[Samba] Samba 4 and GSSAPI kerberos ldap connect

Gémes Géza geza at kzsdabas.hu
Wed Jan 18 13:56:22 MST 2012


On 2012-01-18 12:12, steve wrote:
> On 01/17/2012 09:40 PM, Gémes Géza wrote:
>> Hi,
>>
>> See comments inline:
>>> Hi everyone
>>>
>>> I'm trying to use kerberos to authenticate to Samba 4 ldap. At the
>>> moment, I authenticate by specifying the binddn and password in
>>> /etc/nslcd.conf and all works fine
>>>
>>> If I add the line:
>>> sasl_mech GSSAPI
>> That should suffice, but please note that nslcd should also have access
>> to some kind of keytab to authenticate itself.
>> This is done on Debian/Ubuntu via the /etc/default/nslcd.conf (mine is
>> looking like):
>>
>> # Defaults for nslcd init script
>>
>> # Whether to start k5start (for obtaining and keeping a Kerberos ticket)
>> # By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
>> # and krb5_ccname is set to a file-type ticket cache.
>> # Set to "yes" to force starting k5start, any other value will not start
>> # k5start.
>> K5START_START="yes"
>>
>> # Options for k5start.
>> K5START_BIN=/usr/bin/k5start
>> K5START_KEYTAB=/etc/krb5.keytab
>> K5START_CCREFRESH=60
>> K5START_PRINCIPAL="host/$(hostname -f)"
>>
>> And you must have k5start installed (it is a wrapper which keeps fresh
>> tickets for long running services)
>>> to /etc/nslcd.conf
>>> and restart nslcd, no one can connect to the database. Nothing works.
>>> ldapsearch and getent passwd draw a blank.
>>>
>>> ldapsearch -x -b '' -sbase supportedSASLMechanisms
>>>
>>> gives me:
>>>
>>> dn:
>>> supportedSASLMechanisms: GSS-SPNEGO
>>> supportedSASLMechanisms: GSSAPI
>>> supportedSASLMechanisms: NTLM
>>>
>>> but ldapsearch -Y GSSAPI gives:
>>> SASL/GSSAPI authentication started
>>> ldap_sasl_interactive_bind_s: Local error (-2)
>>>      additional info: SASL(-1): generic failure: GSSAPI Error:
>>> Unspecified GSS failure.  Minor code may provide more information
>>> (Server not found in Kerberos database)
>>>
>> before you can do an SASL/GSSAPI based ldap operation you must have
>> valid kerberos tickets (so do a kinit first)!
>>> and Samba gives:
>>> Kerberos: TGS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:56859
>>> for ldap/hh3.site at HH3.SITE [canonicalize, renewable]
>>> Kerberos: Searching referral for hh3.site
>>> Kerberos: Returning a referral to realm SITE for server
>>> ldap/hh3.site at HH3.SITE that was not found
>>> Failed find a single entry for
>>> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))):
>>> got 0
>>> Kerberos: samba_kdc_fetch: could not find principal in DB
>>> Kerberos: Server not found in database: krbtgt/SITE at HH3.SITE: no such
>>> entry found in hdb
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:56859
>>>
>>> I've tried making a ldap principal but samba-tool spn doesn't let me
>>> add an ldap principal.
>>> Any ideas anyone?
>>>
>>> Thanks,
>>> Steve
>> Regards
>>
>> Geza
> Hi Geza
>
> OK. Now on Ubuntu. I have k5init installed and have made a host
> principal:
>
> klist -k /etc/host.keytab
> Keytab name: WRFILE:/etc/host.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    1 host/HH3.SITE at HH3.SITE
>    1 host/HH3.SITE at HH3.SITE
>    1 host/HH3.SITE at HH3.SITE
>
> Just to be sure I have:
>  ls -la /etc/host.keytab
> -rw-rw-rw- 1 root root 193 2012-01-18 11:34 /etc/host.keytab
>
> cat /etc/default/nslcd
> # Defaults for nslcd init script
>
> # Whether to start k5start (for obtaining and keeping a Kerberos ticket)
> # By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
> # and krb5_ccname is set to a file-type ticket cache.
> # Set to "yes" to force starting k5start, any other value will not start
> # k5start.
> K5START_START="yes"
>
> # Options for k5start.
> K5START_BIN=/usr/bin/k5start
> K5START_KEYTAB=/etc/host.keytab
> K5START_CCREFRESH=60
> #K5START_PRINCIPAL="host/$(hostname -f)"
> K5START_PRINCIPAL="host/HH3.SITE -f"
>
> I did kinit Administrator and have a cache in /tmp/krbcc_0
>
> cat /etc/nslcd.conf
> uid nslcd
> gid nslcd
>
> uri ldap://127.0.0.1
>
> base dc=hh3,dc=site
>
> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
>
> map    passwd uid              sAMAccountName
> map    passwd homeDirectory    unixHomeDirectory
> map    shadow uid              sAMAccountName
>
> sasl_mech GSSAPI
> sasl_realm HH3.SITE
> krb5_ccname /tmp/krb5cc_0
>
> But:
>
>  service nslcd restart
>  * Restarting LDAP connection daemon
> nslcd                               [ OK ]
>  * Stopping Keep alive Kerberos ticket
> k5start                                  No process in pidfile
> '/var/run/nslcd/k5start_nslcd.pid' found running; none killed.
>                                                                         
> [ OK ]
>  * Starting Keep alive Kerberos ticket
> k5start                                  k5start: error getting
> credentials: Client not found in Kerberos database
>                                                                         
> [fail]
>                                                                         
> [ OK ]
>
> and Samba gives:
> Kerberos: AS-REQ host/HH3.SITE at HH3.SITE from ipv4:192.168.1.3:38618
> for krbtgt/HH3.SITE at HH3.SITE
> Kerberos: UNKNOWN -- host/HH3.SITE at HH3.SITE: no such entry found in hdb
>
> Why isn't the host principal being found?
>
> Ahhgg!!
> Where to start?
> Any ideas?
> Cheers,
> Steve
>
Hi,

First of all, /etc/host.keytab shouldn't be writable. But that is a
different story.
On the other hand, Kerberos could get confused by having a host principal
for the realm name (I've seen your realm is named HH3.SITE and your host
principal is host/HH3.SITE). I would create a special
nslcd-domain-account and extract the keytab for it, and use that
account+keytab. Or, if you prefer, create a host account for each host you
have and extract a keytab for each of them. The example I've sent you
uses the second method ($(hostname -f) returns the FQDN if it is set in
/etc/hostname; a common mistake is to have just the first part set in
that file).
Other possible error sources could be:
K5START_PRINCIPAL="host/HH3.SITE -f"  <- You definitely don't need a -f
there!
I wouldn't use a binddn with a SASL bind.

Regards

Geza
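Added example, not part of this thread and not nslcd's, k5start's or Samba's own tooling: a small POSIX shell lint for the two files quoted above, /etc/default/nslcd and /etc/nslcd.conf. It flags the problems Geza names: a stray " -f" inside K5START_PRINCIPAL, a world-writable keytab, a host principal whose instance is the realm name instead of the host's FQDN, and a binddn combined with sasl_mech GSSAPI; it also checks that hostname -f returns a domain-qualified name when the $(hostname -f) form is used. The sample file contents are constructed to mirror Steve's posted configuration; the "fixed" counterparts, the FQDN client.hh3.site, the dedicated keytab name and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: lint /etc/default/nslcd (k5start settings)
# and /etc/nslcd.conf for the mistakes discussed above. Sample contents below
# are constructed from the posted configs; client.hh3.site is a made-up FQDN.

# Value of a VAR=value or VAR="value" line; commented-out lines are skipped.
conf_var() {  # $1 = file, $2 = variable name
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# First argument of an nslcd.conf keyword (empty if the keyword is absent).
nslcd_kw() {  # $1 = file, $2 = keyword
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Prints one finding per line for the k5start defaults; $2 is the Kerberos realm.
lint_k5start_defaults() {
    f="$1"; realm="$2"
    principal=$(conf_var "$f" K5START_PRINCIPAL)
    keytab=$(conf_var "$f" K5START_KEYTAB)

    # "host/HH3.SITE -f": an option does not belong inside the principal name.
    case "$principal" in
        *" "*) echo "K5START_PRINCIPAL contains a space: $principal" ;;
    esac

    # host/<instance>: the instance should be this host's FQDN, not the realm.
    instance=${principal#host/}; instance=${instance%% *}
    if [ "$(printf '%s' "$instance" | tr 'a-z' 'A-Z')" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "host principal instance '$instance' is the realm name; use the FQDN or a dedicated service account"
    fi

    # The $(hostname -f) form only works when /etc/hostname holds the FQDN.
    case "$principal" in
        *'$(hostname -f)'*)
            fqdn=$(hostname -f 2>/dev/null || true)
            case "$fqdn" in
                *.*) ;;
                *) echo "hostname -f gives '$fqdn' (no domain part); put the FQDN in /etc/hostname" ;;
            esac ;;
    esac

    # Column 9 of the ls -l mode string is the other-write bit (-rw-rw-rw-).
    if [ -n "$keytab" ] && [ -e "$keytab" ]; then
        [ "$(ls -ld "$keytab" | cut -c9)" = "w" ] && echo "keytab $keytab is world-writable"
    elif [ -n "$keytab" ]; then
        echo "keytab $keytab does not exist"
    fi
    return 0
}

# Prints one finding per line for nslcd.conf when it binds with GSSAPI.
lint_nslcd_conf() {
    f="$1"
    [ "$(nslcd_kw "$f" sasl_mech)" = "GSSAPI" ] || return 0
    [ -n "$(nslcd_kw "$f" binddn)" ] && echo "binddn is set but the bind identity comes from the Kerberos ticket; drop it"
    [ -z "$(nslcd_kw "$f" krb5_ccname)" ] && echo "krb5_ccname is unset; the init script only starts k5start for a file ticket cache"
    return 0
}

# Constructed samples: the posted (broken) files and corrected counterparts.
tmp=$(mktemp -d)
: > "$tmp/host.keytab"; chmod 666 "$tmp/host.keytab"    # -rw-rw-rw- as in the thread
: > "$tmp/nslcd.keytab"; chmod 600 "$tmp/nslcd.keytab"  # keytab for a dedicated account
cat > "$tmp/default_nslcd" <<EOF
K5START_START="yes"
K5START_KEYTAB=$tmp/host.keytab
K5START_CCREFRESH=60
#K5START_PRINCIPAL="host/\$(hostname -f)"
K5START_PRINCIPAL="host/HH3.SITE -f"
EOF
cat > "$tmp/default_nslcd.fixed" <<EOF
K5START_START="yes"
K5START_KEYTAB=$tmp/nslcd.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host/client.hh3.site"
EOF
cat > "$tmp/nslcd.conf" <<'EOF'
uri ldap://127.0.0.1
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
EOF
sed '/^binddn /d' "$tmp/nslcd.conf" > "$tmp/nslcd.conf.fixed"

for v in "" .fixed; do
    echo "== default_nslcd$v =="; lint_k5start_defaults "$tmp/default_nslcd$v" HH3.SITE
    echo "== nslcd.conf$v ==";    lint_nslcd_conf "$tmp/nslcd.conf$v"
done
```

Run against the posted files it reports three findings for the k5start defaults (the "-f", the realm-named host principal, the world-writable keytab) and one for nslcd.conf (the binddn); the corrected counterparts produce none. Pointing lint_k5start_defaults at a real /etc/default/nslcd and lint_nslcd_conf at /etc/nslcd.conf works the same way, with the realm taken from sasl_realm.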

