[Samba] Samba 4 kerberos and kinit

steve steve at steve-ss.com
Thu Jan 12 19:06:01 MST 2012


On 12/01/12 19:53, Gémes Géza wrote:
> 2012-01-12 11:16 keltezéssel, steve írta:
>> On 12/01/12 08:49, Andrew Bartlett wrote:
>>> On Thu, 2012-01-12 at 06:15 +0100, Gémes Géza wrote:
>>>> 2012-01-11 23:48 keltezéssel, steve írta:
>>>>> Hi
>>>>> After starting Samba 4, before anyone can do anything, Administrator
>>>>> has to do a kinit to get a new ticket. This creates a cache
>>>>> /tmp/krb5cc_0 with an expiry time.
>>>>>
>>>>> I've created a host principal and put it into the keytab:
>>>>> samba-tool spn add host someuser
>>>>> samba-tool domain exportkeytab /etc/krb5.keytab \
>>>>>     --principal=host/HH3.SITE
>>>>>
>>>>> How can I keep Samba 4 up without having to get a new Administrator
>>>>> ticket every 10 hours?
>>>>>
>>>>> Thanks,
>>>>> Steve
>>>>>
>>>>>
>>>> That looks really strange.
>>> Indeed.  Samba does not require a valid ticket in /tmp/krb5cc_0 to
>>> operate.  It creates its own internal credentials cache when required
>>> using the machine account password.
>>>
>>> Something else is going on here.
>>>
>>> Andrew Bartlett
>>>
>> Hi
>> Yes, I'm sorry. There is something else. I was trying to keep the post
>> short.
>>
>> I've added rfc2307 attributes to the Samba 4 LDAP and am mapping Linux
>> users using nslcd so that when they log in they are placed in their /home
>> directory and have the correct uid:gid etc.
>>
>> grep -v "#" /etc/nslcd.conf
>> uid root
>> gid root
>> uri ldap://127.0.0.1/
>> base dc=hh3,dc=site
>> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
>> bindpw AbcD at 123
>> map    passwd uid              sAMAccountName
>> map    passwd homeDirectory    unixHomeDirectory
>> map    shadow uid              sAMAccountName
>> sasl_mech GSSAPI
>> sasl_realm HH3.SITE
>> #krb5_ccname /tmp/krb5cc_0
>>
>> Without /tmp/krb5cc_0, getent passwd does not work and Linux users are
>> not mapped to their /home directory, shell etc.
>>
>> My full method is here:
>> http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html
>>
>>
>> You mention that Samba 4 creates its cache as needed. Could you tell
>> me if that is a file I could access? At the moment, nslcd looks at
>> /tmp/krb5cc_0 but /etc/nslcd.conf has a configuration option line
>> which could point to another cache file. I had and still have, that
>> line commented out to see what the default was.
>>
>> Thanks so much for your patience.
>> Steve.
>>
> The problem then is not samba related at all. Is nslcd the culprit then?
>
> I would suggest a differently configured nslcd then.
> First create an account named something like:
> accountfornslcdoperationsorsomethingsimilarlyboringnameidontmind ;-)
> then extract a keytab for it:
> samba-tool domain exportkeytab \
>     --principal=thepreviouslycreatedprincipalwithatterriblyboringname \
>     /path/to/the/keytab/file/to/be/created
> Then following some guide like:
> http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
> configure nslcd to do kerberized lookup against the Samba4 LDAP service.
>
> Regards
>
> Geza
Hi Geza
How about this:

samba-tool user add boring-nslcd-account
samba-tool spn add host boring-nslcd-account
samba-tool domain exportkeytab /etc/krb5.keytab \
    --principal=host/HH3.SITE

Then this:

  /etc/nslcd.conf

uri ldap://192.168.1.3/
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw BCa at 7aBC
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    shadow uid              sAMAccountName
sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0

Does that make sense?
Thanks
Steve
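An added example (not from the thread): the two halves of Geza's suggestion as a script, with a ticket refresh from a dedicated keytab into a private cache for nslcd, and a check that an nslcd.conf no longer depends on a cleartext bindpw, the Administrator DN or root's /tmp/krb5cc_0. The principal, keytab and cache paths are placeholders, and the kinit flags assume MIT Kerberos.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumed placeholders: service principal, keytab path and cache path.
# kinit flags follow MIT Kerberos: -k -t keytab -c cache.
NSLCD_PRINC="${NSLCD_PRINC:-boring-nslcd-account@HH3.SITE}"   # assumed principal
NSLCD_KEYTAB="${NSLCD_KEYTAB:-/etc/nslcd.keytab}"             # assumed keytab path
NSLCD_CCACHE="${NSLCD_CCACHE:-/var/run/nslcd/krb5cc}"         # assumed cache path

# Fetch (or refresh) a TGT for the service principal from its keytab into a
# cache that only nslcd uses. Run it from cron well inside the ticket lifetime
# so the ticket never lapses and no interactive kinit by Administrator is needed.
# Point krb5_ccname in /etc/nslcd.conf at $NSLCD_CCACHE.
renew_nslcd_ticket() {
    kinit -k -t "$NSLCD_KEYTAB" -c "$NSLCD_CCACHE" "$NSLCD_PRINC" || return 1
    chown nslcd: "$NSLCD_CCACHE" 2>/dev/null   # nslcd runs as its own user
    chmod 600 "$NSLCD_CCACHE"
}

# Audit an nslcd.conf. Returns 0 when lookups use GSSAPI with an explicit
# krb5_ccname and no cleartext bindpw; returns 1 for the layout in the thread:
# a bindpw line, the Administrator bind DN, or no krb5_ccname (so the lookup
# silently depends on whatever is in root's /tmp/krb5cc_0).
check_nslcd_conf() {
    conf="$1"
    active=$(grep -v '^[[:space:]]*#' "$conf")          # drop commented lines
    printf '%s\n' "$active" | grep -q '^bindpw'                      && return 1
    printf '%s\n' "$active" | grep -qi 'cn=Administrator'            && return 1
    printf '%s\n' "$active" | grep -q '^sasl_mech[[:space:]]*GSSAPI' || return 1
    printf '%s\n' "$active" | grep -q '^krb5_ccname'                 || return 1
    return 0
}
```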

