[Samba] Samba 4 kerberos and kinit

steve steve at steve-ss.com
Thu Jan 12 20:37:14 MST 2012


On 13/01/12 03:06, steve wrote:
> On 12/01/12 19:53, Gémes Géza wrote:
>> 2012-01-12 11:16 keltezéssel, steve írta:
>>> On 12/01/12 08:49, Andrew Bartlett wrote:
>>>> On Thu, 2012-01-12 at 06:15 +0100, Gémes Géza wrote:
>>>>> 2012-01-11 23:48 keltezéssel, steve írta:
>>>>>> Hi
>>>>>> After starting Samba 4, before anyone can do anything, Administrator
>>>>>> has to do a kinit to get a new ticket. This creates a cache
>>>>>> /tmp/krb5cc_0 with an expiry time.
>>>>>>
>>>>>> I've created a host principal and put it into the keytab:
>>>>>> samba-tool spn add host someuser
>>>>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
>>>>>>
>>>>>> How can I keep Samba 4 up without having to get a new Administrator
>>>>>> ticket every 10 hours?
>>>>>>
>>>>>> Thanks,
>>>>>> Steve
>>>>>>
>>>>>>
>>>>> That looks really strange.
>>>> Indeed.  Samba does not require a valid ticket in /tmp/krb5cc_0 to
>>>> operate.  It creates its own internal credentials cache when required
>>>> using the machine account password.
>>>>
>>>> Something else is going on here.
>>>>
>>>> Andrew Bartlett
>>>>
>>> Hi
>>> Yes, I'm sorry. There is something else. I was trying to keep the post
>>> short.
>>>
>>> I've added rfc2307 attributes to the Samba 4 LDAP and am mapping Linux
>>> users using nslcd so that when they log in they are placed in their /home
>>> directory and have the correct uid:gid etc.
>>>
>>> grep -v "#" /etc/nslcd.conf
>>> uid root
>>> gid root
>>> uri ldap://127.0.0.1/
>>> base dc=hh3,dc=site
>>> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
>>> bindpw AbcD@123
>>> map    passwd uid              sAMAccountName
>>> map    passwd homeDirectory    unixHomeDirectory
>>> map    shadow uid              sAMAccountName
>>> sasl_mech GSSAPI
>>> sasl_realm HH3.SITE
>>> #krb5_ccname /tmp/krb5cc_0
>>>
>>> Without /tmp/krb5cc_0, getent passwd does not work and Linux users are
>>> not mapped to their /home directory, shell etc.
>>>
>>> My full method is here:
>>> http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html
>>>
>>> You mention that Samba 4 creates its cache as needed. Could you tell
>>> me if that is a file I could access? At the moment, nslcd looks at
>>> /tmp/krb5cc_0 but /etc/nslcd.conf has a configuration option line
>>> which could point to another cache file. I had and still have, that
>>> line commented out to see what the default was.
>>>
>>> Thanks so much for your patience.
>>> Steve.
>>>
>> The problem then is not samba related at all. It is nslcd at culprit 
>> then?
>>
>> I would suggest a differently configured nslcd then.
>> First create an account named something like:
>> accountfornslcdoperationsorsomethingsimilarlyboringnameidontmind ;-)
>> then extract a keytab for it:
>> samba-tool domain exportkeytab --principal=thepreviouslycreatedprincipalwithatterriblyboringname /path/to/the/keytab/file/to/be/created
>> Then following some guide like:
>> http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
>> configure nslcd to do kerberized lookup against the Samba4 LDAP service.
>>
>> Regards
>>
>> Geza
> Hi Geza
> How about this:
>
> samba-tool user add boring-nslcd-account
> samba-tool spn add host boring-nslcd-account
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
>
> Then this:
>
>  /etc/nslcd.conf
>
> uri ldap://192.168.1.3/
> base dc=hh3,dc=site
> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
> bindpw BCa@7aBC
> map    passwd uid              sAMAccountName
> map    passwd homeDirectory    unixHomeDirectory
> map    shadow uid              sAMAccountName
> sasl_mech GSSAPI
> sasl_realm HH3.SITE
> #krb5_ccname /tmp/krb5cc_0
>
> Does that make sense?
> Thanks
> Steve
OK
Disaster. New build from git checkout today.
  klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HH3$@HH3.SITE
   1 HH3$@HH3.SITE
   1 HH3$@HH3.SITE
   1 Administrator@HH3.SITE
   1 Administrator@HH3.SITE
   1 Administrator@HH3.SITE
   1 nslcd-user@HH3.SITE
   1 nslcd-user@HH3.SITE
   1 nslcd-user@HH3.SITE
   1 dns-hh3@HH3.SITE
   1 dns-hh3@HH3.SITE
   1 dns-hh3@HH3.SITE
   1 krbtgt@HH3.SITE
   1 krbtgt@HH3.SITE
   1 krbtgt@HH3.SITE
   1 steve2@HH3.SITE
   1 steve2@HH3.SITE
   1 steve2@HH3.SITE
   1 host/HH3.SITE@HH3.SITE
   1 host/HH3.SITE@HH3.SITE
   1 host/HH3.SITE@HH3.SITE

getent passwd gives:

Kerberos: TGS-REQ Administrator@HH3.SITE from ipv4:192.168.1.3:45733 for krbtgt/SITE@HH3.SITE [renewable]
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SITE@HH3.SITE: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:45733

The krbtgt/SITE@HH3.SITE looks bad.

/var/log/messages gives:

Jan 13 04:29:22 hh3 nslcd[4606]: [8b4567] failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server: Transport endpoint is not connected
Jan 13 04:29:22 hh3 nslcd[4606]: [8b4567] no available LDAP server found
Jan 13 04:30:45 hh3 nslcd[4606]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
Jan 13 04:30:45 hh3 nslcd[4606]: [7b23c6] failed to bind to LDAP server ldap://127.0.0.1/: Local error
Jan 13 04:30:45 hh3 nslcd[4606]: [7b23c6] no available LDAP server found

Any ideas here? Where can I start to look? Thanks for your patience.
Steve
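The thread turns on two things: an nslcd.conf that still carries Administrator's clear-text bindpw while relying on a root kinit cache for GSSAPI, and a KDC log showing a request for krbtgt/SITE@HH3.SITE, i.e. a cross-realm TGT for a realm "SITE" that does not exist. The script below is an added example, not code from the thread or from the nslcd or Samba projects. It lints an nslcd.conf for the settings discussed (password on disk, binding as Administrator, GSSAPI without krb5_ccname, an IP literal in uri) and scans KDC log lines for cross-realm krbtgt requests. The finding codes, the dedicated nslcd uid/gid, the DC hostname dc.hh3.site and the ccache path in the hardened sample are all assumptions; the sample inputs are constructed from the configuration and log text posted above.

```python
# Added example, not part of the thread: lint nslcd.conf for the pitfalls
# discussed above and flag cross-realm krbtgt requests in Samba KDC logs.
import re
from urllib.parse import urlsplit


def parse_nslcd_conf(text):
    """Parse nslcd.conf into an ordered list of (key, value) pairs.
    Comment and blank lines are skipped; keys like 'map' and 'uri' may repeat."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def _is_ip_literal(host):
    return ":" in host or bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host))


def lint_nslcd_conf(text):
    """Return finding codes (names chosen here, not nslcd's) for a config
    that does lookups against a Samba AD DC."""
    opts = {}
    for key, value in parse_nslcd_conf(text):
        opts.setdefault(key, []).append(value)
    uses_gssapi = any(m.lower() == "gssapi" for m in opts.get("sasl_mech", []))
    findings = []
    if "bindpw" in opts:
        # Clear-text directory password on disk: whoever can read the file can bind.
        findings.append("bindpw-on-disk")
        if any(dn.lower().startswith("cn=administrator,") for dn in opts.get("binddn", [])):
            # Lookups only need read access; a dedicated account limits the blast radius.
            findings.append("binds-as-administrator")
        if uses_gssapi:
            # With GSSAPI a keytab plus ticket cache should replace the password.
            findings.append("bindpw-with-gssapi")
    if uses_gssapi:
        if "krb5_ccname" not in opts:
            # No krb5_ccname: nslcd falls back to the default cache, which in the
            # thread was root's /tmp/krb5cc_0 and expired with Administrator's kinit.
            findings.append("no-krb5_ccname")
        for uri in opts.get("uri", []):
            if _is_ip_literal(urlsplit(uri).hostname or ""):
                # GSSAPI builds the ldap/<host> service principal from the uri host;
                # an IP literal leaves that to reverse DNS, so prefer the DC's FQDN.
                findings.append("uri-ip-literal")
    return findings


TGS_REQ = re.compile(r"TGS-REQ (?P<client>\S+) from \S+ for (?P<service>\S+)")


def cross_realm_krbtgt_requests(log_lines):
    """Return (client, service) for TGS-REQs asking for krbtgt/X@R with X != R:
    a cross-realm TGT request, which on a single-realm DC means the client
    mapped the LDAP server to the wrong realm."""
    hits = []
    for line in log_lines:
        m = TGS_REQ.search(line)
        if not m or not m.group("service").startswith("krbtgt/"):
            continue
        name, _, realm = m.group("service")[len("krbtgt/"):].partition("@")
        if name != realm:
            hits.append((m.group("client"), m.group("service")))
    return hits


# Constructed from the nslcd.conf posted in the thread (password as posted).
THREAD_NSLCD_CONF = """\
uid root
gid root
uri ldap://127.0.0.1/
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw AbcD@123
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0
"""

# Assumed hardened version: dedicated nslcd user, DC FQDN and ccache path are
# placeholders; the cache is expected to be refreshed from the account's keytab.
HARDENED_NSLCD_CONF = """\
uid nslcd
gid nslcd
uri ldap://dc.hh3.site/
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /var/run/nslcd/krb5cc_nslcd
map    passwd uid              sAMAccountName
"""

# Constructed from the KDC log lines in the post, re-joined onto single lines.
KDC_LOG = [
    "Kerberos: TGS-REQ Administrator@HH3.SITE from ipv4:192.168.1.3:45733 for krbtgt/SITE@HH3.SITE [renewable]",
    "Kerberos: samba_kdc_fetch: could not find principal in DB",
    "Kerberos: Server not found in database: krbtgt/SITE@HH3.SITE: no such entry found in hdb",
]

if __name__ == "__main__":
    print("thread config:", lint_nslcd_conf(THREAD_NSLCD_CONF))
    print("hardened config:", lint_nslcd_conf(HARDENED_NSLCD_CONF))
    print("cross-realm krbtgt requests:", cross_realm_krbtgt_requests(KDC_LOG))
```

Run against the posted config the linter reports all five findings; the hardened sample reports none, and the log scan isolates the one TGS-REQ whose krbtgt name ("SITE") differs from the realm ("HH3.SITE"), which is the line to chase on the client side (realm mapping for the LDAP host) rather than on the DC.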

