samba with openldap provisioning

Andrew Bartlett abartlet at samba.org
Thu Sep 5 00:03:22 CEST 2013


On Wed, 2013-09-04 at 20:27 +0300, Nadezhda Ivanova wrote:
> Hi Andrew,
> At which point are you getting the invalid dn error?

It was just the last message 'samba' printed when I ran it against the
LDAP backend.  

> I can't get this far, at this point I cannot make an ldapsearch with
> Administrator, according to the logs the dn is not being found, so I'll dig
> on that. Anonymous bind works though. I am seeing some "Unrecognised
> control" messages in the slapd log, hopefully tomorrow I'll find out what
> the problem is.
> 
> Also I see this: scripts like dnsupdate and samba_kcc seem to have a
> problem with kerberos, I keep getting this in the logs:
> 
> /usr/local/samba/sbin/samba_dnsupdate: Starting GENSEC mechanism gssapi_krb5_sasl
> Kerberos: AS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:46353 for krbtgt/TESTDOMAIN.NADYA.ORG@TESTDOMAIN.NADYA.ORG
> Child /usr/local/samba/sbin/samba_spnupdate exited with status 0 - Success
> Completed SPN update check OK
> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- DRIZZIT$@TESTDOMAIN.NADYA.ORG
> /usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 287
> Kerberos: AS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:40831 for krbtgt/TESTDOMAIN.NADYA.ORG@TESTDOMAIN.NADYA.ORG
> Kerberos: Client sent patypes: encrypted-timestamp
> Kerberos: Looking for PKINIT pa-data -- DRIZZIT$@TESTDOMAIN.NADYA.ORG
> Kerberos: Looking for ENC-TS pa-data -- DRIZZIT$@TESTDOMAIN.NADYA.ORG
> Kerberos: ENC-TS Pre-authentication succeeded -- DRIZZIT$@TESTDOMAIN.NADYA.ORG using arcfour-hmac-md5
> Kerberos: AS-REQ authtime: 2013-09-04T20:16:14 starttime: unset endtime: 2013-09-05T06:16:14 renew till: unset
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
> Kerberos: Requested flags: forwardable
> /usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 1283
> Kerberos: TGS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:52105 for ldap/DRIZZIT.testdomain.nadya.org@TESTDOMAIN.NADYA.ORG [canonicalize]
> Kerberos: Searching referral for DRIZZIT.testdomain.nadya.org
> Kerberos: Server not found in database: ldap/DRIZZIT.testdomain.nadya.org@TESTDOMAIN.NADYA.ORG: no such entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.11.146:52105
> /usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 107
> Kerberos: TGS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:33524 for ldap/DRIZZIT.testdomain.nadya.org@TESTDOMAIN.NADYA.ORG
> Kerberos: Server not found in database: ldap/DRIZZIT.testdomain.nadya.org@TESTDOMAIN.NADYA.ORG: no such entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.11.146:33524
> /usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 107
> Kerberos: TGS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:45045 for ldap/DRIZZIT.testdomain.nadya.org@TESTDOMAIN.NADYA.ORG [canonicalize]
> Kerberos: Searching referral for DRIZZIT.testdomain.nadya.org
> Kerberos: Server not found in database: ldap/DRIZZIT.testdomain.nadya.org@TESTDOMAIN.NADYA.ORG: no such entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.11.146:45045
> /usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 107
> Kerberos: TGS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:39297 for ldap/DRIZZIT.testdomain.nadya.org@TESTDOMAIN.NADYA.ORG
> Kerberos: Server not found in database: ldap/DRIZZIT.testdomain.nadya.org@TESTDOMAIN.NADYA.ORG: no such entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.11.146:39297
> /usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 107
> /usr/local/samba/sbin/samba_dnsupdate: Server ldap/DRIZZIT.testdomain.nadya.org@TESTDOMAIN.NADYA.ORG is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/DRIZZIT.testdomain.nadya.org@TESTDOMAIN.NADYA.ORG) unknown
> 
> When tested with kinit it works fine though, so I suppose it is a problem
> for a later time.

All this implies that a number of searches we rely on are not working
yet.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz
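The KDC log quoted in the message above shows the two legs of the failure cleanly: the AS exchange for the machine account DRIZZIT$ completes (PREAUTH-REQUIRED, then ENC-TS pre-authentication succeeds), while every TGS-REQ for ldap/DRIZZIT.testdomain.nadya.org fails with "Server not found in database", i.e. the service principal is not visible through the KDC's backend lookup. The following is an added triage script, not code from the thread or from Samba: it parses Heimdal-style "Kerberos:" lines as they appear in that log, correlates each TGS-REQ with its outcome, and reports per-client and per-service findings. The sample log is a constructed, trimmed copy of the quoted lines with the archive's " at " obfuscation turned back into "@"; the regexes and finding texts are this script's own assumptions, not a general Samba log format.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copy of the KDC lines quoted in the thread,
# "@" restored. A non-"Kerberos:" line is kept to show it is ignored.
SAMPLE_LOG = """\
/usr/local/samba/sbin/samba_dnsupdate: Starting GENSEC mechanism gssapi_krb5_sasl
Kerberos: AS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:46353 for krbtgt/TESTDOMAIN.NADYA.ORG@TESTDOMAIN.NADYA.ORG
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- DRIZZIT$@TESTDOMAIN.NADYA.ORG
Kerberos: AS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:40831 for krbtgt/TESTDOMAIN.NADYA.ORG@TESTDOMAIN.NADYA.ORG
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: ENC-TS Pre-authentication succeeded -- DRIZZIT$@TESTDOMAIN.NADYA.ORG using arcfour-hmac-md5
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: forwardable
Kerberos: TGS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:52105 for ldap/DRIZZIT.testdomain.nadya.org@TESTDOMAIN.NADYA.ORG [canonicalize]
Kerberos: Searching referral for DRIZZIT.testdomain.nadya.org
Kerberos: Server not found in database: ldap/DRIZZIT.testdomain.nadya.org@TESTDOMAIN.NADYA.ORG: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.11.146:52105
Kerberos: TGS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:33524 for ldap/DRIZZIT.testdomain.nadya.org@TESTDOMAIN.NADYA.ORG
Kerberos: Server not found in database: ldap/DRIZZIT.testdomain.nadya.org@TESTDOMAIN.NADYA.ORG: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.11.146:33524
"""

# Line shapes as they appear in the quoted log (assumed, not a full grammar).
AS_REQ = re.compile(r"^Kerberos: AS-REQ (\S+) from (\S+) for (\S+)$")
PREAUTH_OK = re.compile(r"^Kerberos: ENC-TS Pre-authentication succeeded -- (\S+) using (\S+)$")
ENCTYPES = re.compile(r"^Kerberos: Client supported enctypes: (.+), using (\S+)/(\S+)$")
TGS_REQ = re.compile(r"^Kerberos: TGS-REQ (\S+) from (\S+) for (\S+)( \[canonicalize\])?$")
NOT_FOUND = re.compile(r"^Kerberos: Server not found in database: (\S+): no such entry found in hdb$")
TGS_FAIL = re.compile(r"^Kerberos: Failed building TGS-REP to (\S+)$")

# Enctypes a practitioner would not want selected when AES was on offer.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "des3-cbc-sha1", "des3-cbc-md5"}


def parse_kdc_log(text):
    """Single pass over the log; correlate each request with its outcome."""
    clients = defaultdict(lambda: {"as_req": 0, "preauth_ok": False,
                                   "preauth_enctype": None, "offered": [],
                                   "enctype_pair": None})
    services = defaultdict(lambda: {"tgs_req": 0, "canonicalize": 0,
                                    "not_found": 0, "tgs_rep_failed": 0})
    last_client = None   # principal of the most recent AS-REQ
    pending_spn = None   # service named by the most recent TGS-REQ
    for line in text.splitlines():
        if m := AS_REQ.match(line):
            last_client = m.group(1)
            clients[last_client]["as_req"] += 1
        elif m := PREAUTH_OK.match(line):
            clients[m.group(1)]["preauth_ok"] = True
            clients[m.group(1)]["preauth_enctype"] = m.group(2)
        elif (m := ENCTYPES.match(line)) and last_client:
            clients[last_client]["offered"] = [e.strip() for e in m.group(1).split(",")]
            clients[last_client]["enctype_pair"] = (m.group(2), m.group(3))
        elif m := TGS_REQ.match(line):
            pending_spn = m.group(3)
            services[pending_spn]["tgs_req"] += 1
            if m.group(4):
                services[pending_spn]["canonicalize"] += 1
        elif m := NOT_FOUND.match(line):
            services[m.group(1)]["not_found"] += 1
        elif TGS_FAIL.match(line) and pending_spn:
            services[pending_spn]["tgs_rep_failed"] += 1
            pending_spn = None
    return {"clients": dict(clients), "services": dict(services)}


def triage(report):
    """Turn the parsed counters into findings a human would act on."""
    findings = []
    for client, c in sorted(report["clients"].items()):
        if c["preauth_ok"]:
            findings.append(f"{client}: AS exchange OK, ENC-TS preauth with {c['preauth_enctype']}")
        used = set(c["enctype_pair"] or ())
        if any(e.startswith("aes") for e in c["offered"]) and used & WEAK_ENCTYPES:
            findings.append(f"{client}: client offered AES but KDC used "
                            f"{'/'.join(c['enctype_pair'])}; check the key types stored "
                            f"for the account and the KDC's enctype policy")
    for spn, s in sorted(report["services"].items()):
        if s["not_found"]:
            findings.append(f"{spn}: {s['not_found']} of {s['tgs_req']} TGS-REQs failed, "
                            f"principal not in the KDC database "
                            f"({s['canonicalize']} with canonicalize); check that the "
                            f"backend search for this servicePrincipalName returns the host's account")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_kdc_log(SAMPLE_LOG)):
        print(finding)
```

Run against a real log, the interesting output is the last finding: a TGS-REQ that the KDC cannot resolve to an entry while the same account's AS-REQ succeeded points at the SPN lookup (here, through the LDAP backend) rather than at the machine account's key, which is what the thread's "searches we rely on are not working" suggests. The weak-enctype finding is only a prompt to check, since which keys an account holds is not visible in this log.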