[Samba] login via Samba 4 LDAP

steve steve at steve-ss.com
Fri Dec 30 05:21:49 MST 2011


On 30/12/11 13:09, steve wrote:
> On 30/12/11 09:38, steve wrote:
>> On 29/12/11 19:14, Gémes Géza wrote:
>>> 2011-12-29 12:56 keltezéssel, steve írta:
>>>> On 29/12/11 11:58, Gémes Géza wrote:
>>>>> 2011-12-29 10:11 keltezéssel, steve írta:
>>>>>> On 29/12/11 10:00, steve wrote:
>>>>>>> On 28/12/11 21:59, Bernd Markgraf wrote:
>>>>>>>>> You should create a user in AD for nss-ldap and extract a keytab for it
>>>>>>>>> (samba-tool domain exportkeytab --principal=....) and configure nss-ldap
>>>>>>>>> to use that keytab for authenticating. Most probably you aren't allowed
>>>>>>>>> to bind anonymously to your AD server (you can try with ldapsearch -x)
>>>>>>>> LDAP works with an anonymous bind. You need the Kerberos keytab for
>>>>>>>> authentication though.
>>>>>>>>
>>>>>>> steve@hh3:~> ldapsearch -x
>>>>>>> # extended LDIF
>>>>>>> #
>>>>>>> # LDAPv3
>>>>>>> # base<DC=hh3,DC=site>   (default) with scope subtree
>>>>>>> # filter: (objectclass=*)
>>>>>>> # requesting: ALL
>>>>>>> #
>>>>>>>
>>>>>>> # search result
>>>>>>> search: 2
>>>>>>> result: 1 Operations error
>>>>>>> text: 00002020: Operation unavailable without authentication
>>>>>>>
>>>>>>> # numResponses: 1
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I found this usage:
>>>>>>>
>>>>>>> samba-tool export keytab PATH_TO_KEYTAB
>>>>>>>
>>>>>>> How can I find my PATH_TO_KEYTAB?
>>>>>>> Thanks
>>>>>> Can't get the syntax right:
>>>>>>
>>>>>>    samba-tool domain exportkeytab  /var/lib/named/master --principal
>>>>>>
>>>>>> Usage: samba-tool domain exportkeytab<keytab>   [options]
>>>>>>
>>>>>> samba-tool domain exportkeytab: error: --principal option requires an
>>>>>> argument
>>>>>>
>>>>> samba-tool domain exportkeytab
>>>>> /path/to/the/keytab/file/you/want/to/create/or/update
>>>>> --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract 
>>>>>
>>>>>
>>>>>
>>>>> Regards
>>>>>
>>>>> Geza
>>>> Tried:
>>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
>>>>
>>>> restarted samba but:
>>>>
>>>> su steve4
>>>> su: user steve4 does not exist
>>>>
>>>> Am I getting close or should I give up now?!
>>>>
>>>> Steve
>>>>
>>>>
>>>>
>>> You still need to configure nss-ldap to do a kerberized bind.
>>> I've found example configurations for nslcd (the daemon part of
>>> nss-ldapd a fork of nss-ldap) at:
>>> http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
>>> http://ubuntuforums.org/archive/index.php/t-1335022.html
>>>
>>> Regards
>>>
>>> Geza
>> phew. That's a biggie.
>>
>> I have nslcd installed. I've looked at the links and it seems as 
>> though I need this in /etc/nslcd.conf
>>
>> uri ldap://127.0.0.1/
>> base dc=hh3,dc=site
>> sasl_mech GSSAPI
>> sasl_realm HH3.SITE
>> krb5_ccname /dont/know
>>
>> It's the krb5_ccname I can't get.
>>
>> I have:
>>
>> klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: steve4@HH3.SITE
>>
>> Valid starting     Expires            Service principal
>> 12/30/11 09:27:15  12/30/11 19:27:15  krbtgt/HH3.SITE@HH3.SITE
>>     renew until 12/31/11 09:27:12
>>
>> The link you gave suggests:
>>
>> krb5_ccname /var/run/nslcd/nslcd.tkt
>>
>> But doesn't say where that came from.
>>
>> Any ideas?
>>
>> Regards
>> Steve
>>
>>
>>
>>
>>
> Well, using nslcd, I have finally got through to the Samba 4 LDAP (
>
> getent passwd works and steve4 can finally login
>
> The next bit is this:
>
> getent passwd does not show the home directory:
> steve4:x:3000019:100:steve4::/bin/bash
>
> even though I can see it in the ldap ldif
>
> steve4 gets logged into / but changing to /home/CACTUS/steve4 allows 
> him to create and edit files correctly and with the correct permissions.
>
> Any ideas?
> Thanks
> Steve.
>
Found it:

map    passwd homeDirectory    unixHomeDirectory

so /etc/nslcd.conf looks like this:

uri ldap://127.0.0.1/
base dc=hh3,dc=site
map    passwd homeDirectory    unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

Cheers,
Steve
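As an added example (not code from the thread or from nss-pam-ldapd), the checker below parses the flat nslcd.conf format built up above and flags the two things this thread tripped over: a missing `map passwd homeDirectory unixHomeDirectory` line, which is why `getent passwd` showed an empty home field, and a `krb5_ccname` that reuses a user's ticket cache under /tmp, which the `klist` output above shows expiring the same day. The sample configuration is the final one posted in the thread; the check names and messages are this example's own.

```python
# Constructed sample: the final nslcd.conf posted in the thread.
SAMPLE_CONF = """\
uri ldap://127.0.0.1/
base dc=hh3,dc=site
map    passwd homeDirectory    unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
"""


def parse_nslcd_conf(text):
    """Return (settings, maps).  settings: option -> value;
    maps: (map name, attribute) -> replacement attribute."""
    settings, maps = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] == "map" and len(parts) == 4:
            # e.g. "map passwd homeDirectory unixHomeDirectory"
            maps[(parts[1], parts[2])] = parts[3]
        elif len(parts) >= 2:
            settings[parts[0]] = line.split(None, 1)[1]
    return settings, maps


def check_nslcd_conf(text):
    """Return a list of findings; an empty list means nothing to report."""
    settings, maps = parse_nslcd_conf(text)
    findings = []
    for key in ("uri", "base"):
        if key not in settings:
            findings.append(f"missing required '{key}' setting")
    if settings.get("sasl_mech") == "GSSAPI":
        for key in ("sasl_realm", "krb5_ccname"):
            if key not in settings:
                findings.append(f"GSSAPI bind configured but '{key}' is not set")
        cache = settings.get("krb5_ccname", "")
        cache = cache[5:] if cache.startswith("FILE:") else cache
        if cache.startswith("/tmp/krb5cc_"):
            findings.append("krb5_ccname is a per-user ticket cache under /tmp; "
                            "lookups stop when that ticket expires (see klist)")
    if ("passwd", "homeDirectory") not in maps:
        findings.append("no 'map passwd homeDirectory ...' line; getent passwd "
                        "shows an empty home field for AD users")
    return findings
```

Running `check_nslcd_conf(SAMPLE_CONF)` on the thread's final file reports only the /tmp ticket-cache finding; dropping the `map` line reproduces the empty-home-directory finding as well.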
