[Samba] login via Samba 4 LDAP

Gémes Géza geza at kzsdabas.hu
Thu Dec 29 11:14:32 MST 2011


On 2011-12-29 12:56, steve wrote:
> On 29/12/11 11:58, Gémes Géza wrote:
>> On 2011-12-29 10:11, steve wrote:
>>> On 29/12/11 10:00, steve wrote:
>>>> On 28/12/11 21:59, Bernd Markgraf wrote:
>>>>>> You should create a user in AD for nss-ldap and extract a keytab
>>>>>> for it
>>>>>> (samba-tool domain exportkeytab --principal=....) and configure
>>>>>> nss-ldap
>>>>>> to use that keytab for authenticating. Most probably you aren't
>>>>>> allowed
>>>>>> to bind anonymously to your AD server (you can try with
>>>>>> ldapsearch -x)
>>>>> LDAP works with an anonymous bind. You need the Kerberos keytab for
>>>>> authentication though.
>>>>>
>>>> steve at hh3:~>  ldapsearch -x
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base<DC=hh3,DC=site>  (default) with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 1 Operations error
>>>> text: 00002020: Operation unavailable without authentication
>>>>
>>>> # numResponses: 1
>>>>
>>>>
>>>>
>>>> I found this usage:
>>>>
>>>> samba-tool export keytab PATH_TO_KEYTAB
>>>>
>>>> How can I find my PATH_TO_KEYTAB
>>>> ?
>>>> Thanks
>>> Can't get the syntax right:
>>>
>>>   samba-tool domain exportkeytab  /var/lib/named/master --principal
>>>
>>> Usage: samba-tool domain exportkeytab<keytab>  [options]
>>>
>>> samba-tool domain exportkeytab: error: --principal option requires an
>>> argument
>>>
>> samba-tool domain exportkeytab
>> /path/to/the/keytab/file/you/want/to/create/or/update
>> --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
>>
>>
>> Regards
>>
>> Geza
> Tried:
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
>
> restarted samba but:
>
> su steve4
> su: user steve4 does not exist
>
> Am I getting close or should I give up now?!
>
> Steve
>
>
>
You still need to configure nss-ldap to do a kerberized bind.
I've found example configurations for nslcd (the daemon part of
nss-ldapd, a fork of nss-ldap) at:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
http://ubuntuforums.org/archive/index.php/t-1335022.html

Regards

Geza
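The step Geza is pointing at, as an added example that is not from the thread, the nslcd project or Samba: export the keytab (the samba-tool command already given above), verify it, and give nslcd a GSSAPI bind with a ticket cache refreshed from that keytab. Assumed names: a dedicated AD user "nslcd", keytab /etc/nslcd.keytab, DC dc1.hh3.site, realm HH3.SITE and the k5start tool; the base dc=hh3,dc=site comes from the ldapsearch output in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or nslcd: kerberized nslcd bind to Samba 4 AD.
# Assumed: AD user "nslcd" for the service, keytab /etc/nslcd.keytab, DC dc1.hh3.site,
# realm HH3.SITE; base dc=hh3,dc=site comes from the thread. NSLCD_APPLY=1 applies it.
set -eu

REALM=${REALM:-HH3.SITE}
BASE=${BASE:-dc=hh3,dc=site}
DC_URI=${DC_URI:-ldap://dc1.hh3.site/}
PRINCIPAL=${PRINCIPAL:-nslcd}            # sAMAccountName of the service user
KEYTAB=${KEYTAB:-/etc/nslcd.keytab}
CCNAME=${CCNAME:-/var/run/nslcd/nslcd.tkt}

# Emit nslcd.conf. Without sasl_mech nslcd binds anonymously, AD replies
# "Operation unavailable without authentication" (as ldapsearch -x did above),
# and "su: user does not exist" follows because no users are resolved.
render_nslcd_conf() {
    cat <<EOF
uid nslcd
gid ldap
uri $DC_URI
base $BASE
sasl_mech GSSAPI
sasl_realm $REALM
krb5_ccname $CCNAME
# AD schema: only accounts carrying POSIX attributes become Unix users
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map passwd uid           sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos         displayName
filter group (&(objectClass=group)(gidNumber=*))
EOF
}

apply() {
    # extract the service user's keys (command from the thread); root-only file
    samba-tool domain exportkeytab "$KEYTAB" --principal="$PRINCIPAL"
    chmod 600 "$KEYTAB"
    # prove the keytab and a GSSAPI bind work before touching nslcd
    kinit -k -t "$KEYTAB" "$PRINCIPAL@$REALM"
    ldapsearch -Y GSSAPI -H "$DC_URI" -b "$BASE" -LLL "sAMAccountName=$PRINCIPAL" dn
    # keep a ticket cache for nslcd, renewed from the keytab every 60 minutes
    k5start -b -f "$KEYTAB" -K 60 -k "$CCNAME" -o nslcd -g ldap "$PRINCIPAL"
    render_nslcd_conf > /etc/nslcd.conf
    chmod 640 /etc/nslcd.conf
    service nslcd restart
}

if [ "${NSLCD_APPLY:-0}" = 1 ]; then apply; fi
```

After the restart, `getent passwd steve4` should return the account; if it does not, the keytab or the ticket cache is the first thing to check.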

