[Samba] Samba 4 kerberos and kinit

Michael Wood esiotrot at gmail.com
Fri Jan 13 19:19:49 MST 2012


On 14 January 2012 01:24, steve <steve at steve-ss.com> wrote:
> On 13/01/12 23:46, Michael Wood wrote:
>>
>> On 13 January 2012 14:00, steve<steve at steve-ss.com>  wrote:
>> [...]
>>>
>>> OK
>>> Getting somewhere. I've got rid of the Kerberos: Server not found in
>>> database: krbtgt/SITE at HH3.SITE error.
>>>
>>> Now samba 4 is giving me this:
>>>
>>> ldb_wrap open of secrets.ldb
>>> Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv()
>>> -
>>> NT_STATUS_CONNECTION_DISCONNECTED'
>>> single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv()
>>> -
>>> NT_STATUS_CONNECTION_DISCONNECTED]
>>>
>>> and /var/log/messages this:
>>>
>>> Jan 13 12:19:39 hh3 nslcd[3465]: GSSAPI Error: Unspecified GSS failure.
>>>  Minor code may provide more information (Credentials cache permissions
>>> incorrect)
>>
>> What are the permissions on /usr/local/samba,
>
> drwxr-xr-x 11 root root 4096 Jan 13 04:48 samba
> drwxr-xr-x  9 root root 4096 Jan 14 00:19 private

OK, although private could probably be a bit tighter.

>>  /usr/local/samba/private
>
>
>> and /usr/local/samba/private/secrets.tdb?
>
> -rw-------  1 root root  1286144 Jan 13 04:51 secrets.ldb

Fine.

>>  And also your keytab and
>> the directory it's in.
>
> drwxr-xr-x 118 root root  12288 Jan 13 23:55 etc
> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab

That's fine, but is that what nslcd is using?

>>> Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] failed to bind to LDAP server
>>> ldap://localhost: Local error
>>> Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] no available LDAP server found
>>>
>>> Finally got the new git working. Something must have changed since the
>>> last
>>> checkout I used because I had to comment out the:
>>>
>>> sasl_mech GSSAPI
>>>
>>> in /etc/nslcd.conf
>>
>> This is probably related to the above error.  i.e. it's refusing to
>> use GSSAPI because you have bad permissions somewhere.
>>
> The perms are above, but it makes me none the wiser. Any ideas what these
> permissions should be? What am I losing by not using GSSAPI?
> Thanks
> Steve

-- 
Michael Wood <esiotrot at gmail.com>
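
A mode-bit check for the question raised in the thread (can the account nslcd runs as actually read the keytab or credentials cache, and are the secrets open to anyone else), added here as an example and not part of the original message. It assumes plain POSIX mode bits only (no ACLs, no SELinux/AppArmor, no root override); `first_block`, `exposed`, `demo` and the service uid are hypothetical, and the temporary tree is constructed to mirror the modes shown above.

```python
import os
import tempfile

def first_block(path, uid, gids=(), start="/"):
    """Return the first component from `start` down to `path` that the mode
    bits deny to `uid`, or None if the target is readable. Directories need
    search (x); the target needs read (r). ACLs, root and LSMs are ignored."""
    path, start = os.path.realpath(path), os.path.realpath(start)
    chain = [path]
    while chain[-1] != start and chain[-1] != os.path.dirname(chain[-1]):
        chain.append(os.path.dirname(chain[-1]))
    for p in reversed(chain):
        st = os.stat(p)
        if st.st_uid == uid:          # owner class applies
            bits = st.st_mode >> 6
        elif st.st_gid in gids:       # group class applies
            bits = st.st_mode >> 3
        else:                         # everyone else
            bits = st.st_mode
        if not bits & (0o4 if p == path else 0o1):
            return p
    return None

def exposed(path):
    """True if group or other have any access bits set on `path`."""
    return bool(os.stat(path).st_mode & 0o077)

def demo():
    """Constructed tree: a 0755 directory holding a 0600 secret owned by the
    current user, checked for the owner and for a different service uid."""
    me, other = os.getuid(), os.getuid() + 1   # `other`: hypothetical service uid
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)
    private = os.path.join(base, "private")
    os.mkdir(private)
    os.chmod(private, 0o755)
    keytab = os.path.join(private, "krb5.keytab")
    open(keytab, "wb").close()
    os.chmod(keytab, 0o600)
    return {
        "keytab": keytab,
        "owner_blocked_at": first_block(keytab, me, start=base),
        "service_blocked_at": first_block(keytab, other, start=base),
        "dir_exposed": exposed(private),
        "keytab_exposed": exposed(keytab),
    }

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the uid and group ids of the service account and the path it is configured to use; a non-None result names the component whose mode bits block it.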

