12:04 p.m.
Hi!
I've set up samba4 as ad-dc -- worked right away.
Exported the keytab. "klist -ke" looks good:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
1 Administrator(a)ADA.DE (aes256-cts-hmac-sha1-96)
1 Administrator(a)ADA.DE (aes128-cts-hmac-sha1-96)
1 Administrator(a)ADA.DE (arcfour-hmac)
1 Administrator(a)ADA.DE (etype 3)
1 Administrator(a)ADA.DE (etype 1)
1 krbtgt(a)ADA.DE (aes256-cts-hmac-sha1-96)
1 krbtgt(a)ADA.DE (aes128-cts-hmac-sha1-96)
1 krbtgt(a)ADA.DE (arcfour-hmac)
1 krbtgt(a)ADA.DE (etype 3)
1 krbtgt(a)ADA.DE (etype 1)
1 AD01$(a)ADA.DE (aes256-cts-hmac-sha1-96)
1 AD01$(a)ADA.DE (aes128-cts-hmac-sha1-96)
1 AD01$(a)ADA.DE (arcfour-hmac)
1 AD01$(a)ADA.DE (etype 3)
1 AD01$(a)ADA.DE (etype 1)
checked kinit with the servers name:
# kinit -k AD01\$(a)ADA.DE
# klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
Standard-Principal: AD01$(a)ADA.DE
Valid starting Expires Service principal
25.10.2019 19:00:20 26.10.2019 05:00:20 krbtgt/ADA.DE(a)ADA.DE
erneuern bis 01.11.2019 18:00:20
looks good too.
Then configured sssd:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, pac
domains = ADA.DE
#debug_level = 0x0270
[domain/ADA.DE]
enumerate = true
cache_credentials = true
id_provider = ad
auth_provider = ad
sudo_provider = none
chpass_provider = ad
access_provider = ad
ad_server = ad01.ada.de, ad02.ada.de
ad_maximum_machine_account_password_age = 30
ldap_id_mapping = false
use_fully_qualified_names = false
fallback_homedir = /home/%d/%u
fallback_shell = /bin/bash
skel_dir = /etc/skel
ldap_schema = ad
dyndns_update = false
dyndns_refresh_interval = 43200
dyndns_update_ptr = false
dyndns_ttl = 3600
debug_level = 0x0270
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
#debug_level = 0x0270
[pam]
reconnection_retries = 3
#debug_level = 0x0270
[pac]
reconnection_retries = 3
#debug_level = 0x0270
Then tried:
# getent passwd Administrator(a)ADA.DE
#
and got nothing.
Any idea anyone?
--
Thomas
4:59 a.m.
On 10/25/19 7:04 PM, Thomas Schweikle wrote:
Hi!
I've set up samba4 as ad-dc -- worked right away.
Exported the keytab. "klist -ke" looks good:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
1 Administrator(a)ADA.DE <mailto:Administrator@ADA.DE>
(aes256-cts-hmac-sha1-96)
1 Administrator(a)ADA.DE <mailto:Administrator@ADA.DE>
(aes128-cts-hmac-sha1-96)
1 Administrator(a)ADA.DE <mailto:Administrator@ADA.DE> (arcfour-hmac)
1 Administrator(a)ADA.DE <mailto:Administrator@ADA.DE> (etype 3)
1 Administrator(a)ADA.DE <mailto:Administrator@ADA.DE> (etype 1)
1 krbtgt(a)ADA.DE <mailto:krbtgt@ADA.DE> (aes256-cts-hmac-sha1-96)
1 krbtgt(a)ADA.DE <mailto:krbtgt@ADA.DE> (aes128-cts-hmac-sha1-96)
1 krbtgt(a)ADA.DE <mailto:krbtgt@ADA.DE> (arcfour-hmac)
1 krbtgt(a)ADA.DE <mailto:krbtgt@ADA.DE> (etype 3)
1 krbtgt(a)ADA.DE <mailto:krbtgt@ADA.DE> (etype 1)
1 AD01$(a)ADA.DE <http://ADA.DE> (aes256-cts-hmac-sha1-96)
1 AD01$(a)ADA.DE <http://ADA.DE> (aes128-cts-hmac-sha1-96)
1 AD01$(a)ADA.DE <http://ADA.DE> (arcfour-hmac)
1 AD01$(a)ADA.DE <http://ADA.DE> (etype 3)
1 AD01$(a)ADA.DE <http://ADA.DE> (etype 1)
checked kinit with the servers name:
# kinit -k AD01\$(a)ADA.DE <http://ADA.DE>
# klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
Standard-Principal: AD01$(a)ADA.DE <http://ADA.DE>
Valid starting Expires Service principal
25.10.2019 19:00:20 26.10.2019 05:00:20 krbtgt/ADA.DE(a)ADA.DE
<mailto:ADA.DE@ADA.DE>
erneuern bis 01.11.2019 18:00:20
looks good too.
Then configured sssd:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, pac
domains = ADA.DE <http://ADA.DE>
#debug_level = 0x0270
[domain/ADA.DE <http://ADA.DE>]
enumerate = true
cache_credentials = true
id_provider = ad
auth_provider = ad
sudo_provider = none
chpass_provider = ad
access_provider = ad
ad_server = ad01.ada.de <http://ad01.ada.de>;, ad02.ada.de
<http://ad02.ada.de>
ad_maximum_machine_account_password_age = 30
ldap_id_mapping = false
use_fully_qualified_names = false
fallback_homedir = /home/%d/%u
fallback_shell = /bin/bash
skel_dir = /etc/skel
ldap_schema = ad
dyndns_update = false
dyndns_refresh_interval = 43200
dyndns_update_ptr = false
dyndns_ttl = 3600
debug_level = 0x0270
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
#debug_level = 0x0270
[pam]
reconnection_retries = 3
#debug_level = 0x0270
[pac]
reconnection_retries = 3
#debug_level = 0x0270
Then tried:
# getent passwd Administrator(a)ADA.DE <mailto:Administrator@ADA.DE>
#
and got nothing.
Any idea anyone?
--
Thomas
Hi Thomas,
please set debug_level = 0x3ff0 in all sections and send us logs in
/var/log/sssd.
1633
days inactive
1638
days old
sssd-users@lists.fedorahosted.org
1 comments
2 participants
participants (2)
-
Pavel Březina -
Thomas Schweikle