[Samba] login via Samba 4 LDAP
steve
steve at steve-ss.com
Fri Dec 30 01:38:55 MST 2011
On 29/12/11 19:14, Gémes Géza wrote:
> On 2011-12-29 12:56, steve wrote:
>> On 29/12/11 11:58, Gémes Géza wrote:
>>> On 2011-12-29 10:11, steve wrote:
>>>> On 29/12/11 10:00, steve wrote:
>>>>> On 28/12/11 21:59, Bernd Markgraf wrote:
>>>>>>> You should create a user in AD for nss-ldap and extract a keytab
>>>>>>> for it
>>>>>>> (samba-tool domain exportkeytab --principal=....) and configure
>>>>>>> nss-ldap
>>>>>>> to use that keytab for authenticating. Most probably you aren't
>>>>>>> allowed
>>>>>>> to bind anonymously to your AD server (you can try with
>>>>>>> ldapsearch -x)
>>>>>> LDAP works with an anonymous bind. You need the Kerberos keytab for
>>>>>> authentication though.
>>>>>>
>>>>> steve at hh3:~> ldapsearch -x
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base<DC=hh3,DC=site> (default) with scope subtree
>>>>> # filter: (objectclass=*)
>>>>> # requesting: ALL
>>>>> #
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 1 Operations error
>>>>> text: 00002020: Operation unavailable without authentication
>>>>>
>>>>> # numResponses: 1
>>>>>
>>>>>
>>>>>
>>>>> I found this usage:
>>>>>
>>>>> samba-tool export keytab PATH_TO_KEYTAB
>>>>>
>>>>> How can I find my PATH_TO_KEYTAB?
>>>>> Thanks
>>>> Can't get the syntax right:
>>>>
>>>> samba-tool domain exportkeytab /var/lib/named/master --principal
>>>>
>>>> Usage: samba-tool domain exportkeytab<keytab> [options]
>>>>
>>>> samba-tool domain exportkeytab: error: --principal option requires an
>>>> argument
>>>>
>>> samba-tool domain exportkeytab
>>> /path/to/the/keytab/file/you/want/to/create/or/update
>>> --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
>>>
>>>
>>> Regards
>>>
>>> Geza
>> Tried:
>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
>>
>> restarted samba but:
>>
>> su steve4
>> su: user steve4 does not exist
>>
>> Am I getting close or should I give up now?!
>>
>> Steve
>>
>>
>>
> You still need to configure nss-ldap to do a kerberized bind.
> I've found example configurations for nslcd (the daemon part of
> nss-ldapd a fork of nss-ldap) at:
> http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
> http://ubuntuforums.org/archive/index.php/t-1335022.html
>
> Regards
>
> Geza
Phew. That's a biggie.

I have nslcd installed. I've looked at the links and it seems as though
I need this in /etc/nslcd.conf:

uri ldap://127.0.0.1/
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /dont/know

It's the krb5_ccname I can't get.
I have:

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: steve4 at HH3.SITE
Valid starting Expires Service principal
12/30/11 09:27:15 12/30/11 19:27:15 krbtgt/HH3.SITE at HH3.SITE
renew until 12/31/11 09:27:12

The link you gave suggests:

krb5_ccname /var/run/nslcd/nslcd.tkt

But it doesn't say where that came from.
Any ideas?

Regards
Steve
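An added example (editor's, not from this thread or the nslcd project) of how the credentials cache named by krb5_ccname gets populated: a TGT is obtained from the exported keytab into the file nslcd reads, with no password involved, so the keytab itself is the secret and must stay root-only. It assumes MIT-style kinit/klist, that nslcd runs as the user "nslcd", and reuses the keytab path, principal, realm and base DN that appear in the thread.

```shell
#!/bin/sh
# Keytab and principal as exported earlier in the thread:
#   samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
KEYTAB=/etc/krb5.keytab
PRINCIPAL=steve4@HH3.SITE
# Cache path taken from the linked nslcd configuration (assumed directory exists).
CCACHE=/var/run/nslcd/nslcd.tkt
NSLCD_USER=nslcd   # assumption: the account nslcd drops privileges to

# The nslcd.conf fragment; every value but the cache path comes from the thread.
nslcd_conf_fragment() {
    cat <<EOF
uri ldap://127.0.0.1/
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname $CCACHE
EOF
}

# Cheap offline check: the principal must actually be in the keytab,
# otherwise kinit -k can only fail.
keytab_has_principal() {
    klist -k "$1" 2>/dev/null | grep -q "$2"
}

# Obtain (or renew) the TGT from the keytab straight into nslcd's cache.
# The cache must be readable only by the nslcd user: anyone who can read it
# can act as the directory-lookup principal until the ticket expires.
refresh_nslcd_ticket() {
    keytab_has_principal "$KEYTAB" "$PRINCIPAL" || return 1
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL" || return 1
    chown "$NSLCD_USER" "$CCACHE" && chmod 600 "$CCACHE"
}

# Tickets expire (the klist above shows a 10-hour lifetime), so run
# refresh_nslcd_ticket from cron well inside that window, or hand the same
# job to k5start: k5start -b -f "$KEYTAB" -U -K 60 -k "$CCACHE" -o "$NSLCD_USER"
```

After the cache is in place, restart nslcd and check the lookup with `getent passwd steve4` rather than `su`, which only tells you the whole chain failed.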