[Samba] login via Samba 4 LDAP

steve steve at steve-ss.com
Thu Dec 29 04:52:03 MST 2011


On 29/12/11 11:58, Gémes Géza wrote:
> 2011-12-29 10:11 keltezéssel, steve írta:
>> On 29/12/11 10:00, steve wrote:
>>> On 28/12/11 21:59, Bernd Markgraf wrote:
>>>>> You should create a user in AD for nss-ldap and extract a keytab for it
>>>>> (samba-tool domain exportkeytab --principal=....) and configure nss-ldap
>>>>> to use that keytab for authenticating. Most probably you aren't allowed
>>>>> to bind anonymously to your AD server (you can try with ldapsearch -x)
>>>> LDAP works with an anonymous bind. You need the Kerberos keytab for
>>>> authentication though.
>>>>
>>> steve@hh3:~> ldapsearch -x
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <DC=hh3,DC=site> (default) with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 1 Operations error
>>> text: 00002020: Operation unavailable without authentication
>>>
>>> # numResponses: 1
>>>
>>>
>>>
>>> I found this usage:
>>>
>>> samba-tool export keytab PATH_TO_KEYTAB
>>>
>>> How can I find my PATH_TO_KEYTAB?
>>> Thanks
>> Can't get the syntax right:
>>
>>   samba-tool domain exportkeytab  /var/lib/named/master --principal
>>
>> Usage: samba-tool domain exportkeytab <keytab> [options]
>>
>> samba-tool domain exportkeytab: error: --principal option requires an
>> argument
>>
> samba-tool domain exportkeytab /path/to/the/keytab/file/you/want/to/create/or/update --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
>
> Regards
>
> Geza
OK
Got as far as this:

samba-tool domain exportkeytab /your/key.tab --principal=SERVICE/host@realm

so I used:

samba-tool domain exportkeytab /etc/krb5.keytab --principal=DNS/HH3.SITE

But that's not the SERVICE I need I don't think.

Thanks
Steve
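
Added example, not part of the original thread: a shell helper that reads the `ldapsearch` result trailer quoted above and reports whether the bind was accepted, plus a check that repeats the search with a ticket obtained from an exported keytab. The function names, the labels they print and the arguments passed to `check_with_keytab` are assumptions made for this example.

```shell
#!/bin/sh
# Classify the result trailer of `ldapsearch` output read on stdin.
# Prints: ok | auth-required | error:<code> | no-result
classify_ldapsearch() {
    awk '
        /^result: / { code = $2; seen = 1 }
        /^text: /   { text = substr($0, 7) }
        END {
            if (!seen)     { print "no-result"; exit }
            if (code == 0) { print "ok"; exit }
            if (code == 1 && text ~ /without authentication/) {
                print "auth-required"; exit
            }
            print "error:" code
        }'
}

# Repeat the search with a Kerberos ticket taken from a keytab, e.g. one
# written by: samba-tool domain exportkeytab KEYTAB --principal=PRINCIPAL
# usage: check_with_keytab KEYTAB PRINCIPAL LDAP_URI BASE_DN
check_with_keytab() {
    cc=$(mktemp) || return 1          # private credential cache
    if KRB5CCNAME="FILE:$cc" kinit -k -t "$1" "$2"; then
        KRB5CCNAME="FILE:$cc" ldapsearch -Q -Y GSSAPI -H "$3" -b "$4" -s base \
            | classify_ldapsearch
    else
        echo "kinit-failed"
    fi
    rm -f "$cc"
}

# Sample input: the trailer of the anonymous `ldapsearch -x` run quoted
# in the thread, embedded here so the script runs offline.
classify_ldapsearch <<'EOF'
# search result
search: 2
result: 1 Operations error
text: 00002020: Operation unavailable without authentication

# numResponses: 1
EOF
```

An `auth-required` result from `ldapsearch -x` followed by `ok` from `check_with_keytab` shows that the exported keytab holds a principal the directory accepts for binding.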