[Samba] login via Samba 4 LDAP

Gémes Géza geza at kzsdabas.hu
Sat Dec 31 04:48:28 MST 2011


On 2011-12-30 13:21, steve wrote:
> On 30/12/11 13:09, steve wrote:
>> On 30/12/11 09:38, steve wrote:
>>> On 29/12/11 19:14, Gémes Géza wrote:
>>>> On 2011-12-29 12:56, steve wrote:
>>>>> On 29/12/11 11:58, Gémes Géza wrote:
>>>>>> On 2011-12-29 10:11, steve wrote:
>>>>>>> On 29/12/11 10:00, steve wrote:
>>>>>>>> On 28/12/11 21:59, Bernd Markgraf wrote:
>>>>>>>>>> You should create a user in AD for nss-ldap and extract a keytab
>>>>>>>>>> for it
>>>>>>>>>> (samba-tool domain exportkeytab --principal=....) and configure
>>>>>>>>>> nss-ldap
>>>>>>>>>> to use that keytab for authenticating. Most probably you aren't
>>>>>>>>>> allowed
>>>>>>>>>> to bind anonymously to your AD server (you can try with
>>>>>>>>>> ldapsearch -x)
>>>>>>>>> LDAP works with an anonymous bind. You need the Kerberos
>>>>>>>>> keytab for
>>>>>>>>> authentication though.
>>>>>>>>>
>>>>>>>> steve at hh3:~>   ldapsearch -x
>>>>>>>> # extended LDIF
>>>>>>>> #
>>>>>>>> # LDAPv3
>>>>>>>> # base<DC=hh3,DC=site>   (default) with scope subtree
>>>>>>>> # filter: (objectclass=*)
>>>>>>>> # requesting: ALL
>>>>>>>> #
>>>>>>>>
>>>>>>>> # search result
>>>>>>>> search: 2
>>>>>>>> result: 1 Operations error
>>>>>>>> text: 00002020: Operation unavailable without authentication
>>>>>>>>
>>>>>>>> # numResponses: 1
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I found this usage:
>>>>>>>>
>>>>>>>> samba-tool export keytab PATH_TO_KEYTAB
>>>>>>>>
>>>>>>>> How can I find my PATH_TO_KEYTAB?
>>>>>>>> Thanks
>>>>>>> Can't get the syntax right:
>>>>>>>
>>>>>>>    samba-tool domain exportkeytab  /var/lib/named/master
>>>>>>> --principal
>>>>>>>
>>>>>>> Usage: samba-tool domain exportkeytab<keytab>   [options]
>>>>>>>
>>>>>>> samba-tool domain exportkeytab: error: --principal option
>>>>>>> requires an
>>>>>>> argument
>>>>>>>
>>>>>> samba-tool domain exportkeytab
>>>>>> /path/to/the/keytab/file/you/want/to/create/or/update
>>>>>> --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Geza
>>>>> Tried:
>>>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
>>>>>
>>>>> restarted samba but:
>>>>>
>>>>> su steve4
>>>>> su: user steve4 does not exist
>>>>>
>>>>> Am I getting close or should I give up now?!
>>>>>
>>>>> Steve
>>>>>
>>>>>
>>>>>
>>>> You still need to configure nss-ldap to do a kerberized bind.
>>>> I've found example configurations for nslcd (the daemon part of
>>>> nss-ldapd a fork of nss-ldap) at:
>>>> http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
>>>> http://ubuntuforums.org/archive/index.php/t-1335022.html
>>>>
>>>> Regards
>>>>
>>>> Geza
>>> phew. That's a biggie.
>>>
>>> I have nslcd installed. I've looked at the links and it seems as
>>> though I need this in /etc/nslcd.conf
>>>
>>> uri ldap://127.0.0.1/
>>> base dc=hh3,dc=site
>>> sasl_mech GSSAPI
>>> sasl_realm HH3.SITE
>>> krb5_ccname /dont/know
>>>
>>> It's the krb5_ccname I can't get.
>>>
>>> I have:
>>>  klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: steve4 at HH3.SITE
>>>
>>> Valid starting     Expires            Service principal
>>> 12/30/11 09:27:15  12/30/11 19:27:15  krbtgt/HH3.SITE at HH3.SITE
>>>     renew until 12/31/11 09:27:12
>>>
>>> The link you gave suggests:
>>>
>>> krb5_ccname /var/run/nslcd/nslcd.tkt
>>>
>>> But doesn't say where that came from.
>>>
>>> Any ideas?
>>>
>>> Saludos
>>> Steve
>>>
>>>
>>>
>>>
>>>
>> Well, using nslcd, I have finally got through to the Samba 4 LDAP (
>>
>> getent passwd works and steve4 can finally login
>>
>> The next bit is this:
>>
>> getent passwd does not show the home directory:
>> steve4:x:3000019:100:steve4::/bin/bash
>>
>> even though I can see it in the ldap ldif
>>
>> steve4 gets logged into / but changing to /home/CACTUS/steve4 allows
>> him to create and edit files correctly and with the correct permissions.
>>
>> Any ideas?
>> Thanks
>> Steve.
>>
> Found it:
>
> map    passwd homeDirectory    unixHomeDirectory
>
> so /etc/nslcd.conf looks like this:
>
> uri ldap://127.0.0.1/
> base dc=hh3,dc=site
> map    passwd homeDirectory    unixHomeDirectory
> sasl_mech GSSAPI
> sasl_realm HH3.SITE
> krb5_ccname /tmp/krb5cc_0
>
> Cheers,
> Steve
>
Hi,

I'm glad it works now.
Sorry for the late answer; yesterday my ISPs (I have two, just to be sure)
both decided at the same time to redo the routing of their networks ==>
I was off-line for most of the day :-(.

Happy New Year!

Regards

Geza
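As an added example (not from the thread or from Samba/nslcd), a small Python check over the final nslcd.conf quoted above that flags the pitfalls the thread ran into: a bind that is not GSSAPI (Samba 4 AD answers 00002020 to unauthenticated searches), a krb5_ccname pointing at an interactive user's cache under /tmp, which expires with that user's TGT, and a missing homeDirectory mapping. The sample config is Steve's final one reproduced inline; the /var/run/nslcd/nslcd.tkt path is taken from the linked nslcd examples.

```python
"""Lint an nslcd.conf for the Samba 4 / GSSAPI pitfalls discussed in the thread."""

# Steve's final /etc/nslcd.conf from the thread, embedded as sample input.
SAMPLE_CONF = """\
uri ldap://127.0.0.1/
base dc=hh3,dc=site
map    passwd homeDirectory    unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
"""

def parse_nslcd_conf(text):
    """Return {keyword: [values...]}; 'map' lines are kept as (db, attr, ldapattr) tuples."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, *rest = line.split()
        if key == "map":
            conf.setdefault("map", []).append(tuple(rest))
        else:
            conf.setdefault(key, []).append(" ".join(rest))
    return conf

def check_nslcd_conf(text):
    """Return a list of findings; an empty list means none of the known pitfalls is present."""
    conf = parse_nslcd_conf(text)
    findings = []
    if conf.get("sasl_mech", [""])[0].upper() != "GSSAPI":
        findings.append("sasl_mech is not GSSAPI: Samba 4 AD refuses unauthenticated searches "
                        "(00002020 Operation unavailable without authentication)")
    ccname = conf.get("krb5_ccname", [""])[0]
    path = ccname.split(":", 1)[1] if ccname.startswith("FILE:") else ccname  # strip FILE: prefix
    if not path:
        findings.append("krb5_ccname missing: nslcd has no ticket cache for the GSSAPI bind")
    elif path.startswith("/tmp/krb5cc_"):
        findings.append(f"krb5_ccname {path} is an interactive user's cache: it expires with that "
                        "user's TGT and must be readable by the account nslcd runs as; use a "
                        "dedicated keytab-refreshed cache (e.g. /var/run/nslcd/nslcd.tkt)")
    if ("passwd", "homeDirectory", "unixHomeDirectory") not in conf.get("map", []):
        findings.append("no 'map passwd homeDirectory unixHomeDirectory': getent passwd will "
                        "show an empty home directory for AD users")
    return findings

if __name__ == "__main__":
    for finding in check_nslcd_conf(SAMPLE_CONF):
        print("WARNING:", finding)
```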

