[Samba] Samba 4 ldb_wrap open of idmap.ldb

steve steve at steve-ss.com
Sun Jan 15 09:20:16 MST 2012


On 01/15/2012 04:17 PM, Michael Wood wrote:
> Hi
>
> On 15 January 2012 15:49, steve<steve at steve-ss.com>  wrote:
>> Hi everyone
>> Version 4.0.0alpha18-GIT-bfc7481
>>
>> I'm using nslcd to map Samba 4 users to uid:gid and home directory. At
>> startup I get this:
>>
>> ldb_wrap open of secrets.ldb
>> WARNING: no socket to connect to
>>
>> and /var/log/messages shows:
>>
>> Jan 15 14:20:13 hh3 nslcd[2425]: [334873] failed to bind to LDAP server ldap://hh3.site/: Can't contact LDAP server: Transport endpoint is not connected
>> Jan 15 14:20:13 hh3 nslcd[2425]: [334873] no available LDAP server found, sleeping 1 seconds
> [...]
>
> I don't know why the above happens, but...:
>
>> cat /etc/nslcd.conf
> [...]
>> # The user and group nslcd should run as.
>> #uid nslcd
>> #gid nslcd
>> uid nslcd-user
>> gid nslcd-user
> Just a guess, but this might cause a problem.  I believe you created a
> Samba user called nslcd-user and it looks like this is what you're
> trying to use here.  (Also, AD does not support using the same name
> for a user and a group, I believe.)
>
> So before nslcd starts fully it would need to look up those values,
> but in order to do that it needs to talk to Samba.  It seems to me
> that this might be problematic.  Maybe you should use a local Linux
> user for running nslcd and just use the Samba nslcd-user account for
> nslcd's authentication to Samba.
OK. I think you're correct there. I've deleted the Samba 4 user 
nslcd-user and created a host principal instead (you can't create a 
principal for just nslcd, but I thought that as it's running on the host 
then, well. . .):

samba-tool user add host-account
samba-tool spn add host host account
samba-tool domain exportkeytab /etc/krb5.keytab --principal=/host/HH3.SITE

gives me the following keytab:
KVNO Principal
---- 
--------------------------------------------------------------------------
    1 HH3$@HH3.SITE
    1 HH3$@HH3.SITE
    1 HH3$@HH3.SITE
    1 Administrator@HH3.SITE
    1 Administrator@HH3.SITE
    1 Administrator@HH3.SITE
    1 host-account@HH3.SITE
    1 host-account@HH3.SITE
    1 host-account@HH3.SITE
    1 dns-hh3@HH3.SITE
    1 dns-hh3@HH3.SITE
    1 dns-hh3@HH3.SITE
    1 krbtgt@HH3.SITE
    1 krbtgt@HH3.SITE
    1 krbtgt@HH3.SITE
    1 steve2@HH3.SITE
    1 steve2@HH3.SITE
    1 steve2@HH3.SITE
    1 host/HH3.SITE@HH3.SITE
    1 host/HH3.SITE@HH3.SITE
    1 host/HH3.SITE@HH3.SITE
>> # The distinguished name to bind to the server with.
>> # Optional: default is to bind anonymously.
>> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
> I think you want CN=nslcd-user,CN=Users,DC=hh3,DC=site here.
>
>> # The credentials to bind with.
>> # Optional: default is no credentials.
>> # Note that if you set a bindpw you should check the permissions of this
>> file.
>> bindpw 1234@Abc
> I think if your Kerberos config is working correctly this should not
> be necessary.
It seems as though the Samba 4 LDAP needs authentication. Without the 
binddn and password I get:
ldb_wrap open of secrets.ldb
auth_check_password_send: Checking password for unmapped user []\[]@[(null)]
auth_check_password_send: mapped user is: []\[]@[(null)]

and getent passwd fails to show the Samba 4 users. With the binddn and 
passwd:

ldb_wrap open of secrets.ldb
auth_check_password_send: Checking password for unmapped user 
[CACTUS]\[Administrator]@[(null)]
auth_check_password_send: mapped user is: [CACTUS]\[Administrator]@[(null)]
Terminating connection - 'ldapsrv_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

getent springs to life and all is well.
>> #sasl_mech GSSAPI
>> sasl_realm HH3.SITE
>> #krb5_ccname /tmp/krb5cc_0
> Try using /var/run/nslcd/nslcd.tkt after exporting the nslcd-user's
> SPN to it and making sure nslcd can read it.
That seems impossible to do. But I'll return here if what I've done so 
far doesn't work. I think this comes down to the differences between 
kerberos user accounts, with passwords, and kerberos machine accounts 
without passwords but with principals instead. Does that make sense?

All seems well. steve2 can log in both here on the server, on an openSUSE 
client and on a win 7 client, so he must have a ticket somewhere. klist 
gives:
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
so the tickets must be stored internally somewhere or maybe somewhere in 
Australia;)

After
kinit steve2
Password for steve2@HH3.SITE:
Warning: Your password will expire in 40 days on Fri Feb 24 18:37:06 2012

and
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: steve2@HH3.SITE

Valid starting     Expires            Service principal
01/15/12 16:58:00  01/16/12 02:58:00  krbtgt/HH3.SITE@HH3.SITE
     renew until 01/16/12 16:57:54
It looks as though steve2 is good for 10 hours. What is the significance 
of Default principal? Surely, if I have created a host principal then I 
want that to be the default principal. Otherwise, everything will 
collapse in 10 hours unless steve2 gets another ticket!

My next question is, will the host principal keep nslcd alive beyond 
then? The other bit is that I created the keytab on the Linux client using
net ads keytab create
after
net ads join
with a minimalist smb.conf containing just domain=, security= and realm=

I wonder if that's enough to keep nslcd up on the client too after 
steve2's ticket has expired.

Ahhggh. My brain hurts!
Thanks for your patience Michael.
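The question above (whose ticket is in the cache, and for how long) is the kind of thing worth checking before trusting a daemon's credentials cache. The following is an added example, not code from the thread or from Samba/nslcd: it parses klist output in the MIT text format quoted in the message and reports why that cache would not keep a daemon such as nslcd alive. The expected daemon principal name and the timestamps are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the klist output quoted in the message.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: steve2@HH3.SITE

Valid starting     Expires            Service principal
01/15/12 16:58:00  01/16/12 02:58:00  krbtgt/HH3.SITE@HH3.SITE
     renew until 01/16/12 16:57:54
"""

TS = "%m/%d/%y %H:%M:%S"                       # klist's short timestamp form
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TGT_RE = re.compile(r"^(%s)\s+(%s)\s+(krbtgt/\S+)" % (STAMP, STAMP), re.M)


def parse_klist(text):
    """Return (default principal, TGT expiry, renew-until) from klist text.

    Expiry and renew-until are datetimes, or None if the field is absent."""
    m = re.search(r"^Default principal:\s*(\S+)", text, re.M)
    principal = m.group(1) if m else None
    tgt = TGT_RE.search(text)
    expires = datetime.strptime(tgt.group(2), TS) if tgt else None
    r = re.search(r"renew until (%s)" % STAMP, text)
    renew = datetime.strptime(r.group(1), TS) if r else None
    return principal, expires, renew


def hours_left(text, now_str):
    """Hours until the TGT expires, measured from now_str (klist format)."""
    _, expires, _ = parse_klist(text)
    if expires is None:
        return 0.0
    return round((expires - datetime.strptime(now_str, TS)).total_seconds() / 3600, 2)


def check_daemon_cache(text, expected_principal, now_str):
    """List reasons this cache is unsuitable for a long-running daemon.

    A daemon should hold its own service principal (re-obtainable from a
    keytab it can read), not a user's TGT that simply lapses when it expires."""
    principal, expires, renew = parse_klist(text)
    problems = []
    if principal != expected_principal:
        problems.append("cache belongs to %s, not %s" % (principal, expected_principal))
    if expires is None:
        problems.append("no TGT in cache")
    elif hours_left(text, now_str) <= 0:
        problems.append("TGT expired")
    elif renew is None:
        problems.append("TGT not renewable")
    return problems
```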