[Samba] Samba 4 kerberos and kinit

Michael Wood esiotrot at gmail.com
Sun Jan 15 14:26:09 MST 2012

Sorry, forgot to copy the list.

On 15 January 2012 18:32, steve <steve at steve-ss.com> wrote:
> On 01/15/2012 04:04 PM, Michael Wood wrote:
>> On 14 January 2012 12:52, steve<steve at steve-ss.com>  wrote:
>>> On 14/01/12 03:19, Michael Wood wrote:
>>>> On 14 January 2012 01:24, steve<steve at steve-ss.com>    wrote:
>> [...]
>>>>> drwxr-xr-x 118 root root  12288 Jan 13 23:55 etc
>>>>> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>>> That's fine, but is that what nslcd is using?
>>> Ah. Well spotted! The nslcd docs recommends you run it as a separate
>>> user,
>>> so I created a user and group for nslcd and specified them in nslcd.conf.
>>> nslcd is running as nslcd:nslcd So nslcd can't get inside the keytab. Is
>>> that correct? (can't test it as am not by the DC at the moment)
>> Sounds likely.
>> So you probably need to export a keytab for your nslcd principal to a
>> new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd
>> has permission to read it.  No other user should have read access.
> The problem is that I can't have a principal for nslcd. IOW I can't do this:
> samba-tool spn add nslcd some-user

I must admit that I don't know why you can't do something like this:

# samba-tool user create nslcd-user --random-password
User 'nslcd-user' created successfully
# samba-tool spn add nslcd/hh3.hh3.site nslcd-user
# samba-tool spn list nslcd-user
User CN=nslcd-user,CN=Users,DC=hh3,DC=site has the following
# samba-tool domain exportkeytab --principal=nslcd/hh3.hh3.site nslcd.keytab
# ls -l nslcd.keytab
-rw------- 1 root root 253 2012-01-15 23:10 nslcd.keytab

If that works, try getting nslcd to use it.

> I could do this
> samba-tool spn add host someuser
> but already have a host principal added to the main keytab.
> I keep coming back to this. I can have a principal for host and I can have a
> principal for nfs but I can't have a principal for nslcd. Even tough

Why if you can do it for NFS, why not for nslcd?

> /etc/nslcd.conf allows me to add a kerberos realm, is that good enough?

Well, either it will need to have the password hard coded in the
config file like you have it at the moment, I believe, or it will need
a ticket to access the directory.

> Anyway, I've a 10 hour experiment in progress as on the other thread.
> Fingers crossed!

Michael Wood <esiotrot at gmail.com>

More information about the samba mailing list