[Samba] Samba 4 kerberos and kinit

steve steve at steve-ss.com
Thu Jan 12 03:16:00 MST 2012 

On 12/01/12 08:49, Andrew Bartlett wrote:
> On Thu, 2012-01-12 at 06:15 +0100, Gémes Géza wrote:
>> 2012-01-11 23:48 keltezéssel, steve írta:
>>> Hi
>>> After starting Samba 4, before anyone can do anything, Administrator
>>> has to do a kinit to get a new ticket. This creates a cache
>>> /tmp/krb5cc_0 with an expiry time.
>>>
>>> I've created a host principal and put it into the keytab:
>>> samba-tool spn add host someuser
>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
>>>
>>> How can I keep Samba 4 up without having to get a new Administrator
>>> ticket every 10 hours?
>>>
>>> Thanks,
>>> Steve
>>>
>>>
>> That looks really strange.
> Indeed.  Samba does not require a valid ticket in /tmp/krb5cc_0 to
> operate.  It creates it's own internal credentials cache when required
> using the machine account password.
>
> Something else is going on here.
>
> Andrew Bartlett
>
Hi
Yes, I'm sorry. There is something else. I was trying to keep the post 
short.

I've added rfc2307 attributes to the Samba 4 LDAP and am mapping Linux 
users using nslcd so that when they login and be placed in heir /home 
directory, have the correct uid:gid etc.

grep -v "#" /etc/nslcd.conf
uid root
gid root
uri ldap://127.0.0.1/
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw AbcD at 123
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    shadow uid              sAMAccountName
sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0

Without /tmp/krb5cc_0, getent passwd does not work and Linux users are 
not mapped to their /home directory, shell etc.

My full method is here:
http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html

You mention that Samba 4 creates it's cache as needed. Could you tell me 
if that is a file I could access? At the moment, nslcd looks at 
/tmp/krb5cc_0 but /etc/nslcd.conf has a configuration option line which 
could point to another cache file. I had and still have, that line 
commented out to see what the default was.

Thanks so much for your patience.
Steve.

More information about the samba mailing list