samba-generated keytab and ldap

Thomas Muders muders at uni-mainz.de
Mon Aug 2 16:08:56 GMT 2004


Hello,

I'm running the current SVN snapshot of samba 3 (3.0.7pre1-SVN-build-1616), 
all works well.
What I want to do is: make a kinit with the computer account to update 
certain LDAP attributes in the Active Directory. I tried obtaining a ticket 
with kinit -k -t but I could not figure out how (or if) it is possible to 
get a TGT for then doing ldapmodify -Y gssapi. It must be possible somehow, 
otherwise Samba could not search LDAP successfully with net ads search :-) 
(or does that use a password cached in a tdb file? I use "use kerberos 
keytab = yes").
Is it possible to get a ticket, usable with ldapmodify, or is there some 
trick involved?

Then, I have a second problem. A few days ago I set up kerberized ftp (as a 
test, I created a keytab entry with net ads keytab add) and it worked. 
Later on, I joined the computer again to the domain, and after this, I 
could not get kerberized ftp running. (it could not authorize the user). 
Now it's even worse, I get
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Server not found in Kerberos database
GSSAPI error: initializing context
GSSAPI authentication failed
after updating to a newer SVN snapshot. As we changed the DNS: is there any 
known problem with MIT Kerberos if the reverse DNS name is not equal to the 
host name?
Then an important detail: Our Windows (2K3) Domain name is ZDV-MAINZ.DE, 
but the FQDN of the host is bender.zdv.zdv-mainz.de. Samba creates in the 
AD an SPN of the form HOST/bender.zdv-mainz.de, but in the keytab it shows 
up as HOST/bender.zdv.zdv-mainz.de at ZDV-MAINZ.DE. Likewise with CIFS and 
FTP. This could be a source of problems too.
I hope my mail was not too unstructured, but it would be absolutely great 
if I could get those working. Actually it does not have to be kerberized 
ftp, only I use that as a test; later maybe we want to use kerberized lpr 
or sshd.
If you need more details, please request them.
As a CIFS Fileserver, it runs like a charm, I am really happy with it :-)

best regards,
       Thomas

-- 
muders at Uni-Mainz.DE        |  Johannes Gutenberg-Universität Mainz
Systemabteilung/Unix       |         Zentrum für Datenverarbeitung
Tel: +49-6131-39-26015     |                           55099 Mainz
Fax: +49-6131-39-56015     |                 Tel: +49-6131-3926300
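The message asks two things a practitioner can check locally: which principal in the Samba-generated keytab to hand to "kinit -k -t" before "ldapmodify -Y GSSAPI", and whether the keytab's service principals (HOST/, cifs/, ftp/) name the same host as the SPNs Samba registered in AD, since a service principal whose host part does not exist in the KDC is exactly what "Server not found in Kerberos database" reports. The script below is an added example, not code from the original message or from the Samba project. It parses "klist -k -t" output, looks up a service principal and the computer-account principal, and compares the keytab's host part with the AD-side SPN form the message reports Samba creating (short host name plus lower-cased realm). The realm, FQDN, keytab path and LDAP URI are assumptions taken from or added to the message; the sample klist listing is constructed, and its BENDER$ entry assumes the keytab contains the computer account, which is not verified against Samba here.

```sh
#!/bin/sh
# Added example, not from the original message or from Samba. Checks the
# principals in the keytab against the host's real FQDN before attempting
# "kinit -k -t <keytab> <principal>" and a GSSAPI bind with ldapmodify.
# REALM, FQDN, KEYTAB and LDAP_URI are assumptions taken from the message.

REALM="ZDV-MAINZ.DE"
FQDN="bender.zdv.zdv-mainz.de"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Constructed sample of "klist -k -t" output standing in for the real
# listing. The BENDER$ line assumes the keytab holds the computer account.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   2 08/02/04 10:12:01 host/bender.zdv.zdv-mainz.de@ZDV-MAINZ.DE
   2 08/02/04 10:12:01 HOST/bender.zdv.zdv-mainz.de@ZDV-MAINZ.DE
   2 08/02/04 10:12:01 cifs/bender.zdv.zdv-mainz.de@ZDV-MAINZ.DE
   2 08/02/04 10:12:01 ftp/bender.zdv.zdv-mainz.de@ZDV-MAINZ.DE
   2 08/02/04 10:12:01 BENDER$@ZDV-MAINZ.DE'

# keytab_principal SERVICE HOST REALM LISTING
# Prints the first "service/host@REALM" entry in LISTING (service compared
# case-insensitively, host exactly); returns 1 if there is none.
keytab_principal() {
    printf '%s\n' "$4" | awk -v svc="$1" -v host="$2" -v realm="$3" '
        $NF ~ /@/ {
            if (split($NF, a, "@") != 2 || a[2] != realm) next
            if (split(a[1], b, "/") != 2) next
            if (tolower(b[1]) == tolower(svc) && b[2] == host) {
                print $NF; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# machine_principal REALM LISTING
# Prints the computer-account principal (NAME$@REALM); returns 1 if absent.
machine_principal() {
    printf '%s\n' "$2" | awk -v realm="$1" '
        index($NF, "$@") > 0 {
            if (split($NF, a, "@") == 2 && a[2] == realm) {
                print $NF; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# samba_ad_spn SERVICE FQDN REALM
# The SPN form the message reports Samba registering in AD: the short host
# name joined to the lower-cased realm, e.g. HOST/bender.zdv-mainz.de.
samba_ad_spn() {
    spn_short=${2%%.*}
    printf '%s/%s.%s\n' "$1" "$spn_short" \
        "$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')"
}

# spn_consistent SERVICE FQDN REALM LISTING
# Returns 0 when the keytab entry and the AD-side SPN name the same host,
# 1 when they differ (the mismatch the message describes) or no entry exists.
spn_consistent() {
    sc_kt=$(keytab_principal "$1" "$2" "$3" "$4") || return 1
    sc_kt_host=${sc_kt#*/}; sc_kt_host=${sc_kt_host%@*}
    sc_ad=$(samba_ad_spn "$1" "$2" "$3"); sc_ad_host=${sc_ad#*/}
    [ "$sc_kt_host" = "$sc_ad_host" ]
}

# bind_with_keytab PRINCIPAL LDIF_FILE
# The live sequence: a TGT from the keytab as PRINCIPAL, then a GSSAPI bind.
bind_with_keytab() {
    kinit -k -t "$KEYTAB" "$1" || return 1
    ldapmodify -Y GSSAPI -H "${LDAP_URI:-ldap://dc.zdv-mainz.de}" -f "$2"
}

# Only touches the real keytab and KDC when invoked as: sh script.sh --run [changes.ldif]
if [ "${1:-}" = "--run" ]; then
    listing=$(klist -k -t "$KEYTAB")
    for svc in host cifs ftp; do
        if spn_consistent "$svc" "$FQDN" "$REALM" "$listing"; then
            echo "ok:       $svc/$FQDN matches the SPN Samba registers"
        else
            echo "mismatch: $svc/$FQDN vs $(samba_ad_spn "$svc" "$FQDN" "$REALM")"
        fi
    done
    princ=$(machine_principal "$REALM" "$listing") || { echo "no machine principal in $KEYTAB"; exit 1; }
    bind_with_keytab "$princ" "${2:-changes.ldif}"
fi
```

Against the constructed listing, spn_consistent fails for every service, which is the situation the message describes: the keytab says bender.zdv.zdv-mainz.de while the AD SPN says bender.zdv-mainz.de, and a client that canonicalizes the server name through DNS will ask the KDC for a principal it does not have. The bind step uses the computer-account principal rather than a HOST/ entry because that is the identity AD associates with the machine object whose attributes are to be modified.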
