Samba4 beta6. CentOS 6.3.

I have a CentOS client, using sssd, bound to a samba4 domain. The sssd configuration uses GSSAPI to bind to the directory. In both scenarios below, kerberos is fine, DNS is fine, I can use ldapsearch and bind to the directory with GSSAPI just fine, etc.

If I have just one DC, everything works perfectly well for weeks on end.

If I have two or more DCs, everything works fine when the machine is first bound to the domain. Sssd caches the login info, but eventually this times out and another call to Samba has to be made to refresh the cache. The SASL bind to the directory fails with:

(Wed Aug 29 11:40:56 2012) [sssd[be[SAMBA4]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (49)[Invalid credentials]

Some time later, it starts working again, presumably because the first DC popped up in the name resolution order once again. The client configuration is unchanged from the first (working) scenario. As I said, everything works perfectly with one DC, and fails consistently with two or more. I have verified that the machine's unicodePwd is the same in each database.

This is a serious showstopper. Any clues?

Steve
On Wed, 29 Aug 2012, Steve Thompson wrote:

> (Wed Aug 29 11:40:56 2012) [sssd[be[SAMBA4]]] [sasl_bind_send] (0x0020):
> ldap_sasl_bind failed (49)[Invalid credentials]

More information. If I have two DCs, dc1 and dc2, and I point ldap_uri and krb5_server in sssd.conf directly at dc1, it always works. If I point either of those parameters at dc2, it always fails. Replication looks clean, and the machine's unicodePwd is the same on both DCs. I have verified this with several different clients and DC setups, using beta3, beta4 and beta6. I'm not using any custom schema.

So now where do I go?

Steve
On Wed, 29 Aug 2012, Steve Thompson wrote:

> Samba4 beta6. CentOS 6.3.
>
> I have a CentOS client, using sssd, bound to a samba4 domain. The sssd
> configuration uses GSSAPI to bind to the directory. In both scenarios below,
> kerberos is fine, DNS is fine, I can use ldapsearch and bind to the directory
> with GSSAPI just fine, etc.
>
> If I have just one DC, everything works perfectly well for weeks on end.
>
> If I have two or more DCs, everything works fine when the machine is first
> bound to the domain. Sssd caches the login info, but eventually this times
> out and another call to Samba has to be made to refresh the cache. The SASL
> bind to the directory fails with:
>
> (Wed Aug 29 11:40:56 2012) [sssd[be[SAMBA4]]] [sasl_bind_send] (0x0020):
> ldap_sasl_bind failed (49)[Invalid credentials]
>
> Some time later, it starts working again, presumably because the first DC
> popped up in the name resolution order once again. The client configuration
> is unchanged from the first (working) scenario.

After much weeping and gnashing of teeth, it appears that this one is down to sssd. I had specified ldap_uri in sssd.conf as pointing to the round-robin DNS entry:

ldap_uri = ldap://realm.foo.bar.baz

where realm.foo.bar.baz is created in DNS by samba4, and points to six IP addresses (two DCs with three interfaces each). It turns out that this is not supported by sssd (really, wtf?). By changing it to point to the IP addresses:

ldap_uri = ldap://<ip-of-dc1>,ldap://<ip-of-dc2>

with two corresponding kdc entries in krb5.conf, it now appears to work (including if I shut down dc1).

Steve
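The failing and working settings from the thread, laid side by side as configuration fragments. This is an added example, not the poster's actual sssd.conf or krb5.conf: the domain name realm.foo.bar.baz, the ldap_uri and krb5_server lines and the "two kdc entries" come from the messages above, while the realm name FOO.BAR.BAZ, the search base, the client's host principal, the remaining sssd options and the address placeholders are assumptions made here to give a complete file.

```ini
# /etc/sssd/sssd.conf (added example; only ldap_uri and krb5_server are taken
# from the thread, everything else in this file is assumed)
[sssd]
services = nss, pam
config_file_version = 2
domains = SAMBA4

[domain/SAMBA4]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = GSSAPI
# assumed: the client's own host principal, used for the GSSAPI bind
ldap_sasl_authid = host/client.foo.bar.baz@FOO.BAR.BAZ
# assumed realm name and search base for realm.foo.bar.baz
krb5_realm = FOO.BAR.BAZ
ldap_search_base = dc=foo,dc=bar,dc=baz
cache_credentials = true

# Failing form from the thread: the round-robin name that samba4 registers
# in DNS. It expands to six addresses (two DCs with three interfaces each),
# and the SASL bind failed with
#   ldap_sasl_bind failed (49)[Invalid credentials]
# whenever a DC other than dc1 was selected. Kept here commented out.
#ldap_uri = ldap://realm.foo.bar.baz
#krb5_server = realm.foo.bar.baz

# Working form from the thread: name each DC explicitly. sssd takes a
# comma-separated list and fails over down the list, which is what kept the
# client working when dc1 was shut down. <ip-of-dc1>/<ip-of-dc2> are
# placeholders for the real addresses.
ldap_uri = ldap://<ip-of-dc1>,ldap://<ip-of-dc2>
krb5_server = <ip-of-dc1>,<ip-of-dc2>

# /etc/krb5.conf (a separate file, shown in the same block for reference):
# the "two corresponding kdc entries" the thread refers to, so that the KDC
# list matches the LDAP server list rather than relying on DNS lookups.
[libdefaults]
default_realm = FOO.BAR.BAZ
dns_lookup_kdc = false

[realms]
FOO.BAR.BAZ = {
    kdc = <ip-of-dc1>
    kdc = <ip-of-dc2>
    admin_server = <ip-of-dc1>
}
```

Before making the change, `host realm.foo.bar.baz` on the client shows the full address set the round-robin name expands to, which is a quick way to confirm that a failing bind coincides with a resolution to an address other than dc1's. The explicit lists also make the failover order deterministic, so a later outage of one DC is easier to correlate with the sssd log than a DNS ordering change would be.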