[Samba] login via Samba 4 LDAP

steve steve at steve-ss.com
Fri Dec 30 05:09:09 MST 2011


On 30/12/11 09:38, steve wrote:
> On 29/12/11 19:14, Gémes Géza wrote:
>> On 2011-12-29 12:56, steve wrote:
>>> On 29/12/11 11:58, Gémes Géza wrote:
>>>> On 2011-12-29 10:11, steve wrote:
>>>>> On 29/12/11 10:00, steve wrote:
>>>>>> On 28/12/11 21:59, Bernd Markgraf wrote:
>>>>>>>> You should create a user in AD for nss-ldap and extract a keytab
>>>>>>>> for it
>>>>>>>> (samba-tool domain exportkeytab --principal=....) and configure
>>>>>>>> nss-ldap
>>>>>>>> to use that keytab for authenticating. Most probably you aren't
>>>>>>>> allowed
>>>>>>>> to bind anonymously to your AD server (you can try with
>>>>>>>> ldapsearch -x)
>>>>>>> LDAP works with an anonymous bind. You need the Kerberos keytab for
>>>>>>> authentication though.
>>>>>>>
>>>>>> steve at hh3:~>   ldapsearch -x
>>>>>> # extended LDIF
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base<DC=hh3,DC=site>   (default) with scope subtree
>>>>>> # filter: (objectclass=*)
>>>>>> # requesting: ALL
>>>>>> #
>>>>>>
>>>>>> # search result
>>>>>> search: 2
>>>>>> result: 1 Operations error
>>>>>> text: 00002020: Operation unavailable without authentication
>>>>>>
>>>>>> # numResponses: 1
>>>>>>
>>>>>>
>>>>>>
>>>>>> I found this usage:
>>>>>>
>>>>>> samba-tool export keytab PATH_TO_KEYTAB
>>>>>>
>>>>>> How can I find my PATH_TO_KEYTAB
>>>>>> ?
>>>>>> Thanks
>>>>> Can't get the syntax right:
>>>>>
>>>>>    samba-tool domain exportkeytab  /var/lib/named/master --principal
>>>>>
>>>>> Usage: samba-tool domain exportkeytab<keytab>   [options]
>>>>>
>>>>> samba-tool domain exportkeytab: error: --principal option requires an
>>>>> argument
>>>>>
>>>> samba-tool domain exportkeytab
>>>> /path/to/the/keytab/file/you/want/to/create/or/update
>>>> --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract 
>>>>
>>>>
>>>>
>>>> Regards
>>>>
>>>> Geza
>>> Tried:
>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
>>>
>>> restarted samba but:
>>>
>>> su steve4
>>> su: user steve4 does not exist
>>>
>>> Am I getting close or should I give up now?!
>>>
>>> Steve
>>>
>>>
>>>
>> You still need to configure nss-ldap to do a kerberized bind.
>> I've found example configurations for nslcd (the daemon part of
>> nss-ldapd a fork of nss-ldap) at:
>> http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
>> http://ubuntuforums.org/archive/index.php/t-1335022.html
>>
>> Regards
>>
>> Geza
> phew. That's a biggie.
>
> I have nslcd installed. I've looked at the links and it seems as 
> though I need this in /etc/nslcd.conf
>
> uri ldap://127.0.0.1/
> base dc=hh3,dc=site
> sasl_mech GSSAPI
> sasl_realm HH3.SITE
> krb5_ccname /dont/know
>
> It's the krb5_ccname I can't get.
>
> I have:
>  klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: steve4 at HH3.SITE
>
> Valid starting     Expires            Service principal
> 12/30/11 09:27:15  12/30/11 19:27:15  krbtgt/HH3.SITE at HH3.SITE
>     renew until 12/31/11 09:27:12
>
> The link you gave suggests:
>
> krb5_ccname /var/run/nslcd/nslcd.tkt
>
> But doesn't say where that came from.
>
> Any ideas?
>
> Saludos
> Steve
>
>
>
>
>
Well, using nslcd, I have finally got through to the Samba 4 LDAP (

getent passwd works and steve4 can finally log in

The next bit is this:

getent passwd does not show the home directory:
steve4:x:3000019:100:steve4::/bin/bash

even though I can see it in the ldap ldif

steve4 gets logged into / but changing to /home/CACTUS/steve4 allows him 
to create and edit files correctly and with the correct permissions.

Any ideas?
Thanks
Steve.
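As an added illustration, not from the thread and not the nslcd or Samba projects' own configuration, here is what a complete /etc/nslcd.conf for the setup discussed above can look like. The uri, base DN and realm are taken from the messages; the uid/gid values and the ticket-cache path are assumptions. The `map` line is there because Samba 4 AD stores the RFC2307 home directory in the unixHomeDirectory attribute while nslcd's default passwd map reads homeDirectory, which is consistent with the shell being shown (loginShell has the same name in both) but the home field coming back empty.

```conf
# /etc/nslcd.conf (added example, not from the thread)

# User and group nslcd drops privileges to (assumed; adjust to your distro)
uid nslcd
gid nslcd

# Samba 4 AD DC on this host; base DN and realm as in the thread
uri ldap://127.0.0.1/
base dc=hh3,dc=site

# Kerberized bind: nslcd authenticates with the ticket in this credential
# cache. nslcd does not obtain tickets itself, so a separate process must
# keep this cache populated (and renewed) from the exported keytab before
# nslcd starts. The cache path is an assumption.
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /var/run/nslcd/nslcd.tkt

# Samba 4 AD keeps the POSIX home directory in unixHomeDirectory; nslcd
# looks for homeDirectory by default, which leaves the field empty in
# getent passwd output unless it is mapped.
map passwd homeDirectory unixHomeDirectory
```

After restarting nslcd, `getent passwd steve4` should show the value stored in the account's unixHomeDirectory attribute in the sixth field instead of an empty one. The keytab used to fill the credential cache is a long-lived credential for the bind account, so it should be readable only by the user nslcd runs as, not world-readable like /etc/krb5.keytab often ends up after an export.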