On Tue, Nov 06, 2012 at 02:16:26PM +0000, Longina Przybyszewska wrote:
> Hi again,
> Thanks a lot for guiding me so far :)
> I have got the sssd-1.9.2 package from Timo, Ubuntu sssd package maintainer for Ubuntu
> Quantal.
> SSSD is configured against AD as auth/id provider.
>
> sssd.conf:
>
> [sssd]
> debug_level = 0x1310
> config_file_version = 2
> services = nss, pam
> domains = nat.c.sdu.dk
> [nss]
> filter_groups = root
> filter_users = root
> [pam]
> [domain/nat.c.sdu.dk]
> debug_level = 0x1310
> enumerate = False
> min_id = 1000
> max_id = 20000
> auth_provider = ad
> id_provider = ad
> access_provider = ad
> chpass_provider = ad
> ad_server = nat.c.sdu.dk
> ad_hostname = testina4$.nat.c.sdu.dk
> ad_domain = nat.c.sdu.dk
>
> From log:
>
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x1000):
> Saving the first resolved server
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x0200):
> Found address for server nat.c.sdu.dk: [10.144.5.18] TTL 455
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [sasl_bind_send] (0x0100): Executing
> sasl bind mech: gssapi, user: testina4$
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [fo_set_port_status] (0x0100):
> Marking port 0 of server 'nat.c.sdu.dk' as 'not working
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [fo_resolve_service_send] (0x0100):
> Trying to resolve service 'AD'
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [get_server_status] (0x1000): Status
> of server 'nat.c.sdu.dk' is 'name resolved'
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [get_port_status] (0x1000): Port
> status of port 0 for server 'nat.c.sdu.dk' is 'not working'
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_done] (0x1000):
> Server resolution failed: 5
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [acctinfo_callback] (0x0100): Request
> processed. Returned 1,11,Offline
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [remove_krb5_info_files] (0x0200):
> Could not remove [/var/lib/sss/pubconf/kpasswdinfo.NAT.C.SDU.DK], [2][No such file or
> directory

Not all the information is in the log; raising the debug_level
might provide more info, but I think the problem is in the kinit.

Can you kinit as the principal specified in the ad_hostname and then
ldapsearch the directory?

Are you sure about the principal in ad_hostname? I think it is typically
HOST$@DOMAIN; your principal doesn't contain the at-sign.
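
An added example, not part of this thread and not SSSD code: a Python sketch that scans backend debug lines like the ones quoted above, pairs each SASL bind with the next 'not working' mark for the server, and records whether the backend then reported Offline. The sample input is constructed from the quoted log with the mail wrapping undone; the function names and the assumed line layout are hypothetical.

```python
import re

# Constructed sample: log lines quoted in the thread, mail wrapping undone.
SAMPLE_LOG = """\
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x0200): Found address for server nat.c.sdu.dk: [10.144.5.18] TTL 455
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: testina4$
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'nat.c.sdu.dk' as 'not working
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
"""

# Assumed layout, taken from the quoted lines:
# (time) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\)\s+\[sssd\[be\[(?P<domain>[^\]]+)\]\]\]\s+"
    r"\[(?P<func>\w+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$"
)
BIND_RE = re.compile(r"sasl bind mech: (?P<mech>[^,\s]+), user: (?P<user>\S+)")
DOWN_RE = re.compile(r"Marking port \d+ of server '(?P<server>[^']+)' as 'not working")

def parse(text):
    """Yield one dict per well-formed backend log line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_failed_binds(text):
    """Heuristic: pair each SASL bind with the next 'not working' mark."""
    findings, pending, last = [], None, None
    for ev in parse(text):
        if ev["func"] == "sasl_bind_send":
            m = BIND_RE.search(ev["msg"])
            pending = dict(m.groupdict(), domain=ev["domain"], ts=ev["ts"]) if m else None
            last = None  # a new bind attempt starts a new episode
        elif ev["func"] == "fo_set_port_status" and pending:
            m = DOWN_RE.search(ev["msg"])
            if m:
                last = dict(pending, server=m["server"], offline=False)
                findings.append(last)
                pending = None
        elif ev["func"] == "acctinfo_callback" and last:
            if ev["msg"].rstrip().endswith("Offline"):
                last["offline"] = True  # request was answered from offline state
    return findings

if __name__ == "__main__":
    for finding in find_failed_binds(SAMPLE_LOG):
        print(finding)
```

A finding only says that the server was marked down right after the bind attempt; the reason for the failure has to come from a higher debug_level or from running kinit by hand.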