na Rowland Penny ha escrit:

>> On 29/08/13 20:17, Luca Olivetti wrote:
>>> Al 29/08/13 21:15, En/na Luca Olivetti ha escrit:
>>>> Al 29/08/13 21:02, En/na Rowland Penny ha escrit:
>>>>
>>>>> Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U
>>>>> Administrator'
>>>> Thank you, that worked *but* we're back to square one: migrated users
>>>> (with the posixAccount class) show up but new users don't.
>>> Oops, sorry, actually it didn't work, I forgot that in the meantime I
>>> changed nsswitch.conf to use ldap instead of nss :-(
>>>
>>> Bye
>> Sorry but I am losing the plot here a bit, I thought because you wanted
>> the keytab, you were now trying to get sssd to work.

> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
> to ldap, so I thought your suggestion was working while it actually
> wasn't (same error with Administrator as with HP$).
>
> Bye
Hi, I am replying to you on list, could you please post your sssd.conf
and what version of sssd you are using, also what is your OS

[Luca Olivetti]

Al 29/08/13 21:54, En/na Rowland Penny ha escrit:

>> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
>> to ldap, so I thought your suggestion was working while it actually
>> wasn't (same error with Administrator as with HP$).
>>
>> Bye
> Hi, I am replying to you on list, could you please post your sssd.conf
> and what version of sssd you are using, also what is your OS

OK, now I got sssd working *but* without kerberos.
The OS is Linux, mageia 3, sssd is 1.9.4, the sssd.conf is just like the
one posted by steve
(http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html)
modified for my domain and with kerberos options commented out of the way:

[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[domain/default]
ldap_schema = rfc2307bis
access_provider = simple
enumerate = FALSE
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
#krb5_realm = WETRON.ES
#krb5_server = hp.wetron.es
#krb5_kpasswd = hp.wetron.es
ldap_referrals = false
ldap_uri = ldap://localhost/
ldap_search_base = dc=wetron,dc=es
#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=wetron,dc=es
ldap_group_name = cn
ldap_group_member = member
#ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*))
#dap_sasl_mech = gssapi
#ldap_sasl_authid = nslcd-connect
##for the client use:
## ldap_sasl_authid=ALGORFA$
#ldap_krb5_keytab = /etc/krb5.sssd.keytab
#ldap_krb5_init_creds = true
ldap_id_use_start_tls = false
ldap_default_bind_dn = cn=nslcd-connect,cn=Users,dc=wetron,dc=es
ldap_default_authtok_type = password
ldap_default_authtok = -------

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[steve]

On Fri, 2013-08-30 at 00:34 +0200, Luca Olivetti wrote:
> Al 29/08/13 21:54, En/na Rowland Penny ha escrit:
>
> >> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
> >> to ldap, so I thought your suggestion was working while it actually
> >> wasn't (same error with Administrator as with HP$).
> >>
> >> Bye
> > Hi, I am replying to you on list, could you please post your sssd.conf
> > and what version of sssd you are using, also what is your OS
>
> OK, now I got sssd working *but* without kerberos.

Hi
I'm not sure what you want. Is this now EOT or do you want to go on and
debug to get gssapi?

If you wish to go on:
samba-tool domain exportkeytab /etc/krb5.sssd.keytab
--principal=nslcd-connect
(You may already have this from your nslcd config)
Kill all nslcd processes.

ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-connect
ldap_krb5_keytab = /etc/krb5.sssd.keytab

To get full benefit from sssd I'd recommend the latest version which has
a proper AD backend. e.g. sssd version 1.11.1 gives you id and getent
without requiring the posixAccount objectClass.

1.11.1 is available here:
https://fedorahosted.org/released/sssd/sssd-1.11.0.tar.gz

Salu2 y suerte,
Steve

[Rowland Penny]

OK, try this sssd.conf that I have altered for your setup, it is based
on the sssd.conf on the machine that I am typing this on and it works,
you just need the krb5.keytab that I told you how to create earlier.

[sssd]
config_file_version = 2
domains = wetron.es
services = nss, pam

[nss]

[pam]

[domain/wetron.es]
description = AD domain with Samba 4 server
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

krb5_server = hp.wetron.es
krb5_kpasswd = hp.wetron.es
krb5_realm = WETRON.ES

ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

ldap_group_object_class = group
ldap_group_name = sAMAccountName


Rowland

[Luca Olivetti]

Al 30/08/13 10:11, En/na steve ha escrit:

> On Fri, 2013-08-30 at 00:34 +0200, Luca Olivetti wrote:
>> Al 29/08/13 21:54, En/na Rowland Penny ha escrit:
>>
>>>> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
>>>> to ldap, so I thought your suggestion was working while it actually
>>>> wasn't (same error with Administrator as with HP$).
>>>>
>>>> Bye
>>> Hi, I am replying to you on list, could you please post your sssd.conf
>>> and what version of sssd you are using, also what is your OS
>>
>> OK, now I got sssd working *but* without kerberos.
>
> Hi
> I'm not sure what you want. Is this now EOT or do you want to go on and
> debug to get gssapi?

Well, I'd like to get gssapi working

>
> If you wish to go on:
> samba-tool domain exportkeytab /etc/krb5.sssd.keytab
> --principal=nslcd-connect
> (You may already have this from your nslcd config)

done

> Kill all nslcd processes.

done

>
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = nslcd-connect
> ldap_krb5_keytab = /etc/krb5.sssd.keytab

done, but when I try, say, "id oscar"

[sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling
ldap_search_ext with
[(&(samAccountName=oscar)(objectclass=user))][dc=wetron,dc=es].
[sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result:
Operations error(1), 00002020: Operation unavailable without authentication
[sssd[be[default]]] [sdap_get_generic_ext_done] (0x0040): Unexpected
result from ldap: Operations error(1), 00002020: Operation unavailable
without authentication
[sssd[be[default]]] [sdap_get_generic_done] (0x0100):
sdap_get_generic_ext_recv failed [5]: Error d’Entrada/Sortida

> To get full benefit from sssd I'd recommend the latest version which has
> a proper AD backend. e.g. sssd version 1.11.1 gives you id and getent
> without requiring the posixAccount objectClass.

I don't need it even with the version I have.

Thank you

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[Luca Olivetti]

Al 30/08/13 11:41, En/na Rowland Penny ha escrit:

> OK, try this sssd.conf that I have altered for your setup, it is based
> on the sssd.conf on the machine that I am typing this on and it works,
> you just need the krb5.keytab that I told you how to create earlier.

That was

/usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
Administrator

yes?

[[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
trying to select the most appropriate principal from keytab
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching template....@WETRON.ES found in keytab.
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching TEMPLATE$@WETRON.ES found in keytab.
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
principal matching host/template....@WETRON.ES found in keytab.
[[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
Selected principal: dept-66f575a885$@WETRON.ES
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Principal
name is: [dept-66f575a885$@WETRON.ES]
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Using
keytab [default]
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Will
canonicalize principals
[[sssd[ldap_child[8011]]]] [prepare_response] (0x0400): Building
response for result [0]
[[sssd[ldap_child[8011]]]] [main] (0x0400): ldap_child completed
successfully
[sssd[be[wetron.es]]] [read_pipe_handler] (0x0400): EOF received, client
finished
[sssd[be[wetron.es]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0
[FILE:/var/lib/sss/db/ccache_WETRON.ES], expired on [1377878906]
[sssd[be[wetron.es]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
mech: GSSAPI, user: (null)
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
(-2)[Local error]
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure

message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure. Minor code may provide more information (Server not found in
Kerberos database)]

Note that I get the last error even if I add

ldap_sasl_authid = Administrator

in sssd.conf

(Of course in that case I don't get the "No principal matching..."
messages but the outcome is the same).

I suppose there is some additional step to perform (apart from
extracting the keytab).

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[Rowland Penny]

On 30/08/13 15:48, Luca Olivetti wrote:
> Al 30/08/13 11:41, En/na Rowland Penny ha escrit:
>
>> OK, try this sssd.conf that I have altered for your setup, it is based
>> on the sssd.conf on the machine that I am typing this on and it works,
>> you just need the krb5.keytab that I told you how to create earlier.
> That was
>
> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
> Administrator
>
> yes?

Correct, though I do not understand why you are using the full path to
samba-tool

Where did you get samba4 from, did you compile it yourself? what
version? what OS are you using, if you did compile it yourself, what
packages did you install before compiling.

> Note that I get the last error even if I add
>
> ldap_sasl_authid = Administrator
>
> in sssd.conf

The sssd.conf I supplied is a known working one, all I changed is the
domain name and server address from mine.

> (Of course in that case I don't get the "No principal matching..."
> messages but the outcome is the same).
>
> I suppose there is some additional step to perform (apart from
> extracting the keytab).
>
>
> Bye

You could try stopping sssd and then remove the sssd databases: rm -f
/var/lib/sss/db/* (this is on Ubuntu)

All I do is:
Export keytab: samba-tool domain exportkeytab /etc/krb5.keytab -U
Administrator
Install sssd sssd-tools via package manager
alter /etc/sssd/sssd.conf as per the one I supplied
remove the sssd databases
start sssd

It should now work, provided that the uidNumber, gidNumber, etc are in
each users DN, you do not need the posix objectClasses.

Rowland

[steve]

On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
> On 30/08/13 15:48, Luca Olivetti wrote:
> > Al 30/08/13 11:41, En/na Rowland Penny ha escrit:
> >
> >> OK, try this sssd.conf that I have altered for your setup, it is based
> >> on the sssd.conf on the machine that I am typing this on and it works,
> >> you just need the krb5.keytab that I told you how to create earlier.
> > That was
> >
> > /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
> > Administrator
> >
>

Hi
This command dumps the _whole_ of the database to the keytab, so you
must choose which key you are going to use for:
ldap_sasl_authid

If you really do need al the keys there then could you send us a
santised dump of the keytab so we can decide a good key to use? And more
importantly one which is definitely present?

klist -k /etc/krb5.keytab

It is generally recommended to only dump the keys you need.

Have you dumped the Administrator key to the keytab? If it isn't in the
keytab it's not going to find a match either. Why not simply choose
something which you _do_ have?

ldap_sasl_mech = gssapi
ldap_sasl_authid = something.you.do.have.in.the.keytab
ldap_krb5_keytab = /etc/krb5.keytab

HTH to get us closer.
Cheers,
Steve

[Luca Olivetti]

Al 30/08/13 17:05, En/na Rowland Penny ha escrit:

> Correct, though I do not understand why you are using the full path to
> samba-tool

Because it's not in PATH

> Where did you get samba4 from, did you compile it yourself?

Yes

> what
> version?

4.0.8 (4.0.9 wasn't yet available when I started the experiment)

> what OS are you using, if you did compile it yourself, what
> packages did you install before compiling.

I'm using linux, mageia 3, I installed every -devel package providing
the .h files I saw in ./configure output (minus libldb since the
packaged one is not compatible with samba 4 and would produce a non
working samba)

> You could try stopping sssd and then remove the sssd databases: rm -f
> /var/lib/sss/db/* (this is on Ubuntu)

Already done

>
> All I do is:
> Export keytab: samba-tool domain exportkeytab /etc/krb5.keytab -U
> Administrator

Done

> Install sssd sssd-tools via package manager

Done (well, I actually I didn't install sssd-tools, but I did now and it
changed nothing).

> alter /etc/sssd/sssd.conf as per the one I supplied
> remove the sssd databases
> start sssd

Done

Maybe one of the post-install script in one of the ubuntu packages
performs automatically one of the missing steps?

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[Rowland Penny]

On 30/08/13 17:15, steve wrote:
> On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
>> On 30/08/13 15:48, Luca Olivetti wrote:
>>> Al 30/08/13 11:41, En/na Rowland Penny ha escrit:
>>>
>>>> OK, try this sssd.conf that I have altered for your setup, it is based
>>>> on the sssd.conf on the machine that I am typing this on and it works,
>>>> you just need the krb5.keytab that I told you how to create earlier.
>>> That was
>>>
>>> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
>>> Administrator
>>>
> Hi
> This command dumps the _whole_ of the database to the keytab, so you
> must choose which key you are going to use for:
> ldap_sasl_authid
>
> If you really do need al the keys there then could you send us a
> santised dump of the keytab so we can decide a good key to use? And more
> importantly one which is definitely present?
>
> klist -k /etc/krb5.keytab
>
> It is generally recommended to only dump the keys you need.

Hi Steve, lets just get something to work for the OP first.

[Luca Olivetti]

Al 30/08/13 18:15, En/na steve ha escrit:

> On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
>> On 30/08/13 15:48, Luca Olivetti wrote:
>>> Al 30/08/13 11:41, En/na Rowland Penny ha escrit:
>>>
>>>> OK, try this sssd.conf that I have altered for your setup, it is based
>>>> on the sssd.conf on the machine that I am typing this on and it works,
>>>> you just need the krb5.keytab that I told you how to create earlier.
>>> That was
>>>
>>> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
>>> Administrator
>>>
>>
>
> Hi
> This command dumps the _whole_ of the database to the keytab, so you
> must choose which key you are going to use for:
> ldap_sasl_authid

Oops, I was just following instructions :-/
I promise that, when everything is working, I'll read all the relevant
manpages (I usually do it _before_ blindly typing what's been suggested,
but...)
;-)

>
> If you really do need al the keys there then could you send us a
> santised dump of the keytab so we can decide a good key to use? And more
> importantly one which is definitely present?
>
> klist -k /etc/krb5.keytab
>
> It is generally recommended to only dump the keys you need.

Which it does with the --principal option, yes?
(but, as I just learned, each command *adds* to the keytab, so I have to
delete the file first).
BTW, if I use --principal=nslcd-connect it is listed 3 times:

# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
1 nslcd-...@WETRON.ES
1 nslcd-...@WETRON.ES
1 nslcd-...@WETRON.ES

>
> Have you dumped the Administrator key to the keytab? If it isn't in the
> keytab it's not going to find a match either. Why not simply choose
> something which you _do_ have?
>
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = something.you.do.have.in.the.keytab
> ldap_krb5_keytab = /etc/krb5.keytab

Again, I was following suggestions, anyway, both with -U and with
--principal=nslcd-connect I was using an ldap_sasl_authid that was in
the keytab (as per keytab -k), but the error is the same:

[sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind

mech: GSSAPI, user: nslcd-connect
[sssd[nss]] [client_recv] (0x0200): Client disconnected!

[sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
(-2)[Local error]
[sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure. Minor code may provide more information (Server not found in
Kerberos database)]

> HTH to get us closer.

I cannot thank you enough, but I feel I'm not getting any closer :-(

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[steve]

On Fri, 2013-08-30 at 17:45 +0100, Rowland Penny wrote:


> Hi Steve, lets just get something to work for the OP first.

Agreed.

It seems we now at least have a keytab that we can use for certain. Pls
see my interim post.

[steve]

Fine. We can now say that nscld is both in the keytab and in the databas
on the DC (otherwise it wouldn't have dumped the key there)
You have 3 entries corresponding to different encryption types. Use:
klist -ke
to see which they are. You don't need to know though.

> >
> > Have you dumped the Administrator key to the keytab? If it isn't in the
> > keytab it's not going to find a match either. Why not simply choose
> > something which you _do_ have?
> >
> > ldap_sasl_mech = gssapi
> > ldap_sasl_authid = something.you.do.have.in.the.keytab
> > ldap_krb5_keytab = /etc/krb5.keytab
>
> Again, I was following suggestions, anyway, both with -U and with
> --principal=nslcd-connect I was using an ldap_sasl_authid that was in
> the keytab (as per keytab -k), but the error is the same:
>
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0100): Executing sasl bind
> mech: GSSAPI, user: nslcd-connect
> [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed
> (-2)[Local error]
> [sssd[be[wetron.es]]] [sasl_bind_send] (0x0080): Extended failure
> message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Server not found in
> Kerberos database)]
>
>
> > HTH to get us closer.
>
> I cannot thank you enough, but I feel I'm not getting any closer :-(

Bueno, a ver:
We can say for certain that /etc/krb5.keytab contains the key for
nslcd-connect
make sure you have:

ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-...@WETRON.ES
ldap_krb5_keytab = /etc/krb5.keytab

(note, I think you had a different keytab in an older post. Lose it.)

Next, can you resolve the kerberos SRV record:
host -t SRV _kerberos._udp.dc1.wetron.es.

What do you have for /etc/krb5.conf

What does:
sssd --version
give?

Cheers,
Steve

[Rowland Penny]

On 30/08/13 17:26, Luca Olivetti wrote:
> Al 30/08/13 17:05, En/na Rowland Penny ha escrit:
>
>> Correct, though I do not understand why you are using the full path to
>> samba-tool
> Because it's not in PATH

Then you need to alter your PATH environmental variable, I do this on
Ubuntu:

echo "PATH=/usr/local/samba/bin:/usr/local/samba/sbin:\$PATH" >
/etc/profile.d/samba4.sh
export PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH

>
>> Where did you get samba4 from, did you compile it yourself?
> Yes
>
>> what
>> version?
> 4.0.8 (4.0.9 wasn't yet available when I started the experiment)
>
>> what OS are you using, if you did compile it yourself, what
>> packages did you install before compiling.
> I'm using linux, mageia 3, I installed every -devel package providing
> the .h files I saw in ./configure output (minus libldb since the
> packaged one is not compatible with samba 4 and would produce a non
> working samba)

Then the package names needed to compile samba are probably the same as
RHEL:

gcc libacl-devel libblkid-devel gnutls-devel \
readline-devel python-devel gdb pkgconfig krb5-workstation \
zlib-devel setroubleshoot-server libaio-devel \
setroubleshoot-plugins policycoreutils-python \
libsemanage-python setools-libs-python setools-libs \
popt-devel libpcap-devel sqlite-devel libidn-devel \
libxml2-devel libacl-devel libsepol-devel libattr-devel \
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils

The above was taken from:
https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Red_Hat_Enterprise_Linux_or_CentOS

Check that you have all the above installed and if not, install what
ever is missing and recompile samba 4
Also, it may help if you try another OS, no disrespect, but Mageia is
not really what I would call a server distro and is probably not used by
many people to run samba 4 on, so you will struggle to get precise help
here (ducks as thousands of people reply saying I use Mageia ;-) )

Rowland

>
>> You could try stopping sssd and then remove the sssd databases: rm -f
>> /var/lib/sss/db/* (this is on Ubuntu)
> Already done
>
>> All I do is:
>> Export keytab: samba-tool domain exportkeytab /etc/krb5.keytab -U
>> Administrator
> Done
>
>> Install sssd sssd-tools via package manager
> Done (well, I actually I didn't install sssd-tools, but I did now and it
> changed nothing).
>
>
>> alter /etc/sssd/sssd.conf as per the one I supplied
>> remove the sssd databases
>> start sssd
> Done
>
> Maybe one of the post-install script in one of the ubuntu packages
> performs automatically one of the missing steps?
>
> Bye

--

[Luca Olivetti]

Al 30/08/13 18:54, En/na steve ha escrit:

> Bueno, a ver:
> We can say for certain that /etc/krb5.keytab contains the key for
> nslcd-connect
> make sure you have:
>
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = nslcd-...@WETRON.ES
> ldap_krb5_keytab = /etc/krb5.keytab
>
> (note, I think you had a different keytab in an older post. Lose it.)

Done

>
> Next, can you resolve the kerberos SRV record:
> host -t SRV _kerberos._udp.dc1.wetron.es.

It doesn't resolve, but _kerberos._udp.wetron.es. does

_kerberos._udp.wetron.es has SRV record 0 100 88 hp.wetron.es.

>
> What do you have for /etc/krb5.conf

[libdefaults]
default_realm = WETRON.ES
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
WETRON.ES = {
kdc = 192.168.4.101
admin_server = 192.168.4.101

}


>
> What does:
> sssd --version
> give?

1.9.4

In case it matters, sasl is 2.1.25, and I have the relevant plugins
installed:

# rpm -qa *sasl*
lib64sasl2-plug-sasldb-2.1.25-12.mga3
lib64sasl2-2.1.25-12.mga3
cyrus-sasl-2.1.25-12.mga3
lib64sasl2-plug-login-2.1.25-12.mga3
lib64sasl2-plug-plain-2.1.25-12.mga3
lib64sasl2-plug-ldapdb-2.1.25-12.mga3
lib64sasl2-plug-gssapi-2.1.25-12.mga3
lib64sasl2-devel-2.1.25-12.mga3

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[Luca Olivetti]

Al 30/08/13 19:00, En/na Rowland Penny ha escrit:

>
> The above was taken from:
> https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Red_Hat_Enterprise_Linux_or_CentOS

Yes, I read the wiki before starting, I have all the dependencies installed

>
> Check that you have all the above installed and if not, install what
> ever is missing and recompile samba 4
> Also, it may help if you try another OS, no disrespect, but Mageia is
> not really what I would call a server distro and is probably not used by
> many people to run samba 4 on, so you will struggle to get precise help
> here (ducks as thousands of people reply saying I use Mageia ;-) )

Thank you, but I will do with generic help, I can perform the necessary
"translations". I tried other distributions and I found them lacking
(probably because I'm just used to mageia), usually the server packages
in mageia (and mandriva before it) have been top notch, samba 4 is not
packaged (yet) but it will be soon.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[steve]

On Fri, 2013-08-30 at 19:21 +0200, Luca Olivetti wrote:
> Al 30/08/13 18:54, En/na steve ha escrit:
>
> > Bueno, a ver:
> > We can say for certain that /etc/krb5.keytab contains the key for
> > nslcd-connect
> > make sure you have:
> >
> > ldap_sasl_mech = gssapi
> > ldap_sasl_authid = nslcd-...@WETRON.ES
> > ldap_krb5_keytab = /etc/krb5.keytab
> >
> > (note, I think you had a different keytab in an older post. Lose it.)
>
> Done
>
> >
> > Next, can you resolve the kerberos SRV record:
> > host -t SRV _kerberos._udp.dc1.wetron.es.
>
> It doesn't resolve, but _kerberos._udp.wetron.es. does
>
> _kerberos._udp.wetron.es has SRV record 0 100 88 hp.wetron.es.
>
>

That's good. Sorry, I didn't know your domain or hostnames

> >
> > What do you have for /etc/krb5.conf
>
> [libdefaults]
> default_realm = WETRON.ES
> dns_lookup_realm = true
> dns_lookup_kdc = true

Remove the [realms] section and change:
dns_lookup_realm = false

(I'm assuming that this is a single DC)

I also have:
cyrus-sasl-32bit

Now go through everything in the thread, clear everything
in /var/lib/sss/db/* and restart sssd. Make sure that nscd is not
running.
HTH
Steve

[steve]

On Fri, 2013-08-30 at 19:30 +0200, Luca Olivetti wrote:
> Al 30/08/13 19:00, En/na Rowland Penny ha escrit:
>
> >
> > The above was taken from:
> > https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Red_Hat_Enterprise_Linux_or_CentOS
>
> Yes, I read the wiki before starting, I have all the dependencies installed
>
> >
> > Check that you have all the above installed and if not, install what
> > ever is missing and recompile samba 4
> > Also, it may help if you try another OS, no disrespect, but Mageia is
> > not really what I would call a server distro and is probably not used by
> > many people to run samba 4 on, so you will struggle to get precise help
> > here (ducks as thousands of people reply saying I use Mageia ;-) )
>
> Thank you, but I will do with generic help, I can perform the necessary
> "translations". I tried other distributions and I found them lacking
> (probably because I'm just used to mageia), usually the server packages
> in mageia (and mandriva before it) have been top notch, samba 4 is not
> packaged (yet) but it will be soon.

Just thinking out loud but there have been problems with nslcd and I
think winbind too before this. I don't know if this be possible and I
know that the devs would frown upon it, but maybe we've reached the time
for a rebuild over bare metal. Rowlands suggestion of a recompile gets a
+1 from me.
Cheers,
Steve

[Rowland Penny]

Hi, How about this for an idea, get the OP to create a VM on Mageia,
install Ubuntu 12.04 or Centos 6.4 in it and then compile samba 4 on the
VM. Then setup winbind or nslcd or sssd on it, once this is working the
OP can work out to get the setup to run on Mageia himself.

RFowlanf

[steve]

Yep. +1 for the Ubuntu vm. We go for a git master because you can add
rfc2307 via samba-tool. Aim: To produce a Samba4 stand alone DC with a
single user. getent passwd user returns his rfc2307 from the directory.
Any takers?
Steve

[Rowland Penny]

Hi Steve, the idea was for the OP to create the VM and we could talk him
through setting up samba 4 on it.
I think that he may just be the only person in the world that is trying
to use Mageia for samba 4, so we need to show him how to setup samba 4
on a main stream distro, this should then help him to work out where he
is going wrong with his setup.

Rowland

[Luca Olivetti]

Al 30/08/13 19:43, En/na steve ha escrit:

> Now go through everything in the thread, clear everything
> in /var/lib/sss/db/* and restart sssd. Make sure that nscd is not
> running.

Casi, casi...

OK, I found the problem of the "server not found in kerberos database"
(well, actually it was google that found it):

http://technet.microsoft.com/en-us/library/bb463167.aspx

It turns out that the hostname didn't match the netbios name.
I changed the hostname to match and automagically that error
disappeared. I have a more serious problem now, hinting that maybe I
need to recompile sasl, i.e. I have a segfault (actually many) in it:


sssd_be[1795]: segfault at 0 ip 00007f326fd66f7d sp 00007fff2bd7afd0
error 6 in libgssapiv2.so[7f326fd64000+7000]

I'll keep trying

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[Matthew Daubenspeck]

On Fri, Aug 30, 2013 at 08:14:56PM +0200, steve wrote:
> > Hi, How about this for an idea, get the OP to create a VM on Mageia,
> > install Ubuntu 12.04 or Centos 6.4 in it and then compile samba 4 on the
> > VM. Then setup winbind or nslcd or sssd on it, once this is working the
> > OP can work out to get the setup to run on Mageia himself.
> >
> > RFowlanf
>
> Yep. +1 for the Ubuntu vm. We go for a git master because you can add
> rfc2307 via samba-tool. Aim: To produce a Samba4 stand alone DC with a
> single user. getent passwd user returns his rfc2307 from the directory.
> Any takers?

This is what my test setup is running now, however, it's using the
Sernet packages, not source.

[steve]

On Fri, 2013-08-30 at 20:45 +0200, Luca Olivetti wrote:
>
> Casi, casi...

Bueno. Algo es algo, pero todavía nos falta los atributos procedentes de
AD.
Saludos,
Steve

[steve]

Yep. Let me know if I can help.
Cheers,
Steve

[Luca Olivetti]

Al 30/08/13 21:49, En/na steve ha escrit:

> On Fri, 2013-08-30 at 20:45 +0200, Luca Olivetti wrote:
>>
>> Casi, casi...
>
> Bueno. Algo es algo, pero todavía nos falta los atributos procedentes de
> AD.
> Saludos,

Ya, el SIGSEV parece que sea debido a un problema con cyrus-sasl-2.1.25

(for the non Spanish speaking audience: it seems that cyrus-sasl-2.1.25
has a problem in gssapi.c causing a segfault)

http://www.spinics.net/lists/cyrus-sasl/msg02004.html

I'll try to build a version with the fix

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[steve]

On Fri, 2013-08-30 at 21:53 +0200, Luca Olivetti wrote:

>
> http://www.spinics.net/lists/cyrus-sasl/msg02004.html
>
> I'll try to build a version with the fix
>

Suerte. Good luck.
ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.26.tar.gz

[Rowland Penny]

On 30/08/13 21:10, Luca Olivetti wrote:
> Al 30/08/13 21:53, En/na Luca Olivetti ha escrit:

>> Al 30/08/13 21:49, En/na steve ha escrit:
>>> On Fri, 2013-08-30 at 20:45 +0200, Luca Olivetti wrote:
>>>> Casi, casi...
>>> Bueno. Algo es algo, pero todavía nos falta los atributos procedentes de
>>> AD.
>>> Saludos,
>> Ya, el SIGSEV parece que sea debido a un problema con cyrus-sasl-2.1.25
>>
>> (for the non Spanish speaking audience: it seems that cyrus-sasl-2.1.25
>> has a problem in gssapi.c causing a segfault)
>>
>> http://www.spinics.net/lists/cyrus-sasl/msg02004.html
>>
>> I'll try to build a version with the fix

> Did it an it worked.
>
> Lessons learned:
>
> - make sure that the hostname is the same as the netbios name (or is
> there a parameter to make it work when they are different?)
>
> - don't listen to people suggesting to switch distributions (I know how
> to debug/build things with mageia, I wouldn't know where to start with
> another one)
The reason why I suggested that you try another distro is that, as far
as I can see, nobody else uses Mageia on this list, at least nobody came
forward offering help. If you had tried another distro like Ubuntu then
other Ubuntu users could have helped from their experience.

I take it that everything is now working ok and you can see all your
users, if so, I suggest you write up how you did it and get it published
somewhere.

Rowland

>
> - try to learn how kerberos is supposed to work before trying to use it
>
>
> Bye and thank you for your patience

[Luca Olivetti]

Al 30/08/13 21:53, En/na Luca Olivetti ha escrit:

> Al 30/08/13 21:49, En/na steve ha escrit:
>> On Fri, 2013-08-30 at 20:45 +0200, Luca Olivetti wrote:
>>>
>>> Casi, casi...
>>
>> Bueno. Algo es algo, pero todavía nos falta los atributos procedentes de
>> AD.
>> Saludos,
>
> Ya, el SIGSEV parece que sea debido a un problema con cyrus-sasl-2.1.25
>
> (for the non Spanish speaking audience: it seems that cyrus-sasl-2.1.25
> has a problem in gssapi.c causing a segfault)
>
> http://www.spinics.net/lists/cyrus-sasl/msg02004.html
>
> I'll try to build a version with the fix

Did it an it worked.

Lessons learned:

- make sure that the hostname is the same as the netbios name (or is
there a parameter to make it work when they are different?)

- don't listen to people suggesting to switch distributions (I know how
to debug/build things with mageia, I wouldn't know where to start with
another one)

- try to learn how kerberos is supposed to work before trying to use it

Bye and thank you for your patience

[Luca Olivetti]

Al 30/08/13 22:18, En/na Rowland Penny ha escrit:

> The reason why I suggested that you try another distro is that, as far
> as I can see, nobody else uses Mageia on this list, at least nobody came
> forward offering help. If you had tried another distro like Ubuntu then
> other Ubuntu users could have helped from their experience.

I understand that and I appreciate the time you took to help me, but I
still prefer to stumble and learn by myself instead of just copypasting
a recipe that's known working on distribution X. Because when
distribution X+1 comes along and things break I would be none the wiser.

>
> I take it that everything is now working ok and you can see all your
> users, if so, I suggest you write up how you did it and get it published
> somewhere.

Actually both the configuration proposed by steve and yours were OK. The
only problem was the hostname mismatch (causing the "server not found in
kerberos database" error) and then a faulty cyrus-sasl library.
I already filed a bug against the cyrus-sasl library in mageia.

Thank you again.

Bye

--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[Rowland Penny]

On 30/08/13 21:28, Luca Olivetti wrote:
> Al 30/08/13 22:18, En/na Rowland Penny ha escrit:
>
>> The reason why I suggested that you try another distro is that, as far
>> as I can see, nobody else uses Mageia on this list, at least nobody came
>> forward offering help. If you had tried another distro like Ubuntu then
>> other Ubuntu users could have helped from their experience.
> I understand that and I appreciate the time you took to help me, but I
> still prefer to stumble and learn by myself instead of just copypasting
> a recipe that's known working on distribution X. Because when
> distribution X+1 comes along and things break I would be none the wiser.

Ah, but if you had tried it on another distro and it worked, you would
then know that it was not what you were doing that was at fault and that
something was wrong on Mageia, but as you say, you got there in the end.
I am also sure that you are feeling a lot better now that you have fixed
the problem.

>> I take it that everything is now working ok and you can see all your
>> users, if so, I suggest you write up how you did it and get it published
>> somewhere.
> Actually both the configuration proposed by steve and yours were OK. The
> only problem was the hostname mismatch (causing the "server not found in
> kerberos database" error) and then a faulty cyrus-sasl library.
> I already filed a bug against the cyrus-sasl library in mageia.

Typical Unix, there is always several ways to do the same thing ;-)

Rowland

>
> Thank you again.
>
> Bye

--

[steve]

On Fri, 2013-08-30 at 22:28 +0200, Luca Olivetti wrote:
> Al 30/08/13 22:18, En/na Rowland Penny ha escrit:

> >

> > I take it that everything is now working ok and you can see all your
> > users, if so, I suggest you write up how you did it and get it published
> > somewhere.
>

Hi
That's a good idea. Often, when we've been in production for while
without errors, we lose sight of what it was like at the beginning. If
there's anything here or in my sssd howto you would change it would be
great if you could let us have it as a real user who isn't averse to
getting his hands dirty. It's always best when it's still fresh in your
mind.

Actually both the configuration proposed by steve and yours were OK.
The
> only problem was the hostname mismatch (causing the "server not found in
> kerberos database" error) and then a faulty cyrus-sasl library.
> I already filed a bug against the cyrus-sasl library in mageia.
>
> Thank you again.

Interesting point; you've now sampled winbind, nslcd and sssd to the
same end. Have you made a decision as to which you'll be going with?

Que pases un buen finde.
Steve

[Marc Muehlfeld]

Am 30.08.2013 23:44, schrieb steve:
> That's a good idea. Often, when we've been in production for while
> without errors, we lose sight of what it was like at the beginning. If
> there's anything here or in my sssd howto you would change it would be
> great if you could let us have it as a real user who isn't averse to
> getting his hands dirty. It's always best when it's still fresh in your
> mind.

Today I continued working a bit on the sssd HowTo. I saw, that you three
had a long discussion, while I was out. I'll try to catch the important
stuff and include it in the HowTo. I think I have finalized and
re-validated everything until the beginning of next week.


Regards,
Marc

[Luca Olivetti]

Al 30/08/13 23:44, En/na steve ha escrit:

> Interesting point; you've now sampled winbind, nslcd and sssd to the
> same end. Have you made a decision as to which you'll be going with?

Well, the real deployment will take some time (measured in months rather
than weeks), I have a lot more to learn and I'm busy with other things.
I'm not still 100% convinced that I need to migrate from samba 3 to
samba 4, and once I am I have to explain it to my boss.
Anyway I think I'll go with sssd, my unscientific tests (time getent,
time id) tell me it's an order of magnitude faster than nslcd (both for
uncached and cached data).
winbind....I don't like it, for no particular reason. It also seems to
be the slowest of the pack.

>
> Que pases un buen finde.

Igualmente

Saludos

--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[Rowland Penny]

On 30/08/13 23:14, Luca Olivetti wrote:
> Al 30/08/13 23:44, En/na steve ha escrit:
>
>> Interesting point; you've now sampled winbind, nslcd and sssd to the
>> same end. Have you made a decision as to which you'll be going with?
> Well, the real deployment will take some time (measured in months rather
> than weeks), I have a lot more to learn and I'm busy with other things.
> I'm not still 100% convinced that I need to migrate from samba 3 to
> samba 4, and once I am I have to explain it to my boss.
> Anyway I think I'll go with sssd, my unscientific tests (time getent,
> time id) tell me it's an order of magnitude faster than nslcd (both for
> uncached and cached data).
> winbind....I don't like it, for no particular reason. It also seems to
> be the slowest of the pack.

Hi, perhaps I can tell you something that will help you make your mind up.

Sometime in September, Samba 4.1 will be released, when it is, 4.0 will
move to maintenance mode, 3.6 will only get security fixes and 3.5 will
be discontinued.
So, do you really want to be basing a new installation on a version that
is either discontinued or only getting security fixes?

Rowland

[Marc Muehlfeld]

Am 31.08.2013 00:14, schrieb Luca Olivetti:
> I'm not still 100% convinced that I need to migrate from samba 3 to
> samba 4, and once I am I have to explain it to my boss.

Samba 4 != AD only

Samba 4 is the the next version after the 3.6 tree and contains
everything + AD DC functionality.

You can run Samba version 4 still as an NT4 domain if you or your boss
doesn't want to migrate to AD.

Regards,
Marc

[steve]

On Sat, 2013-08-31 at 00:14 +0200, Luca Olivetti wrote:
> Al 30/08/13 23:44, En/na steve ha escrit:
>
> > Interesting point; you've now sampled winbind, nslcd and sssd to the
> > same end. Have you made a decision as to which you'll be going with?
>
> Well, the real deployment will take some time (measured in months rather
> than weeks), I have a lot more to learn and I'm busy with other things.
> I'm not still 100% convinced that I need to migrate from samba 3 to
> samba 4, and once I am I have to explain it to my boss.
> Anyway I think I'll go with sssd, my unscientific tests (time getent,
> time id) tell me it's an order of magnitude faster than nslcd (both for
> uncached and cached data).
> winbind....I don't like it, for no particular reason. It also seems to
> be the slowest of the pack.

One site we run has 600 users all with rfc2307. The only way we can
getent the whole list is with sssd. I know it's a false test as I don't
suppose you'd ever need to do it, but with enumeration, winbind grinds
to around one user per minute after it's done around 200. Of course,
those blessed with modern hardware need only toss a 3 way coin.

Cheers,
Steve

[steve]

On Sat, 2013-08-31 at 11:47 +0200, Marc Muehlfeld wrote:
>
> Am 31.08.2013 00:14, schrieb Luca Olivetti:
> > I'm not still 100% convinced that I need to migrate from samba 3 to
> > samba 4, and once I am I have to explain it to my boss.
>
>
> Samba 4 != AD only

Hi
I think the OP realises that. His main concern and problem was the usual
confusion with winbind and the mystery surrounding rfc2307 and it's
representation in and out of of AD.

In this thread, we've thrashed the merits of winbind, nslcd and sssd to
hell and soon thanks to your good self, we'll have readable howtos on
all three. Let's see if that serves to relieve the never ending series
of posts highlighting the lack of reliable, up to date and dare I say it
plain English and readable explanations of at least how to get started.

I feel we've made progress. Next time a winbind problem gets posted,
we'll be able to refer to 3 democratically produced howtos. Thanks to
Marc for listening to us and inviting us in on hos howtos, Luca his
patience in hearing us out 'till EOT and to Rowland for keeping me sane.
OpenSource at it's best.
Cheers,
Steve

[Luca Olivetti]

Al 31/08/13 15:23, En/na steve ha escrit:

> I feel we've made progress. Next time a winbind problem gets posted,
> we'll be able to refer to 3 democratically produced howtos. Thanks to
> Marc for listening to us and inviting us in on hos howtos, Luca his
> patience in hearing us out 'till EOT and to Rowland for keeping me sane.
> OpenSource at it's best.

An update on sssd+gssapi: I setup a client VM where I copied the keytab
and the sssd.conf of the server.
I got the same 'Server not found in Kerberos database' error.
I tried many things (adding the client address in samba 4 dns, install
samba 3 on the client and trying to join the domain, which, btw, I
didn't manage to do, trying to follow the instructions here
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server,
again, unsuccessfully, etc.).
What seems to have solved the problem has been setting the hostname to a
simple name without domain, e.g. changing it from "cliente.wetron.es" to
"cliente".
I really have to study this kerberos thingie ;-)

Bye

--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[Luca Olivetti]

Al 31/08/13 15:23, En/na steve ha escrit:

> On Sat, 2013-08-31 at 11:47 +0200, Marc Muehlfeld wrote:
>>
>> Am 31.08.2013 00:14, schrieb Luca Olivetti:
>>> I'm not still 100% convinced that I need to migrate from samba 3 to
>>> samba 4, and once I am I have to explain it to my boss.
>>
>>
>> Samba 4 != AD only
>
> Hi
> I think the OP realises that. His main concern and problem was the usual
> confusion with winbind and the mystery surrounding rfc2307 and it's
> representation in and out of of AD.

Actually, my main concern is ensuring a smooth migration with limited
downtime. I think I have the windows machine covered (that's what the
classicupgrade does), but I have several other services authenticating
against ldap and getting users and groups information from it.
They all should work equally well against an AD style LDAP and
"standard" LDAP, but, as always, the devil is in the details.
Yes, I could probably run it as an NT style domain, and I don't exclude
the possibility, but while I'm at it I'd really like to simplify things
instead of having to manage separate samba+ldap+dns servers.

Bye

--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[steve]

On Sat, 2013-08-31 at 17:25 +0200, Luca Olivetti wrote:
> Al 31/08/13 15:23, En/na steve ha escrit:
>
> > I feel we've made progress. Next time a winbind problem gets posted,
> > we'll be able to refer to 3 democratically produced howtos. Thanks to
> > Marc for listening to us and inviting us in on hos howtos, Luca his
> > patience in hearing us out 'till EOT and to Rowland for keeping me sane.
> > OpenSource at it's best.
>
> An update on sssd+gssapi: I setup a client VM where I copied the keytab
> and the sssd.conf of the server.
> I got the same 'Server not found in Kerberos database' error.
> I tried many things (adding the client address in samba 4 dns, install
> samba 3 on the client and trying to join the domain, which, btw, I
> didn't manage to do, trying to follow the instructions here
> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server,
> again, unsuccessfully, etc.).
> What seems to have solved the problem has been setting the hostname to a
> simple name without domain, e.g. changing it from "cliente.wetron.es" to
> "cliente".
> I really have to study this kerberos thingie ;-)

Hi
It doesn't work here either. The only way we can get it to authenicate
or join the domain is to add:
I.P.ADD.RRESS f.q.d.n short-hostname
of the DC to /etc/hosts

Steve

[steve]

Oh, and:
127.0.0.1 localhost f.q.d.n
127.0.0.1 short-hostname

[Luca Olivetti]

Al 31/08/13 18:00, En/na steve ha escrit:

>> Hi
>> It doesn't work here either. The only way we can get it to authenicate
>> or join the domain is to add:
>> I.P.ADD.RRESS f.q.d.n short-hostname
>> of the DC to /etc/hosts
>>
>> Steve
>>
>>
>>
>>
> Oh, and:
> 127.0.0.1 localhost f.q.d.n
> 127.0.0.1 short-hostname

That last bit did it (the I.P.ADD.RRESS f.q.d.n short-hostname was
already there, one of those previous failed attempts):

[root@cliente luca]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- WETRON
Joined 'CLIENTE' to dns domain 'wetron.es'
No DNS domain configured for cliente. Unable to perform DNS Update.
DNS update failed!

Why is it necessary?

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

[steve]

On Sat, 2013-08-31 at 20:17 +0200, Luca Olivetti wrote:
> Al 31/08/13 18:00, En/na steve ha escrit:
>
> >> Hi
> >> It doesn't work here either. The only way we can get it to authenicate
> >> or join the domain is to add:
> >> I.P.ADD.RRESS f.q.d.n short-hostname
> >> of the DC to /etc/hosts
> >>
> >> Steve
> >>
> >>
> >>
> >>
> > Oh, and:
> > 127.0.0.1 localhost f.q.d.n
> > 127.0.0.1 short-hostname
>
> That last bit did it (the I.P.ADD.RRESS f.q.d.n short-hostname was
> already there, one of those previous failed attempts):
>
> [root@cliente luca]# net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- WETRON
> Joined 'CLIENTE' to dns domain 'wetron.es'
> No DNS domain configured for cliente. Unable to perform DNS Update.
> DNS update failed!
>
> Why is it necessary?

I think you may have had /etc/hostname with the fqdn, whereas it
_should_ only have the hostname.

IOW:
You have to have
hostname -s
return _just_ the hostname _without_ the domain.
And:
hostname -f
return the fqdn

I understand that you now have the domain join and sssd auth from the
keytab without either the DNS update nor the something not found errors?

Dare I mention that it is really nice with sssd v1.10 and above as it
gives us dynamic dns updates on the fly for Linux clients, just like
windows. Pero no digas nada a nadie lol.

Salu2,
Steve