DC demote

Michael Wood esiotrot at gmail.com
Wed Jan 5 12:24:22 MST 2011


Sorry, my previous message was meant to go to the list, so I'm sending
this one there.

On 5 January 2011 20:36, Vaclav Klecanda <vencax77 at gmail.com> wrote:
> Hi Michael,

> thanks for pointing me to right direction. It was really lack of the
> libraries installed. Now it gives me invalid credentials error:

> ldapsearch -Y gssapi -h 10.0.1.4 -b CN=Users,DC=kkkk,DC=cz sAMAccountName
> -vvv
> ldap_initialize( ldap://10.0.1.4 )
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)

> which is quite strange since I am already authenticated with kinit ... ?
> (klist -e showed me I have a ticket from kerberos).

Yes, that is strange.  I must admit to not having tried it with a very
recent version of Samba, but I don't see why it should not work.

> Or is there something else to perform?

No, I don't think anything else should be needed.  As long as the
Kerberos server you got the ticket from is the same installation of
Samba 4 as the LDAP server you are talking to (or another DC in the
same AD/domain/whatever) then it should work.

Does it make a difference if you try kinit Administrator instead of a
normal user?  (Although it works for me as a normal user too.)

> Sorry for maybe silly bothering.

No problem :)

> 2011/1/5 Michael Wood <esiotrot at gmail.com>
>>
>> On 4 January 2011 21:01, Vaclav Klecanda <vencax77 at gmail.com> wrote:
>> > Sorry I forgot:
>>
>> > I use an older version (alpha12) that I was able to list content with
>> > anonymous bind. Now when I tested with current version this seems to be
>> > impossible. So this is ok now.
>>
>> > Concerning the "I use port 389": I meant that I normally start the
>> > samba4
>> > binary which also starts the build-in ldap server (on default 389
>> > server).
>> > Nothing special except the fact I am not able to bind it. So I still
>> > search
>> > working solution how to do it.
>>
>> I think it would be best to verify that it works with ldapsearch first.
>>
>> Try something like this:
>>
>> $ kinit vena
>> $ ldapsearch -Y gssapi -h 10.0.1.4 -b CN=Users,DC=mydomain,DC=cz
>> sAMAccountName
>>
>> If you also get an error about the SASL mechanism not being found,
>> make sure you have the necessary package.  On Ubuntu/Debian it is
>> called libsasl2-modules-gssapi-heimdal (or
>> libsasl2-modules-gssapi-mit).

-- 
Michael Wood <esiotrot at gmail.com>
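The kinit / ldapsearch -Y gssapi sequence discussed in this thread, wrapped into a small POSIX sh diagnostic. This is an added example, not code from the thread or from Samba. It assumes (not stated in the thread) the Cyrus SASL plugin directories listed in sasl_plugin_dirs, the plugin file name libgssapiv2.so, that klist -s exits non-zero without a valid ticket (MIT and Heimdal both accept it), that ldapsearch reports bind failures on a line beginning "ldap_sasl_interactive_bind_s:", and it uses -H ldap://host in place of the older -h form shown above.

```shell
#!/bin/sh
# Added example (not from the thread): check the three things the thread
# goes through before blaming the DC: SASL GSSAPI plugin, Kerberos ticket,
# then the actual GSSAPI bind, with the error line turned into a hint.

# Assumed Cyrus SASL plugin directories (Debian/Ubuntu and Fedora layouts).
# Override with SASL_PLUGIN_DIRS="dir1 dir2" for other distributions.
sasl_plugin_dirs() {
    echo "${SASL_PLUGIN_DIRS:-/usr/lib/sasl2 /usr/lib/x86_64-linux-gnu/sasl2 /usr/lib64/sasl2}"
}

# 0 if a GSSAPI SASL plugin exists in any of the directories given as
# arguments, 1 otherwise. libsasl2-modules-gssapi-{heimdal,mit} ship it.
gssapi_plugin_present() {
    for d in "$@"; do
        [ -e "$d/libgssapiv2.so" ] && return 0
    done
    return 1
}

# Turn the ldapsearch diagnostic line ($1) into a hint. The two message
# texts matched here are the usual OpenLDAP wording (assumed, not from
# the thread); anything else is echoed back unclassified.
explain_ldap_error() {
    case "$1" in
        *"Invalid credentials (49)"*)
            echo "bind rejected: confirm with klist that the ticket came from the same Samba 4 DC/domain as the LDAP server, and retry after kinit Administrator" ;;
        *"Unknown authentication method"*|*"no mechanism available"*)
            echo "no GSSAPI SASL mechanism: install libsasl2-modules-gssapi-heimdal or libsasl2-modules-gssapi-mit" ;;
        *)
            echo "unclassified: $1" ;;
    esac
}

# Walk the steps in order. Usage: diagnose <dc-host-or-ip> <base-dn>
# (run kinit first). Returns 0 on a successful search.
diagnose() {
    host=$1; base=$2
    if ! gssapi_plugin_present $(sasl_plugin_dirs); then
        echo "GSSAPI SASL plugin not found in: $(sasl_plugin_dirs)"
        return 2
    fi
    # klist -s is silent and exits non-zero when no valid ticket is cached.
    if ! klist -s; then
        echo "no Kerberos ticket in cache; run: kinit <user>"
        return 3
    fi
    # -vvv as in the thread; the bind diagnostic arrives on stderr.
    if out=$(ldapsearch -Y gssapi -H "ldap://$host" -b "$base" sAMAccountName -vvv 2>&1); then
        echo "$out"
        return 0
    fi
    explain_ldap_error "$(echo "$out" | grep 'ldap_sasl_interactive_bind_s' | tail -n 1)"
    return 1
}

# Only act when invoked directly with --run, so the file can be sourced.
if [ "${1:-}" = "--run" ]; then
    diagnose "${2:-10.0.1.4}" "${3:-CN=Users,DC=mydomain,DC=cz}"
fi
```

Usage: `sh diag.sh --run 10.0.1.4 CN=Users,DC=mydomain,DC=cz` after `kinit vena`. The plugin check runs first because a missing mechanism produces an error that looks unrelated to credentials, which is the confusion the thread started from.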