[Samba] login via Samba 4 LDAP

steve steve at steve-ss.com
Fri Dec 30 01:38:55 MST 2011


On 29/12/11 19:14, Gémes Géza wrote:
> 2011-12-29 12:56 keltezéssel, steve írta:
>> On 29/12/11 11:58, Gémes Géza wrote:
>>> 2011-12-29 10:11 keltezéssel, steve írta:
>>>> On 29/12/11 10:00, steve wrote:
>>>>> On 28/12/11 21:59, Bernd Markgraf wrote:
>>>>>>> You should create a user in AD for nss-ldap and extract a keytab
>>>>>>> for it
>>>>>>> (samba-tool domain exportkeytab --principal=....) and configure
>>>>>>> nss-ldap
>>>>>>> to use that keytab for authenticating. Most probably you aren't
>>>>>>> allowed
>>>>>>> to bind anonymously to your AD server (you can try with
>>>>>>> ldapsearch -x)
>>>>>> LDAP works with an anonymous bind. You need the Kerberos keytab for
>>>>>> authentication though.
>>>>>>
>>>>> steve@hh3:~>   ldapsearch -x
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base<DC=hh3,DC=site>   (default) with scope subtree
>>>>> # filter: (objectclass=*)
>>>>> # requesting: ALL
>>>>> #
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 1 Operations error
>>>>> text: 00002020: Operation unavailable without authentication
>>>>>
>>>>> # numResponses: 1
>>>>>
>>>>>
>>>>>
>>>>> I found this usage:
>>>>>
>>>>> samba-tool export keytab PATH_TO_KEYTAB
>>>>>
>>>>> How can I find my PATH_TO_KEYTAB?
>>>>> Thanks
>>>> Can't get the syntax right:
>>>>
>>>>    samba-tool domain exportkeytab  /var/lib/named/master --principal
>>>>
>>>> Usage: samba-tool domain exportkeytab<keytab>   [options]
>>>>
>>>> samba-tool domain exportkeytab: error: --principal option requires an
>>>> argument
>>>>
>>> samba-tool domain exportkeytab
>>> /path/to/the/keytab/file/you/want/to/create/or/update
>>> --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
>>>
>>>
>>> Regards
>>>
>>> Geza
>> Tried:
>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
>>
>> restarted samba but:
>>
>> su steve4
>> su: user steve4 does not exist
>>
>> Am I getting close or should I give up now?!
>>
>> Steve
>>
>>
>>
> You still need to configure nss-ldap to do a kerberized bind.
> I've found example configurations for nslcd (the daemon part of
> nss-ldapd a fork of nss-ldap) at:
> http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
> http://ubuntuforums.org/archive/index.php/t-1335022.html
>
> Regards
>
> Geza
Phew. That's a biggie.

I have nslcd installed. I've looked at the links and it seems as though 
I need this in /etc/nslcd.conf

uri ldap://127.0.0.1/
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /dont/know

It's the krb5_ccname I can't get.

I have:
  klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: steve4@HH3.SITE

Valid starting     Expires            Service principal
12/30/11 09:27:15  12/30/11 19:27:15  krbtgt/HH3.SITE@HH3.SITE
     renew until 12/31/11 09:27:12

The link you gave suggests:

krb5_ccname /var/run/nslcd/nslcd.tkt

But doesn't say where that came from.

Any ideas?

Saludos
Steve
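As an added example (not from the thread or from the nss-pam-ldapd project), a small pre-flight checker for the nslcd.conf fragment above: it parses the option lines, derives the realm that the base DN implies and compares it with sasl_realm, and verifies that krb5_ccname names an existing ticket cache that only its owner can read, since nslcd's cache holds a service credential and must not be world-readable. It assumes a plain FILE ccache populated from the keytab exported with samba-tool (for instance MIT `kinit -k -t <keytab> -c /var/run/nslcd/nslcd.tkt`); the file paths and the helper names are assumptions, and make_fake_ccache only stands in for the real cache so the checks can be exercised.

```python
import os
import stat
import tempfile

# Constructed sample: the /etc/nslcd.conf fragment from the message above, placeholder ccache included.
DRAFT_CONF = """uri ldap://127.0.0.1/
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /dont/know
"""

def parse_nslcd_conf(text):
    """Return {option: value} for the 'option value' lines, skipping blank lines and # comments."""
    words = (l.split(None, 1) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return {w[0].lower(): (w[1].strip() if len(w) > 1 else "") for w in words}

def realm_from_base(base):
    """dc=hh3,dc=site -> HH3.SITE: an AD realm is the DNS domain name in upper case."""
    labels = [p.split("=", 1)[1] for p in base.split(",") if p.strip().lower().startswith("dc=")]
    return ".".join(labels).upper()

def check_config_text(text):
    """Return a list of problems; an empty list means the kerberized bind is configured consistently."""
    conf = parse_nslcd_conf(text)
    problems = []
    if conf.get("sasl_mech", "").upper() != "GSSAPI":
        problems.append("sasl_mech must be GSSAPI for a kerberized bind")
    realm, base = conf.get("sasl_realm", ""), conf.get("base", "")
    if not realm or (base and realm.upper() != realm_from_base(base)):
        problems.append(f"sasl_realm {realm!r} should be the realm derived from base: {realm_from_base(base)}")
    ccname = conf.get("krb5_ccname", "")
    path = ccname[5:] if ccname.upper().startswith("FILE:") else ccname  # the FILE: prefix is optional
    if not path.startswith("/"):
        problems.append("krb5_ccname must be an absolute path to nslcd's own ticket cache")
    elif not os.path.isfile(path):
        problems.append(f"ticket cache {path} does not exist; populate it from the keytab with kinit -c {path}")
    elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append(f"ticket cache {path} is readable by others; it should be mode 0600")
    return problems

def make_fake_ccache(mode=0o600):
    """Empty temp file standing in for /var/run/nslcd/nslcd.tkt, used to exercise the file checks."""
    with tempfile.NamedTemporaryFile(prefix="nslcd.tkt.", delete=False) as f:
        path = f.name
    os.chmod(path, mode)
    return path
```

Run check_config_text(open("/etc/nslcd.conf").read()) as root before starting nslcd; the draft above fails only on the ticket cache, which is exactly the missing piece.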