samba-generated keytab and ldap
Thomas Muders
muders at uni-mainz.de
Mon Aug 2 16:08:56 GMT 2004
Hello,
I'm running the current SVN snapshot of samba 3 (3.0.7pre1-SVN-build-1616),
all works well.
What I want to do is: make a kinit with the computer account to update
certain LDAP attributes in the Active Directory. I tried obtaining a ticket
with kinit -k -t but I could not figure out how (or if) it is possible to
get a TGT for then doing ldapmodify -Y gssapi. It must be possible somehow,
otherwise Samba could not search LDAP successfully with net ads search :-)
(or does that use a password cached in a tdb file? I use "use kerberos
keytab = yes").
Is it possible to get a ticket, usable with ldapmodify, or is there some
trick involved?
Then, I have a second problem. A few days ago I set up kerberized ftp (as a
test, I created a keytab entry with net ads keytab add) and it worked.
Later on, I joined the computer again to the domain, and after this, I
could not get kerberized ftp running. (it could not authorize the user).
Now it's even worse, I get
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Server not found in Kerberos database
GSSAPI error: initializing context
GSSAPI authentication failed
after updating to a newer SVN snapshot. As we changed the DNS: is there any
known problem with MIT Kerberos if the reverse DNS name is not equal to the
host name?
Then an important detail: Our Windows (2K3) Domain name is ZDV-MAINZ.DE,
but the FQDN of the host is bender.zdv.zdv-mainz.de. Samba creates in the
AD an SPN of the form HOST/bender.zdv-mainz.de, but in the keytab it shows
up as HOST/bender.zdv.zdv-mainz.de at ZDV-MAINZ.DE. Likewise with CIFS and
FTP. This could be a source of problems too.
I hope my mail was not too unstructured, but it would be absolutely great
if I could get those working. Actually it does not have to be kerberized
ftp; I only use that as a test. Later maybe we want to use kerberized lpr
or sshd.
If you need more details, please request them.
As a CIFS Fileserver, it runs like a charm, I am really happy with it :-)
best regards,
Thomas
--
muders at Uni-Mainz.DE | Johannes Gutenberg-Universität Mainz
Systemabteilung/Unix | Zentrum für Datenverarbeitung
Tel: +49-6131-39-26015 | 55099 Mainz
Fax: +49-6131-39-56015 | Tel: +49-6131-3926300
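A check for the mismatch described in this mail (SPNs registered in AD versus principals in the host keytab), added here as an example; it is not part of the original post or of Samba. The `klist -k` listing and the LDAP attribute dump are constructed sample data built from the names in the mail; the KVNO and the extra SPN values are assumed.

```shell
#!/bin/sh
# Added example, not from the original mail. Compares the service principals
# held in the host keytab with the servicePrincipalName values registered on
# the computer object in AD. A keytab principal with no matching SPN is one
# the KDC cannot issue tickets for, which a client sees as
# "Server not found in Kerberos database".
# Both inputs are constructed sample data in the shape of `klist -k` output
# and of an LDAP attribute dump; names follow the mail, the KVNO is assumed.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 HOST/bender.zdv.zdv-mainz.de@ZDV-MAINZ.DE
   3 CIFS/bender.zdv.zdv-mainz.de@ZDV-MAINZ.DE
   3 FTP/bender.zdv.zdv-mainz.de@ZDV-MAINZ.DE'

AD_SPNS='servicePrincipalName: HOST/bender.zdv-mainz.de
servicePrincipalName: HOST/BENDER
servicePrincipalName: CIFS/bender.zdv-mainz.de
servicePrincipalName: FTP/bender.zdv.zdv-mainz.de'

# Print each keytab principal (realm stripped) that has no matching SPN in AD.
# The comparison is case-insensitive, as AD treats SPNs. Returns 1 on any miss.
keytab_spns_missing_in_ad() {
    listing=$1; spns=$2; status=0
    # Normalise the AD side to one upper-cased SPN per line.
    ad=$(printf '%s\n' "$spns" | awk -F': ' '/^servicePrincipalName:/ { print toupper($2) }')
    # Skip the three klist header lines; field 2 is the principal.
    for princ in $(printf '%s\n' "$listing" | awk 'NR > 3 { print $2 }'); do
        spn=$(printf '%s' "${princ%@*}" | tr '[:lower:]' '[:upper:]')
        if ! printf '%s\n' "$ad" | grep -qxF -- "$spn"; then
            printf '%s\n' "${princ%@*}"
            status=1
        fi
    done
    return $status
}

# Usage: the exit status makes this usable from a join/keytab-refresh script.
keytab_spns_missing_in_ad "$KEYTAB_LISTING" "$AD_SPNS"
```

On the sample data this reports the HOST and CIFS entries, which is exactly the short-name versus FQDN split the mail describes; FTP is consistent.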
More information about the samba-technical
mailing list