Rowland Penny | 29 Aug 21:54 2013

Re: objectClass:posixAccount missing

On 29/08/13 20:41, Luca Olivetti wrote:
> On 29/08/13 21:20, Rowland Penny wrote:
>> On 29/08/13 20:17, Luca Olivetti wrote:
>>> On 29/08/13 21:15, Luca Olivetti wrote:
>>>> On 29/08/13 21:02, Rowland Penny wrote:
>>>>
>>>>> Hi, that should be 'samba-tool domain exportkeytab /etc/krb5.keytab -U
>>>>> Administrator'
>>>> Thank you, that worked *but* we're back to square one: migrated users
>>>> (with the posixAccount class) show up but new users don't.
>>> Oops, sorry, actually it didn't work, I forgot that in the meantime I
>>> changed nsswitch.conf to use ldap instead of nss :-(
>>>
>>> Bye
>> Sorry but I am losing the plot here a bit, I thought because you wanted
>> the keytab, you were now trying to get sssd to work.
> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
> to ldap, so I thought your suggestion was working while it actually
> wasn't (same error with Administrator as with HP$).
>
> Bye
Hi, I am replying to you on list, could you please post your sssd.conf 
and what version of sssd you are using, also what is your OS

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Luca Olivetti | 30 Aug 00:34 2013

Re: objectClass:posixAccount missing

On 29/08/13 21:54, Rowland Penny wrote:

>> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
>> to ldap, so I thought your suggestion was working while it actually
>> wasn't (same error with Administrator as with HP$).
>>
>> Bye
> Hi, I am replying to you on list, could you please post your sssd.conf
> and what version of sssd you are using, also what is your OS

OK, now I got sssd working *but* without kerberos.
The OS is Linux, mageia 3, sssd is 1.9.4, the sssd.conf is just like the
one posted by steve
(http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html)
modified for my domain and with kerberos options commented out of the way:

[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[domain/default]
ldap_schema = rfc2307bis
access_provider = simple
enumerate = FALSE
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

steve | 30 Aug 10:11 2013

Re: objectClass:posixAccount missing

On Fri, 2013-08-30 at 00:34 +0200, Luca Olivetti wrote:
> On 29/08/13 21:54, Rowland Penny wrote:
> 
> >> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
> >> to ldap, so I thought your suggestion was working while it actually
> >> wasn't (same error with Administrator as with HP$).
> >>
> >> Bye
> > Hi, I am replying to you on list, could you please post your sssd.conf
> > and what version of sssd you are using, also what is your OS
> 
> OK, now I got sssd working *but* without kerberos.

Hi
I'm not sure what you want. Is this now EOT or do you want to go on and
debug to get gssapi?

If you wish to go on:
samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=nslcd-connect
(You may already have this from your nslcd config)
Kill all nslcd processes.

ldap_sasl_mech = gssapi
ldap_sasl_authid = nslcd-connect
ldap_krb5_keytab = /etc/krb5.sssd.keytab

To get full benefit from sssd I'd recommend the latest version which has
a proper AD backend. e.g. sssd version 1.11.1 gives you id and getent
without requiring the posixAccount objectClass.

Luca Olivetti | 30 Aug 16:34 2013

Re: objectClass:posixAccount missing

On 30/08/13 10:11, steve wrote:
> On Fri, 2013-08-30 at 00:34 +0200, Luca Olivetti wrote:
>> On 29/08/13 21:54, Rowland Penny wrote:
>>
>>>> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
>>>> to ldap, so I thought your suggestion was working while it actually
>>>> wasn't (same error with Administrator as with HP$).
>>>>
>>>> Bye
>>> Hi, I am replying to you on list, could you please post your sssd.conf
>>> and what version of sssd you are using, also what is your OS
>>
>> OK, now I got sssd working *but* without kerberos.
> 
> Hi
> I'm not sure what you want. Is this now EOT or do you want to go on and
> debug to get gssapi?

Well, I'd like to get gssapi working

> 
> If you wish to go on:
> samba-tool domain exportkeytab /etc/krb5.sssd.keytab
> --principal=nslcd-connect
> (You may already have this from your nslcd config)

done

> Kill all nslcd processes.


Rowland Penny | 30 Aug 11:41 2013

Re: objectClass:posixAccount missing

On 29/08/13 23:34, Luca Olivetti wrote:
> On 29/08/13 21:54, Rowland Penny wrote:
>
>>> Yes, I was trying sssd, but I forgot that I switched back nsswitch.conf
>>> to ldap, so I thought your suggestion was working while it actually
>>> wasn't (same error with Administrator as with HP$).
>>>
>>> Bye
>> Hi, I am replying to you on list, could you please post your sssd.conf
>> and what version of sssd you are using, also what is your OS
> OK, now I got sssd working *but* without kerberos.
> The OS is Linux, mageia 3, sssd is 1.9.4, the sssd.conf is just like the
> one posted by steve
> (http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html)
> modified for my domain and with kerberos options commented out of the way:
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = default
> [nss]
> [pam]
> [domain/default]
> ldap_schema = rfc2307bis
> access_provider = simple
> enumerate = FALSE
> cache_credentials = true
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap

Luca Olivetti | 30 Aug 16:48 2013

Re: objectClass:posixAccount missing

On 30/08/13 11:41, Rowland Penny wrote:

> OK, try this sssd.conf that I have altered for your setup, it is based
> on the sssd.conf on the machine that I am typing this on and it works,
> you just need the krb5.keytab that I told you how to create earlier.

That was

/usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator

yes?

[[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No principal matching template.wetron.es@WETRON.ES found in keytab.
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No principal matching TEMPLATE$@WETRON.ES found in keytab.
[[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No principal matching host/template.wetron.es@WETRON.ES found in keytab.
[[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200): Selected principal: dept-66f575a885$@WETRON.ES
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [dept-66f575a885$@WETRON.ES]
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
[[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
[[sssd[ldap_child[8011]]]] [prepare_response] (0x0400): Building

Rowland Penny | 30 Aug 17:05 2013

Re: objectClass:posixAccount missing

On 30/08/13 15:48, Luca Olivetti wrote:
> On 30/08/13 11:41, Rowland Penny wrote:
>
>> OK, try this sssd.conf that I have altered for your setup, it is based
>> on the sssd.conf on the machine that I am typing this on and it works,
>> you just need the krb5.keytab that I told you how to create earlier.
> That was
>
> /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
> Administrator
>
> yes?
Correct, though I do not understand why you are using the full path to 
samba-tool

> [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
> [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No principal matching template.wetron.es@WETRON.ES found in keytab.
> [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No principal matching TEMPLATE$@WETRON.ES found in keytab.
> [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No principal matching host/template.wetron.es@WETRON.ES found in keytab.
> [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200): Selected principal: dept-66f575a885$@WETRON.ES
> [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [dept-66f575a885$@WETRON.ES]
> [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
> [[sssd[ldap_child[8011]]]] [ldap_child_get_tgt_sync] (0x0100): Will

steve | 30 Aug 18:15 2013

Re: objectClass:posixAccount missing

On Fri, 2013-08-30 at 16:05 +0100, Rowland Penny wrote:
> On 30/08/13 15:48, Luca Olivetti wrote:
> > On 30/08/13 11:41, Rowland Penny wrote:
> >
> >> OK, try this sssd.conf that I have altered for your setup, it is based
> >> on the sssd.conf on the machine that I am typing this on and it works,
> >> you just need the krb5.keytab that I told you how to create earlier.
> > That was
> >
> > /usr/local/samba/bin/samba-tool domain exportkeytab /etc/krb5.keytab -U
> > Administrator
> >
> 

Hi
This command dumps the _whole_ of the database to the keytab, so you
must choose which key you are going to use for:
ldap_sasl_authid

If you really do need all the keys there then could you send us a
sanitised dump of the keytab so we can decide a good key to use? And more
importantly one which is definitely present?

klist -k /etc/krb5.keytab

It is generally recommended to only dump the keys you need. 

> > [[sssd[ldap_child[8011]]]] [select_principal_from_keytab] (0x0200):
> > trying to select the most appropriate principal from keytab
> > [[sssd[ldap_child[8011]]]] [find_principal_in_keytab] (0x0400): No
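The keytab problem steve describes above, worked through as an added example (this code is not from the thread, nor from sssd or Samba): a small Python parser for the MIT keytab file format that lists the same principals `klist -k /etc/krb5.keytab` would, a function that approximates the candidate order sssd's `ldap_child` logged earlier in the thread (the configured `ldap_sasl_authid` first, then `hostname@REALM`, `HOSTNAME$@REALM` and `host/hostname@REALM`, then any principal in the realm), and a least-privilege check that reports which keys in the keytab the LDAP bind does not need. The keytab bytes are constructed inside the script with placeholder key material; the realm and principal names are the ones that appear in the posted log, and the search order is an approximation read off that log, not a copy of sssd's source.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format version 0x0502


def _counted(s: bytes) -> bytes:
    """Encode a keytab 'counted octet string': 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(s)) + s


def build_entry(components, realm, enctype=18, key=b"\x11" * 32, kvno=1, kvno32=None):
    """Serialise one keytab entry (name_type 1 = KRB5_NT_PRINCIPAL, timestamp 0).
    The key bytes are constructed placeholders, not real Kerberos keys."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, 0, kvno)               # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key   # keyblock: enctype, length, key
    if kvno32 is not None:                                # optional 32-bit kvno (kvno > 255)
        body += struct.pack(">I", kvno32)
    return struct.pack(">i", len(body)) + body            # positive size = live entry


def _read_counted(buf, off):
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry of a v0x0502 keytab,
    skipping deleted slots (negative size): the same data `klist -k` prints."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                        # deleted entry: skip its bytes
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        (ncomp,) = struct.unpack(">H", entry[:2])
        realm, off = _read_counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(entry, off)
            comps.append(c)
        _name_type, _ts, vno = struct.unpack(">IIB", entry[off:off + 9])
        off += 9
        enctype, klen = struct.unpack(">HH", entry[off:off + 4])
        off += 4 + klen                     # skip the key material itself
        if off + 4 <= size:                 # 32-bit kvno present after the key
            (vno,) = struct.unpack(">I", entry[off:off + 4])
        entries.append(("/".join(comps) + "@" + realm, vno, enctype))
    return entries


def select_principal(principals, hostname, realm, authid=None):
    """Approximate the search order sssd's ldap_child logged in the thread:
    ldap_sasl_authid if set, then hostname@REALM, HOSTNAME$@REALM and
    host/hostname@REALM, then any principal in the realm, else the first entry."""
    short = hostname.split(".")[0].upper()
    candidates = []
    if authid:
        candidates.append(authid if "@" in authid else f"{authid}@{realm}")
    candidates += [f"{hostname}@{realm}", f"{short}$@{realm}", f"host/{hostname}@{realm}"]
    for cand in candidates:
        if cand in principals:
            return cand, "matched template"
    for p in principals:
        if p.endswith("@" + realm):
            return p, "fallback: first principal in realm"
    return (principals[0], "fallback: first entry") if principals else (None, "empty keytab")


def extra_principals(principals, needed):
    """Keys in the keytab that the LDAP bind does not need. Each one is an account
    secret that anyone able to read the keytab file now holds."""
    return [p for p in principals if p != needed]


# Constructed sample: what an unnarrowed `exportkeytab` leaves on the client,
# using names from the posted log and placeholder keys.
REALM = "WETRON.ES"
SAMPLE_KEYTAB = KEYTAB_MAGIC + b"".join([
    build_entry(["dept-66f575a885$"], REALM, kvno=2),
    struct.pack(">i", -7) + b"\x00" * 7,    # a deleted slot, as ktutil leaves behind
    build_entry(["Administrator"], REALM, kvno=3),
    build_entry(["nslcd-connect"], REALM, kvno=1),
])

if __name__ == "__main__":
    names = [p for p, _, _ in parse_keytab(SAMPLE_KEYTAB)]
    print(select_principal(names, "template.wetron.es", REALM))
    print(select_principal(names, "template.wetron.es", REALM, authid="nslcd-connect"))
    print(extra_principals(names, "nslcd-connect@" + REALM))
```

Run as-is: without `ldap_sasl_authid` the selection falls through to the first principal in the realm, the machine account the log shows being picked; with `ldap_sasl_authid = nslcd-connect` it matches directly, and `extra_principals` lists the Administrator and machine-account keys that a full export copied to the client and that a `--principal=` export would have left out.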

Luca Olivetti | 30 Aug 18:26 2013

Re: objectClass:posixAccount missing

On 30/08/13 17:05, Rowland Penny wrote:

> Correct, though I do not understand why you are using the full path to
> samba-tool

Because it's not in PATH

> Where did you get samba4 from, did you compile it yourself?

Yes

> what
> version?

4.0.8 (4.0.9 wasn't yet available when I started the experiment)

> what OS are you using, if you did compile it yourself, what
> packages did you install before compiling.

I'm using linux, mageia 3, I installed every -devel package providing
the .h files I saw in ./configure output (minus libldb since the
packaged one is not compatible with samba 4 and would produce a non
working samba)

> You could try stopping sssd and then remove the sssd databases: rm -f
> /var/lib/sss/db/* (this is on Ubuntu)

Already done

> 

Rowland Penny | 30 Aug 19:00 2013

Re: objectClass:posixAccount missing

On 30/08/13 17:26, Luca Olivetti wrote:
> On 30/08/13 17:05, Rowland Penny wrote:
>
>> Correct, though I do not understand why you are using the full path to
>> samba-tool
> Because it's not in PATH
Then you need to alter your PATH environmental variable, I do this on 
Ubuntu:

echo "PATH=/usr/local/samba/bin:/usr/local/samba/sbin:\$PATH" > /etc/profile.d/samba4.sh
export PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH

>
>> Where did you get samba4 from, did you compile it yourself?
> Yes
>
>> what
>> version?
> 4.0.8 (4.0.9 wasn't yet available when I started the experiment)
>
>> what OS are you using, if you did compile it yourself, what
>> packages did you install before compiling.
> I'm using linux, mageia 3, I installed every -devel package providing
> the .h files I saw in ./configure output (minus libldb since the
> packaged one is not compatible with samba 4 and would produce a non
> working samba)

Then the package names needed to compile samba are probably the same as 
RHEL:

Luca Olivetti | 30 Aug 19:30 2013

Re: objectClass:posixAccount missing

On 30/08/13 19:00, Rowland Penny wrote:

> 
> The above was taken from:
> https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Red_Hat_Enterprise_Linux_or_CentOS

Yes, I read the wiki before starting, I have all the dependencies installed

> 
> Check that you have all the above installed and if not, install what
> ever is missing and recompile samba 4
> Also, it may help if you try another OS, no disrespect, but Mageia is
> not really what I would call a server distro and is probably not used by
> many people to run samba 4 on, so you will struggle to get precise help
> here (ducks as thousands of people reply saying I use Mageia ;-) )

Thank you, but I will do with generic help, I can perform the necessary
"translations". I tried other distributions and I found them lacking
(probably because I'm just used to mageia), usually the server packages
in mageia (and mandriva before it) have been top notch, samba 4 is not
packaged (yet) but it will be soon.

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007

steve | 30 Aug 19:52 2013

Re: objectClass:posixAccount missing

On Fri, 2013-08-30 at 19:30 +0200, Luca Olivetti wrote:
> On 30/08/13 19:00, Rowland Penny wrote:
> 
> > 
> > The above was taken from:
> > https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Red_Hat_Enterprise_Linux_or_CentOS
> 
> Yes, I read the wiki before starting, I have all the dependencies installed
> 
> > 
> > Check that you have all the above installed and if not, install what
> > ever is missing and recompile samba 4
> > Also, it may help if you try another OS, no disrespect, but Mageia is
> > not really what I would call a server distro and is probably not used by
> > many people to run samba 4 on, so you will struggle to get precise help
> > here (ducks as thousands of people reply saying I use Mageia ;-) )
> 
> Thank you, but I will do with generic help, I can perform the necessary
> "translations". I tried other distributions and I found them lacking
> (probably because I'm just used to mageia), usually the server packages
> in mageia (and mandriva before it) have been top notch, samba 4 is not
> packaged (yet) but it will be soon.

Just thinking out loud but there have been problems with nslcd and I
think winbind too before this. I don't know if this would be possible and I
know that the devs would frown upon it, but maybe we've reached the time
for a rebuild over bare metal. Rowland's suggestion of a recompile gets a
+1 from me.
Cheers,
Steve