[Samba] Samba 4 ldb_wrap open of idmap.ldb

steve steve at steve-ss.com
Wed Jan 18 00:27:16 MST 2012


On 18/01/12 04:54, Andrew Bartlett wrote:
> On Sun, 2012-01-15 at 14:49 +0100, steve wrote:
>> Hi everyone
>> Version 4.0.0alpha18-GIT-bfc7481
>>
>> I'm using nslcd to map Samba 4 users to uid:gid and home directory. At
>> startup I get this:
> Why are you not using nss_winbind?
>
> I know the Samba4 winbindd (started as a component of 'samba') isn't in
> great shape, but it is the only way to get at the correct id mapping at
> the moment.
>
> There are many requests to get the UID/GID number back into LDAP (it
> once was!), but we haven't done that work yet.  Part of the issue is
> what to do when we need to allocate a new UID, as Microsoft's
> implementation has no allocation procedure to use as a pattern.
>
> Andrew Bartlett
>
Hi
I'm using nslcd because I'm using nfs4 as a file server and because it 
just works. I've added the uid:gid, home directory and shell to each 
samba 4 user and nslcd is mapping them fine. Linux and win 7 domain 
machines can read and write the shares from the samba 4 smb.conf just 
fine. We can work logged onto a Linux or win 7 box.

The point I'm stuck on is getting the Samba 4 kerberos to authenticate 
to the Samba 4 LDAP. I can connect by specifying the binddn and 
password in nslcd.conf but it seems as though GSSAPI cannot find the 
ldap principal. But samba will not let me make a principal:

samba-tool spn add ldap host-account
hh3:/home/steve # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/HH3.SITE
ERROR(runtime): uncaught exception - Key table entry not found
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
    net.export_keytab(keytab=keytab, principal=principal)

and the error on trying to connect:

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:54046 for ldap/hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server ldap/hh3.site at HH3.SITE that was not found
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SITE at HH3.SITE: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:54046
Kerberos: TGS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:34450 for krbtgt/SITE at HH3.SITE [renewable]
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SITE at HH3.SITE: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:34450
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

Question: how do I create an ldap principal for the realm HH3.SITE? I'm on openSUSE 12.1

Thanks for your time and patience,
Steve
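As an added triage aid (not part of Steve's post, and not Samba code): a small Python parser that groups the KDC log lines above by TGS-REQ and pulls out, for each request, the service principal asked for, the realm the KDC tried to refer the client to, and the principal it then failed to find. The sample input is the post's own log with the `@` that the list archive renders as ` at ` restored; the one-line diagnosis is my reading of those lines (the referral realm SITE comes from the DNS domain of hh3.site, and `krbtgt/SITE@HH3.SITE` is the cross-realm ticket the KDC would need for that referral).

```python
import re

# Constructed sample: the KDC lines from the post, "@" restored where the
# archive prints " at ".
SAMPLE_LOG = """\
Kerberos: TGS-REQ host-account@HH3.SITE from ipv4:192.168.1.3:54046 for ldap/hh3.site@HH3.SITE [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server ldap/hh3.site@HH3.SITE that was not found
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SITE@HH3.SITE: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:54046
Kerberos: TGS-REQ host-account@HH3.SITE from ipv4:192.168.1.3:34450 for krbtgt/SITE@HH3.SITE [renewable]
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SITE@HH3.SITE: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:34450
"""

TGS_REQ = re.compile(
    r"Kerberos: TGS-REQ (?P<client>\S+) from (?P<addr>\S+) for (?P<service>\S+)")
REFERRAL = re.compile(
    r"Kerberos: Returning a referral to realm (?P<realm>\S+) for server (?P<service>\S+) that was not found")
NOT_FOUND = re.compile(
    r"Kerberos: Server not found in database: (?P<principal>\S+): no such entry found in hdb")
TGS_REP_FAIL = re.compile(r"Kerberos: Failed building TGS-REP to (?P<addr>\S+)")


def triage_kdc_log(text):
    """Return one record per TGS-REQ.

    A record stays "open" from its TGS-REQ line until the
    'Failed building TGS-REP to <addr>' line for the same client address,
    so the referral / not-found lines in between are attached to the
    request that produced them.
    """
    records = []
    current = None
    for line in text.splitlines():
        m = TGS_REQ.search(line)
        if m:
            current = {"client": m["client"], "addr": m["addr"],
                       "service": m["service"], "referral_realm": None,
                       "missing_principal": None, "failed": False}
            records.append(current)
            continue
        if current is None:
            continue
        m = REFERRAL.search(line)
        if m:
            current["referral_realm"] = m["realm"]
            continue
        m = NOT_FOUND.search(line)
        if m:
            current["missing_principal"] = m["principal"]
            continue
        m = TGS_REP_FAIL.search(line)
        if m and m["addr"] == current["addr"]:
            current["failed"] = True
            current = None
    return records


def realm_of(principal):
    """Realm part of 'primary/instance@REALM'."""
    return principal.rsplit("@", 1)[-1]


def explain(record):
    """One-line diagnosis of a failed TGS-REQ record (my interpretation)."""
    svc = record["service"]
    if record["referral_realm"] and record["referral_realm"] != realm_of(svc):
        # No account in the KDC's own realm carries this SPN, so the KDC
        # guessed a realm from the host's DNS domain and looked for a
        # cross-realm krbtgt to refer the client there; that is missing too.
        return (f"{svc}: no servicePrincipalName match in realm {realm_of(svc)}; "
                f"KDC tried a referral to realm {record['referral_realm']} "
                f"but {record['missing_principal']} does not exist (no trust)")
    if record["missing_principal"]:
        return f"{svc}: {record['missing_principal']} is not in the directory"
    return f"{svc}: ok"


if __name__ == "__main__":
    for rec in triage_kdc_log(SAMPLE_LOG):
        print(explain(rec))
```

Run against the post's log this prints two lines: the first says the `ldap/hh3.site` SPN is not registered on any account in HH3.SITE and the fallback referral to realm SITE has no trust behind it; the second is the client retrying that referral directly and hitting the same missing `krbtgt/SITE@HH3.SITE`. Feed it the live `samba` log (with `-d` high enough for the `Kerberos:` lines) to see which SPN a failing GSSAPI bind is actually asking for.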