[Samba] Samba 4 kerberos and kinit

Gémes Géza geza at kzsdabas.hu
Thu Jan 12 11:53:31 MST 2012


On 2012-01-12 11:16, steve wrote:
> On 12/01/12 08:49, Andrew Bartlett wrote:
>> On Thu, 2012-01-12 at 06:15 +0100, Gémes Géza wrote:
>>> On 2012-01-11 23:48, steve wrote:
>>>> Hi
>>>> After starting Samba 4, before anyone can do anything, Administrator
>>>> has to do a kinit to get a new ticket. This creates a cache
>>>> /tmp/krb5cc_0 with an expiry time.
>>>>
>>>> I've created a host principal and put it into the keytab:
>>>> samba-tool spn add host someuser
>>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
>>>>
>>>> How can I keep Samba 4 up without having to get a new Administrator
>>>> ticket every 10 hours?
>>>>
>>>> Thanks,
>>>> Steve
>>>>
>>>>
>>> That looks really strange.
>> Indeed.  Samba does not require a valid ticket in /tmp/krb5cc_0 to
>> operate.  It creates its own internal credentials cache when required
>> using the machine account password.
>>
>> Something else is going on here.
>>
>> Andrew Bartlett
>>
> Hi
> Yes, I'm sorry. There is something else. I was trying to keep the post
> short.
>
> I've added rfc2307 attributes to the Samba 4 LDAP and am mapping Linux
> users using nslcd so that when they log in they are placed in their /home
> directory and have the correct uid:gid etc.
>
> grep -v "#" /etc/nslcd.conf
> uid root
> gid root
> uri ldap://127.0.0.1/
> base dc=hh3,dc=site
> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
> bindpw AbcD at 123
> map    passwd uid              sAMAccountName
> map    passwd homeDirectory    unixHomeDirectory
> map    shadow uid              sAMAccountName
> sasl_mech GSSAPI
> sasl_realm HH3.SITE
> #krb5_ccname /tmp/krb5cc_0
>
> Without /tmp/krb5cc_0, getent passwd does not work and Linux users are
> not mapped to their /home directory, shell etc.
>
> My full method is here:
> http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html
>
>
> You mention that Samba 4 creates its cache as needed. Could you tell
> me if that is a file I could access? At the moment, nslcd looks at
> /tmp/krb5cc_0 but /etc/nslcd.conf has a configuration option line
> which could point to another cache file. I had and still have, that
> line commented out to see what the default was.
>
> Thanks so much for your patience.
> Steve.
>
The problem then is not Samba related at all. Is nslcd the culprit then?

I would suggest a differently configured nslcd then.
First create an account named something like:
accountfornslcdoperationsorsomethingsimilarlyboringnameidontmind ;-)
then extract a keytab for it:
samba-tool domain exportkeytab --principal=thepreviouslycreatedprincipalwithatterriblyboringname /path/to/the/keytab/file/to/be/created
Then following some guide like:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
configure nslcd to do kerberized lookup against the Samba4 LDAP service.

Regards

Geza
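An added example, not from the thread: a small POSIX sh script that places a constructed stand-in for the nslcd.conf Steve quoted beside a keytab-based variant along the lines of Geza's advice, with a check that flags the weak settings (a plaintext bindpw, lookups bound as Administrator, and GSSAPI depending on the default cache /tmp/krb5cc_0). The lookup account, keytab path and cache path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread; names and paths are assumed.
set -eu
# Constructed stand-in for the nslcd.conf Steve posted: lookups bound as
# Administrator with a plaintext password, GSSAPI left on the default cache.
weak_conf() {
cat <<'EOF'
uid root
gid root
uri ldap://127.0.0.1/
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw <plaintext-password>
sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0
EOF
}
# Replacement in the spirit of Geza's suggestion: a dedicated unprivileged lookup
# account, its keytab (assumed /etc/nslcd.keytab, mode 0400, owner nslcd) filling
# a cache nslcd owns. Renewing the cache from the keytab (e.g. k5start) not shown.
CCACHE="/var/run/nslcd/krb5cc"   # assumed path
fixed_conf() {
cat <<EOF
uid nslcd
gid nslcd
uri ldap://127.0.0.1/
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname $CCACHE
EOF
}
# Read an nslcd.conf on stdin; return 0 only if none of the weak patterns is present.
check_conf() {
  conf=$(grep -v '^[[:space:]]*#' || true)   # drop comment lines
  status=0
  if printf '%s\n' "$conf" | grep -q '^bindpw'; then
    echo "weak: plaintext bindpw stored in nslcd.conf" >&2; status=1
  fi
  if printf '%s\n' "$conf" | grep -qi '^binddn.*cn=Administrator'; then
    echo "weak: lookups bound as Administrator" >&2; status=1
  fi
  if printf '%s\n' "$conf" | grep -q '^sasl_mech.*GSSAPI' &&
     ! printf '%s\n' "$conf" | grep -q '^krb5_ccname'; then
    echo "weak: GSSAPI lookups depend on the default ticket cache (/tmp/krb5cc_0)" >&2; status=1
  fi
  return $status
}
```

Run as `fixed_conf | check_conf` (or on a real file, `check_conf < /etc/nslcd.conf`); a non-zero exit means one of the weak patterns is present.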

