[Samba] Samba 4 kerberos and kinit

steve steve at steve-ss.com
Fri Jan 13 05:00:59 MST 2012


On 13/01/12 04:37, steve wrote:
> On 13/01/12 03:06, steve wrote:
>> On 12/01/12 19:53, Gémes Géza wrote:
>>> 2012-01-12 11:16 keltezéssel, steve írta:
>>>> On 12/01/12 08:49, Andrew Bartlett wrote:
>>>>> On Thu, 2012-01-12 at 06:15 +0100, Gémes Géza wrote:
>>>>>> On 2012-01-11 23:48, steve wrote:
>>>>>>> Hi
>>>>>>> After starting Samba 4, before anyone can do anything, Administrator
>>>>>>> has to do a kinit to get a new ticket. This creates a cache
>>>>>>> /tmp/krb5cc_0 with an expiry time.
>>>>>>>
>>>>>>> I've created a host principal and put it into the keytab:
>>>>>>> samba-tool spn add host someuser
>>>>>>> samba-tool domain exportkeytab /etc/krb5.keytab
>>>>>>> --principal=host/HH3.SITE
>>>>>>>
>>>>>>> How can I keep Samba 4 up without having to get a new Administrator
>>>>>>> ticket every 10 hours?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Steve
>>>>>>>
>>>>>>>
>>>>>> That looks really strange.
>>>>> Indeed.  Samba does not require a valid ticket in /tmp/krb5cc_0 to
>>>>> operate.  It creates its own internal credentials cache when required
>>>>> using the machine account password.
>>>>>
>>>>> Something else is going on here.
>>>>>
>>>>> Andrew Bartlett
>>>>>
>>>> Hi
>>>> Yes, I'm sorry. There is something else. I was trying to keep the post
>>>> short.
>>>>
>>>> I've added rfc2307 attributes to the Samba 4 LDAP and am mapping Linux
>>>> users using nslcd so that when they log in they are placed in their /home
>>>> directory and have the correct uid:gid etc.
>>>>
>>>> grep -v "#" /etc/nslcd.conf
>>>> uid root
>>>> gid root
>>>> uri ldap://127.0.0.1/
>>>> base dc=hh3,dc=site
>>>> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
>>>> bindpw AbcD@123
>>>> map    passwd uid              sAMAccountName
>>>> map    passwd homeDirectory    unixHomeDirectory
>>>> map    shadow uid              sAMAccountName
>>>> sasl_mech GSSAPI
>>>> sasl_realm HH3.SITE
>>>> #krb5_ccname /tmp/krb5cc_0
>>>>
>>>> Without /tmp/krb5cc_0, getent passwd does not work and Linux users are
>>>> not mapped to their /home directory, shell etc.
>>>>
>>>> My full method is here:
>>>> http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html 
>>>>
>>>>
>>>>
>>>> You mention that Samba 4 creates its cache as needed. Could you tell
>>>> me if that is a file I could access? At the moment, nslcd looks at
>>>> /tmp/krb5cc_0 but /etc/nslcd.conf has a configuration option line
>>>> which could point to another cache file. I had and still have, that
>>>> line commented out to see what the default was.
>>>>
>>>> Thanks so much for your patience.
>>>> Steve.
>>>>
>>> The problem then is not samba related at all. It is nslcd at culprit 
>>> then?
>>>
>>> I would suggest a differently configured nslcd then.
>>> First create an account named something like:
>>> accountfornslcdoperationsorsomethingsimilarlyboringnameidontmind ;-)
>>> then extract a keytab for it:
>>> samba-tool domain exportkeytab
>>> --principal=thepreviouslycreatedprincipalwithatterriblyboringname
>>> /path/to/the/keytab/file/to/be/created
>>> Then following some guide like:
>>> http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
>>> configure nslcd to do kerberized lookup against the Samba4 LDAP 
>>> service.
>>>
>>> Regards
>>>
>>> Geza
>> Hi Geza
>> How about this:
>>
>> samba-tool user add boring-nslcd-account
>> samba-tool spn add host boring-nslcd-account
>> samba-tool domain exportkeytab /etc/krb5.keytab
>> --principal=host/HH3.SITE
>>
>> Then this:
>>
>>  /etc/nslcd.conf
>>
>> uri ldap://192.168.1.3/
>> base dc=hh3,dc=site
>> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
>> bindpw BCa@7aBC
>> map    passwd uid              sAMAccountName
>> map    passwd homeDirectory    unixHomeDirectory
>> map    shadow uid              sAMAccountName
>> sasl_mech GSSAPI
>> sasl_realm HH3.SITE
>> #krb5_ccname /tmp/krb5cc_0
>>
>> Does that make sense?
>> Thanks
>> Steve
> OK
> Disaster. New build from git checkout today.
> klist -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 HH3$@HH3.SITE
>    1 HH3$@HH3.SITE
>    1 HH3$@HH3.SITE
>    1 Administrator@HH3.SITE
>    1 Administrator@HH3.SITE
>    1 Administrator@HH3.SITE
>    1 nslcd-user@HH3.SITE
>    1 nslcd-user@HH3.SITE
>    1 nslcd-user@HH3.SITE
>    1 dns-hh3@HH3.SITE
>    1 dns-hh3@HH3.SITE
>    1 dns-hh3@HH3.SITE
>    1 krbtgt@HH3.SITE
>    1 krbtgt@HH3.SITE
>    1 krbtgt@HH3.SITE
>    1 steve2@HH3.SITE
>    1 steve2@HH3.SITE
>    1 steve2@HH3.SITE
>    1 host/HH3.SITE@HH3.SITE
>    1 host/HH3.SITE@HH3.SITE
>    1 host/HH3.SITE@HH3.SITE
>
> getent passwd gives:
>
> Kerberos: TGS-REQ Administrator@HH3.SITE from ipv4:192.168.1.3:45733 
> for krbtgt/SITE@HH3.SITE [renewable]
> Failed find a single entry for 
> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): 
> got 0
> Kerberos: samba_kdc_fetch: could not find principal in DB
> Kerberos: Server not found in database: krbtgt/SITE@HH3.SITE: no such 
> entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:45733
>
> The krbtgt/SITE@HH3.SITE looks bad.
>
> /var/log/messages gives:
>
> Jan 13 04:29:22 hh3 nslcd[4606]: [8b4567] failed to bind to LDAP 
> server ldap://127.0.0.1/: Can't contact LDAP server: Transport 
> endpoint is not connected
> Jan 13 04:29:22 hh3 nslcd[4606]: [8b4567] no available LDAP server found
> Jan 13 04:30:45 hh3 nslcd[4606]: GSSAPI Error: Unspecified GSS 
> failure.  Minor code may provide more information (Server not found in 
> Kerberos database)
> Jan 13 04:30:45 hh3 nslcd[4606]: [7b23c6] failed to bind to LDAP 
> server ldap://127.0.0.1/: Local error
> Jan 13 04:30:45 hh3 nslcd[4606]: [7b23c6] no available LDAP server found
>
> Any ideas here? Where can I start to look? Thanks for your patience.
> Steve
OK
Getting somewhere. I've got rid of the Kerberos: Server not found in 
database: krbtgt/SITE@HH3.SITE error.

Now samba 4 is giving me this:

ldb_wrap open of secrets.ldb
Terminating connection - 'ldapsrv_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() 
- NT_STATUS_CONNECTION_DISCONNECTED]

and /var/log/messages this:

Jan 13 12:19:39 hh3 nslcd[3465]: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Credentials cache permissions 
incorrect)
Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] failed to bind to LDAP server 
ldap://localhost: Local error
Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] no available LDAP server found

Finally got the new git working. Something must have changed since the 
last checkout I used because I had to comment out the:

sasl_mech GSSAPI

in /etc/nslcd.conf

I now have this:
  grep -v "#" /etc/nslcd.conf

uid nslcd-user
gid nslcd-user
uri ldap://localhost
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw 12345678
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    shadow uid              sAMAccountName

#sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

I have made a linux user and group called nslcd-user to run nslcd. I 
have also made a samba 4 user called nslcd-user and made a host 
principal with him and exported that to the keytab. However, I'm back at 
the same problem. How do I give the nslcd-user a ticket that nslcd can 
use? I can use kinit and get a ticket cache for nslcd-user, but it only 
lasts for 10 hours. In the docs you referenced, the guy says:

'I have setup a real user that the daemon will run as, and have given 
that user a valid kerberos tgt' and gives this line in /etc/nslcd.conf

krb5_ccname /var/run/nslcd/nslcd.tkt

How has the guy 'given that user a valid kerberos tgt'?

IOW, how do _I_ on openSUSE 12.1 get that magic nslcd.tkt file to put in 
/var/run/nslcd ?????

It's been a long night!
Cheers
Steve
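The question at the end of the thread (how to give the daemon user a TGT that nslcd can use without a 10-hour Administrator kinit) is usually answered by a keytab-based kinit run as that user, plus a check that the cache file has the ownership and mode GSSAPI insists on. The script below is an added example written for this archive page; it is not code from the list, from Samba, or from nss-pam-ldapd. It assumes a daemon user nslcd-user, a keytab /etc/nslcd.keytab exported with samba-tool for the principal nslcd-user@HH3.SITE (readable only by that user), and the cache path /var/run/nslcd/nslcd.tkt from the quoted guide; all four are placeholders to adjust.

```shell
#!/bin/sh
# Added example for this thread (not from the list, Samba or nss-pam-ldapd):
# obtain a Kerberos TGT for a service account from a keytab and verify that
# the resulting credentials cache is usable by the daemon.

NSLCD_USER="nslcd-user"                 # assumption: the user nslcd runs as
NSLCD_KEYTAB="/etc/nslcd.keytab"        # assumption: keytab readable only by that user
NSLCD_PRINC="nslcd-user@HH3.SITE"       # assumption: principal exported into the keytab
NSLCD_CCACHE="/var/run/nslcd/nslcd.tkt" # must match krb5_ccname in /etc/nslcd.conf

# Build the kinit command line. "-k -t" takes the key from the keytab, so no
# password and no interactive login are needed; "-c" writes to the cache file
# nslcd is configured to read instead of root's /tmp/krb5cc_0.
kinit_cmd() {
    printf 'kinit -k -t %s -c %s %s' "$NSLCD_KEYTAB" "$NSLCD_CCACHE" "$NSLCD_PRINC"
}

# Return 0 only if the cache file exists, belongs to the given user and has
# no group/other permission bits. A cache owned by root, or left 0644, is what
# produces the "Credentials cache permissions incorrect" GSSAPI error quoted
# above. Uses GNU stat (-c), i.e. Linux.
ccache_perms_ok() {
    f="$1"
    want_user="$2"
    [ -f "$f" ] || return 1
    owner=$(stat -c '%U' "$f" 2>/dev/null) || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    [ "$owner" = "$want_user" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Obtain (or re-obtain) the TGT as the daemon user so the cache is created
# with that user's ownership, then verify it. Schedule this from cron or a
# systemd timer more often than the ticket lifetime (10 hours in the thread).
renew_tgt() {
    command -v kinit >/dev/null 2>&1 || { echo "kinit not installed" >&2; return 1; }
    su -s /bin/sh -c "$(kinit_cmd)" "$NSLCD_USER" || return 1
    chmod 600 "$NSLCD_CCACHE" || return 1
    ccache_perms_ok "$NSLCD_CCACHE" "$NSLCD_USER"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "renew" ]; then
    renew_tgt
fi
```

Run it as root with the argument `renew` from a timer; the su step matters because a cache kinit-ed as root and then pointed at by krb5_ccname is exactly the permissions failure in the log above. Once this works, sasl_mech GSSAPI can stay enabled and the plaintext bindpw line can come out of /etc/nslcd.conf.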

