[Samba] Samba 4 kerberos and kinit
steve
steve at steve-ss.com
Fri Jan 13 05:00:59 MST 2012
On 13/01/12 04:37, steve wrote:
> On 13/01/12 03:06, steve wrote:
>> On 12/01/12 19:53, Gémes Géza wrote:
>>> On 2012-01-12 11:16, steve wrote:
>>>> On 12/01/12 08:49, Andrew Bartlett wrote:
>>>>> On Thu, 2012-01-12 at 06:15 +0100, Gémes Géza wrote:
>>>>>> On 2012-01-11 23:48, steve wrote:
>>>>>>> Hi
>>>>>>> After starting Samba 4, before anyone can do anything, Administrator
>>>>>>> has to do a kinit to get a new ticket. This creates a cache
>>>>>>> /tmp/krb5cc_0 with an expiry time.
>>>>>>>
>>>>>>> I've created a host principal and put it into the keytab:
>>>>>>> samba-tool spn add host someuser
>>>>>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
>>>>>>>
>>>>>>> How can I keep Samba 4 up without having to get a new Administrator
>>>>>>> ticket every 10 hours?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Steve
>>>>>>>
>>>>>>>
>>>>>> That looks really strange.
>>>>> Indeed. Samba does not require a valid ticket in /tmp/krb5cc_0 to
>>>>> operate. It creates its own internal credentials cache when required
>>>>> using the machine account password.
>>>>>
>>>>> Something else is going on here.
>>>>>
>>>>> Andrew Bartlett
>>>>>
>>>> Hi
>>>> Yes, I'm sorry. There is something else. I was trying to keep the post
>>>> short.
>>>>
>>>> I've added rfc2307 attributes to the Samba 4 LDAP and am mapping Linux
>>>> users using nslcd so that when they log in they are placed in their /home
>>>> directory and have the correct uid:gid etc.
>>>>
>>>> grep -v "#" /etc/nslcd.conf
>>>> uid root
>>>> gid root
>>>> uri ldap://127.0.0.1/
>>>> base dc=hh3,dc=site
>>>> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
>>>> bindpw AbcD@123
>>>> map passwd uid sAMAccountName
>>>> map passwd homeDirectory unixHomeDirectory
>>>> map shadow uid sAMAccountName
>>>> sasl_mech GSSAPI
>>>> sasl_realm HH3.SITE
>>>> #krb5_ccname /tmp/krb5cc_0
>>>>
>>>> Without /tmp/krb5cc_0, getent passwd does not work and Linux users are
>>>> not mapped to their /home directory, shell etc.
>>>>
>>>> My full method is here:
>>>> http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html
>>>>
>>>>
>>>>
>>>> You mention that Samba 4 creates its cache as needed. Could you tell
>>>> me if that is a file I could access? At the moment, nslcd looks at
>>>> /tmp/krb5cc_0 but /etc/nslcd.conf has a configuration option line
>>>> which could point to another cache file. I had and still have, that
>>>> line commented out to see what the default was.
>>>>
>>>> Thanks so much for your patience.
>>>> Steve.
>>>>
>>> The problem then is not Samba related at all. Is nslcd the culprit
>>> then?
>>>
>>> I would suggest a differently configured nslcd then.
>>> First create an account named something like:
>>> accountfornslcdoperationsorsomethingsimilarlyboringnameidontmind ;-)
>>> then extract a keytab for it:
>>> samba-tool domain exportkeytab
>>> --principal=thepreviouslycreatedprincipalwithatterriblyboringname
>>> /path/to/the/keytab/file/to/be/created
>>> Then following some guide like:
>>> http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
>>> configure nslcd to do kerberized lookup against the Samba4 LDAP
>>> service.
>>>
>>> Regards
>>>
>>> Geza
>> Hi Geza
>> How about this:
>>
>> samba-tool user add boring-nslcd-account
>> samba-tool spn add host boring-nslcd-account
>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
>>
>> Then this:
>>
>> /etc/nslcd.conf
>>
>> uri ldap://192.168.1.3/
>> base dc=hh3,dc=site
>> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
>> bindpw BCa@7aBC
>> map passwd uid sAMAccountName
>> map passwd homeDirectory unixHomeDirectory
>> map shadow uid sAMAccountName
>> sasl_mech GSSAPI
>> sasl_realm HH3.SITE
>> #krb5_ccname /tmp/krb5cc_0
>>
>> Does that make sense?
>> Thanks
>> Steve
> OK
> Disaster. New build from git checkout today.
> klist -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 HH3$@HH3.SITE
> 1 HH3$@HH3.SITE
> 1 HH3$@HH3.SITE
> 1 Administrator@HH3.SITE
> 1 Administrator@HH3.SITE
> 1 Administrator@HH3.SITE
> 1 nslcd-user@HH3.SITE
> 1 nslcd-user@HH3.SITE
> 1 nslcd-user@HH3.SITE
> 1 dns-hh3@HH3.SITE
> 1 dns-hh3@HH3.SITE
> 1 dns-hh3@HH3.SITE
> 1 krbtgt@HH3.SITE
> 1 krbtgt@HH3.SITE
> 1 krbtgt@HH3.SITE
> 1 steve2@HH3.SITE
> 1 steve2@HH3.SITE
> 1 steve2@HH3.SITE
> 1 host/HH3.SITE@HH3.SITE
> 1 host/HH3.SITE@HH3.SITE
> 1 host/HH3.SITE@HH3.SITE
>
> getent passwd gives:
>
> Kerberos: TGS-REQ Administrator@HH3.SITE from ipv4:192.168.1.3:45733
> for krbtgt/SITE@HH3.SITE [renewable]
> Failed find a single entry for
> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))):
> got 0
> Kerberos: samba_kdc_fetch: could not find principal in DB
> Kerberos: Server not found in database: krbtgt/SITE@HH3.SITE: no such
> entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:45733
>
> The krbtgt/SITE@HH3.SITE looks bad.
>
> /var/log/messages gives:
>
> Jan 13 04:29:22 hh3 nslcd[4606]: [8b4567] failed to bind to LDAP
> server ldap://127.0.0.1/: Can't contact LDAP server: Transport
> endpoint is not connected
> Jan 13 04:29:22 hh3 nslcd[4606]: [8b4567] no available LDAP server found
> Jan 13 04:30:45 hh3 nslcd[4606]: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Server not found in
> Kerberos database)
> Jan 13 04:30:45 hh3 nslcd[4606]: [7b23c6] failed to bind to LDAP
> server ldap://127.0.0.1/: Local error
> Jan 13 04:30:45 hh3 nslcd[4606]: [7b23c6] no available LDAP server found
>
> Any ideas here? Where can I start to look? Thanks for your patience.
> Steve
OK
Getting somewhere. I've got rid of the Kerberos: Server not found in
database: krbtgt/SITE@HH3.SITE error.
Now samba 4 is giving me this:
ldb_wrap open of secrets.ldb
Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
and /var/log/messages this:
Jan 13 12:19:39 hh3 nslcd[3465]: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Credentials cache permissions
incorrect)
Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] failed to bind to LDAP server
ldap://localhost: Local error
Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] no available LDAP server found
Finally got the new git working. Something must have changed since the
last checkout I used because I had to comment out the:
sasl_mech GSSAPI
in /etc/nslcd.conf
I now have this:
grep -v "#" /etc/nslcd.conf
uid nslcd-user
gid nslcd-user
uri ldap://localhost
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw 12345678
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
#sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
I have made a linux user and group called nslcd-user to run nslcd. I
have also made a samba 4 user called nslcd-user and made a host
principal with him and exported that to the keytab. However, I'm back at
the same problem. How do I give the nslcd-user a ticket that nslcd can
use? I can use kinit and get a ticket cache for nslcd-user, but it only
lasts for 10 hours. In the docs you referenced, the guy says:
'I have setup a real user that the daemon will run as, and have given
that user a valid kerberos tgt' and gives this line in /etc/nslcd.conf
krb5_ccname /var/run/nslcd/nslcd.tkt
How has the guy 'given that user a valid kerberos tgt'?
IOW, how do _I_ on openSUSE 12.1 get that magic nslcd.tkt file to put in
/var/run/nslcd ?????
It's been a long night!
Cheers
Steve
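The open question at the end of the message (how nslcd-user gets a TGT without someone running kinit by hand every 10 hours) is usually answered by obtaining the ticket from the account's keytab, from cron or a keep-alive tool such as k5start, into a cache file that nslcd.conf points at with krb5_ccname. The script below is an added example written for this page; it is not code from the thread, the linked guide or the Samba project. The principal nslcd-user@HH3.SITE, the keytab /etc/krb5.keytab, the cache path /var/run/nslcd/nslcd.tkt, the daemon user nslcd-user and the install path are assumptions modelled on the configs pasted above, and it assumes MIT krb5 client tools. It also verifies the cache's owner and mode, because a cache the daemon user cannot open (for instance a /tmp/krb5cc_0 created by root's kinit while nslcd runs as nslcd-user) is what produces the "Credentials cache permissions incorrect" error quoted earlier.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): refresh a TGT for
# the nslcd service account from its keytab into a dedicated credentials
# cache owned by the daemon user, so nslcd never depends on /tmp/krb5cc_0 or
# on an interactive kinit.
# Assumed names (not stated on the list): MIT krb5 tools, principal
# nslcd-user@HH3.SITE present in /etc/krb5.keytab, nslcd running as user
# nslcd-user with "krb5_ccname /var/run/nslcd/nslcd.tkt" in nslcd.conf.
# Install as e.g. /usr/local/sbin/nslcd-tgt-refresh (hypothetical path) and
# run it from root's crontab well inside the 10 h ticket lifetime:
#   0 */4 * * * /usr/local/sbin/nslcd-tgt-refresh refresh

PRINCIPAL="${PRINCIPAL:-nslcd-user@HH3.SITE}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
CCACHE="${CCACHE:-/var/run/nslcd/nslcd.tkt}"
RUNAS="${RUNAS:-nslcd-user}"

# A file cache must belong to the user the daemon runs as and be mode 0600.
# Owned by root -> the daemon cannot open it ("Credentials cache permissions
# incorrect"); readable by others -> every local user can borrow the TGT.
# Returns 0 when $1 is a regular file owned by $2 with no group/other bits.
ccache_ok() {
    f=$1
    owner=$2
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")      # $1 = mode string, $3 = owner name
    mode=$1
    fowner=$3
    [ "$fowner" = "$owner" ] || return 1
    case "$mode" in
        -rw-------|-rw-------.) return 0 ;;   # trailing '.' = SELinux label
        *) return 1 ;;
    esac
}

# Keytab-based kinit: no password, no terminal, repeatable forever. Write to
# a temp file and rename it into place so nslcd never sees a half-written cache.
refresh_tgt() {
    tmp="$CCACHE.$$"
    if ! kinit -k -t "$KEYTAB" -c "$tmp" "$PRINCIPAL"; then
        rm -f "$tmp"
        return 1
    fi
    chown "$RUNAS" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$CCACHE"
}

main() {
    refresh_tgt || { echo "kinit for $PRINCIPAL failed" >&2; exit 1; }
    # Verify what nslcd will see: correct owner and mode, and a TGT that
    # klist -s considers valid (it exits non-zero for an expired cache).
    if ! ccache_ok "$CCACHE" "$RUNAS" || ! klist -s -c "$CCACHE"; then
        echo "$CCACHE is not usable by $RUNAS" >&2
        exit 1
    fi
}

if [ "${1:-}" = refresh ]; then
    main
fi
```

With this in place nslcd.conf keeps `sasl_mech GSSAPI`, `sasl_realm HH3.SITE` and `krb5_ccname /var/run/nslcd/nslcd.tkt`, and the `binddn`/`bindpw` lines go away, which takes the plaintext Administrator password out of the config; the service account only needs read access to the user and group attributes nslcd maps.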