[Samba] login via Samba 4 LDAP

steve steve at steve-ss.com
Sat Dec 31 08:14:39 MST 2011


On 31/12/11 12:48, Gémes Géza wrote:
> On 2011-12-30 13:21, steve wrote:
>> On 30/12/11 13:09, steve wrote:
>>> On 30/12/11 09:38, steve wrote:
>>>> On 29/12/11 19:14, Gémes Géza wrote:
>>>>> On 2011-12-29 12:56, steve wrote:
>>>>>> On 29/12/11 11:58, Gémes Géza wrote:
>>>>>>> On 2011-12-29 10:11, steve wrote:
>>>>>>>> On 29/12/11 10:00, steve wrote:
>>>>>>>>> On 28/12/11 21:59, Bernd Markgraf wrote:
>>>>>>>>>>> You should create a user in AD for nss-ldap and extract a keytab
>>>>>>>>>>> for it
>>>>>>>>>>> (samba-tool domain exportkeytab --principal=....) and configure
>>>>>>>>>>> nss-ldap
>>>>>>>>>>> to use that keytab for authenticating. Most probably you aren't
>>>>>>>>>>> allowed
>>>>>>>>>>> to bind anonymously to your AD server (you can try with
>>>>>>>>>>> ldapsearch -x)
>>>>>>>>>> LDAP works with an anonymous bind. You need the Kerberos
>>>>>>>>>> keytab for
>>>>>>>>>> authentication though.
>>>>>>>>>>
>>>>>>>>> steve at hh3:~>    ldapsearch -x
>>>>>>>>> # extended LDIF
>>>>>>>>> #
>>>>>>>>> # LDAPv3
>>>>>>>>> # base<DC=hh3,DC=site>    (default) with scope subtree
>>>>>>>>> # filter: (objectclass=*)
>>>>>>>>> # requesting: ALL
>>>>>>>>> #
>>>>>>>>>
>>>>>>>>> # search result
>>>>>>>>> search: 2
>>>>>>>>> result: 1 Operations error
>>>>>>>>> text: 00002020: Operation unavailable without authentication
>>>>>>>>>
>>>>>>>>> # numResponses: 1
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I found this usage:
>>>>>>>>>
>>>>>>>>> samba-tool export keytab PATH_TO_KEYTAB
>>>>>>>>>
>>>>>>>>> How can I find my PATH_TO_KEYTAB
>>>>>>>>> ?
>>>>>>>>> Thanks
>>>>>>>> Can't get the syntax right:
>>>>>>>>
>>>>>>>>     samba-tool domain exportkeytab  /var/lib/named/master
>>>>>>>> --principal
>>>>>>>>
>>>>>>>> Usage: samba-tool domain exportkeytab<keytab>    [options]
>>>>>>>>
>>>>>>>> samba-tool domain exportkeytab: error: --principal option
>>>>>>>> requires an
>>>>>>>> argument
>>>>>>>>
>>>>>>> samba-tool domain exportkeytab
>>>>>>> /path/to/the/keytab/file/you/want/to/create/or/update
>>>>>>> --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Geza
>>>>>> Tried:
>>>>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
>>>>>>
>>>>>> restarted samba but:
>>>>>>
>>>>>> su steve4
>>>>>> su: user steve4 does not exist
>>>>>>
>>>>>> Am I getting close or should I give up now?!
>>>>>>
>>>>>> Steve
>>>>>>
>>>>>>
>>>>>>
>>>>> You still need to configure nss-ldap to do a kerberized bind.
>>>>> I've found example configurations for nslcd (the daemon part of
>>>>> nss-ldapd a fork of nss-ldap) at:
>>>>> http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
>>>>> http://ubuntuforums.org/archive/index.php/t-1335022.html
>>>>>
>>>>> Regards
>>>>>
>>>>> Geza
>>>> phew. That's a biggie.
>>>>
>>>> I have nslcd installed. I've looked at the links and it seems as
>>>> though I need this in /etc/nslcd.conf
>>>>
>>>> uri ldap://127.0.0.1/
>>>> base dc=hh3,dc=site
>>>> sasl_mech GSSAPI
>>>> sasl_realm HH3.SITE
>>>> krb5_ccname /dont/know
>>>>
>>>> It's the krb5_ccname I can't get.
>>>>
>>>> I have:
>>>>   klist
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: steve4 at HH3.SITE
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 12/30/11 09:27:15  12/30/11 19:27:15  krbtgt/HH3.SITE at HH3.SITE
>>>>      renew until 12/31/11 09:27:12
>>>>
>>>> The link you gave suggests:
>>>>
>>>> krb5_ccname /var/run/nslcd/nslcd.tkt
>>>>
>>>> But doesn't say where that came from.
>>>>
>>>> Any ideas?
>>>>
>>>> Regards
>>>> Steve
>>>>
>>>>
>>>>
>>>>
>>>>
>>> Well, using nslcd, I have finally got through to the Samba 4 LDAP (
>>>
>>> getent passwd works and steve4 can finally login
>>>
>>> The next bit is this:
>>>
>>> getent passwd does not show the home directory:
>>> steve4:x:3000019:100:steve4::/bin/bash
>>>
>>> even though I can see it in the ldap ldif
>>>
>>> steve4 gets logged into / but changing to /home/CACTUS/steve4 allows
>>> him to create and edit files correctly and with the correct permissions.
>>>
>>> Any ideas?
>>> Thanks
>>> Steve.
>>>
>> Found it:
>>
>> map    passwd homeDirectory    unixHomeDirectory
>>
>> so /etc/nslcd.conf looks like this:
>>
>> uri ldap://127.0.0.1/
>> base dc=hh3,dc=site
>> map    passwd homeDirectory    unixHomeDirectory
>> sasl_mech GSSAPI
>> sasl_realm HH3.SITE
>> krb5_ccname /tmp/krb5cc_0
>>
>> Cheers,
>> Steve
>>
> Hi,
>
> I'm glad it works now
> Sorry for the late answer yesterday my ISPs (I have two just to be sure)
> both decided at the same time to redo the routing of their networks ==>
> got off-line for most of the day :-(.
>
> Happy New Year!
>
> Regards
>
> Geza
Hi Geza
Nearly works. Getent passwd works and su user works from root but the 
user can't login unless he's in a root shell. I think this has something 
to do with pam. I had it working fine this morning until I disabled the 
ldap client in opensuse having thought that it would be affecting the 
process. Now no logins apart from in a root shell. I played around with 
some pam libraries a few weeks ago:

Dec 31 16:09:51 hh3 nslcd[7090]: version 0.7.13 starting
Dec 31 16:09:51 hh3 nslcd[7090]: accepting connections
Dec 31 16:09:51 hh3 nslcd[7082]: Starting local LDAP Name Service 
Daemon..done
Dec 31 16:10:04 hh3 su: (to steve2) steve on /dev/pts/0
Dec 31 16:10:14 hh3 login[6755]: FAILED LOGIN SESSION FROM /dev/tty1 FOR 
steve2, Authentication failure
Dec 31 16:10:17 hh3 systemd[1]: getty at tty1.service holdoff time over, 
scheduling restart.
Dec 31 16:10:27 hh3 polkitd(authority=local): nss_ldap: could not search 
LDAP server - Server is unavailable
Dec 31 16:10:27 hh3 polkitd(authority=local): nss_ldap: reconnecting to 
LDAP server (sleeping 4 seconds)...
Dec 31 16:10:31 hh3 polkitd(authority=local): nss_ldap: reconnecting to 
LDAP server (sleeping 8 seconds)...
Dec 31 16:10:39 hh3 polkitd(authority=local): nss_ldap: reconnecting to 
LDAP server (sleeping 16 seconds)...
Dec 31 16:10:55 hh3 polkitd(authority=local): nss_ldap: reconnecting to 
LDAP server (sleeping 32 seconds)...
Dec 31 16:11:20 hh3 su: FAILED SU (to steve5) steve on /dev/pts/0
Dec 31 16:11:27 hh3 polkitd(authority=local): nss_ldap: reconnecting to 
LDAP server (sleeping 64 seconds)...

Am so close on this I feel.
Any ideas where to look?

May the grapes bring us luck!!
Happy 2012
Steve
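
A small shell sanity check, added here as an example and not part of the thread: it reads an nslcd.conf like the one posted above plus a "getent passwd" line, and flags the things this thread tripped over (no GSSAPI, missing homeDirectory map, and a krb5_ccname that points at an interactive /tmp ticket cache, which the klist output shows expiring after ten hours). The /var/run/nslcd/nslcd.tkt path and the note that such a cache has to be refreshed from the keytab are assumptions beyond what the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for the nslcd + Samba 4 AD
# setup discussed above. Assumes the nss-pam-ldapd nslcd.conf keys used in the
# thread (uri, base, sasl_mech, sasl_realm, krb5_ccname, map) and the colon-
# separated line format of "getent passwd".

# Constructed nslcd.conf as posted in the thread: it points nslcd at root's
# interactive ticket cache.
CONF_THREAD='uri ldap://127.0.0.1/
base dc=hh3,dc=site
map    passwd homeDirectory    unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0'

# Constructed variant with a dedicated cache for nslcd (the path the linked
# example used); something still has to refresh that cache from the keytab.
CONF_DEDICATED_CACHE=$(printf '%s\n' "$CONF_THREAD" |
    sed 's#^krb5_ccname .*#krb5_ccname /var/run/nslcd/nslcd.tkt#')

# Read an nslcd.conf on stdin, print one finding per problem, return 1 if any.
check_nslcd_conf() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "sasl_mech"   { mech = $2 }
        $1 == "sasl_realm"  { realm = $2 }
        $1 == "krb5_ccname" { cc = $2 }
        $1 == "map" && $2 == "passwd" && $3 == "homeDirectory" { home_map = $4 }
        END {
            rc = 0
            if (mech != "GSSAPI") { print "sasl_mech is not GSSAPI: AD refuses unauthenticated searches"; rc = 1 }
            if (realm == "") { print "sasl_realm is missing"; rc = 1 }
            if (home_map != "unixHomeDirectory") { print "homeDirectory not mapped to unixHomeDirectory: getent shows an empty home"; rc = 1 }
            if (cc == "") { print "krb5_ccname is missing: nslcd has no credentials for GSSAPI"; rc = 1 }
            else if (cc ~ /^\/tmp\/krb5cc_/) { print "krb5_ccname is an interactive user cache: once it expires nslcd can no longer bind"; rc = 1 }
            exit rc
        }'
}

# Return 0 only if a "getent passwd" line carries a non-empty home directory (field 6).
check_passwd_entry() {
    [ -n "$(printf '%s\n' "$1" | cut -d: -f6)" ]
}

# Demonstration on the constructed inputs.
printf '%s\n' "$CONF_THREAD" | check_nslcd_conf || echo "thread config: see findings above"
printf '%s\n' "$CONF_DEDICATED_CACHE" | check_nslcd_conf && echo "dedicated-cache config: ok"
check_passwd_entry 'steve4:x:3000019:100:steve4::/bin/bash' || echo "getent line has an empty home directory"
```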

