[Samba] Samba 4 kerberos and kinit

steve steve at steve-ss.com
Sun Jan 15 15:59:11 MST 2012


On 01/15/2012 10:23 PM, Michael Wood wrote:
> On 15 January 2012 18:32, steve<steve at steve-ss.com>  wrote:
>> On 01/15/2012 04:04 PM, Michael Wood wrote:
>>> On 14 January 2012 12:52, steve<steve at steve-ss.com>   wrote:
>>>> On 14/01/12 03:19, Michael Wood wrote:
>>>>> On 14 January 2012 01:24, steve<steve at steve-ss.com>     wrote:
>>> [...]
>>>>>> drwxr-xr-x 118 root root  12288 Jan 13 23:55 etc
>>>>>> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>>>> That's fine, but is that what nslcd is using?
>>>> Ah. Well spotted! The nslcd docs recommends you run it as a separate
>>>> user,
>>>> so I created a user and group for nslcd and specified them in nslcd.conf.
>>>> nslcd is running as nslcd:nslcd So nslcd can't get inside the keytab. Is
>>>> that correct? (can't test it as am not by the DC at the moment)
>>> Sounds likely.
>>>
>>> So you probably need to export a keytab for your nslcd principal to a
>>> new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd
>>> has permission to read it.  No other user should have read access.
>>>
>> The problem is that I can't have a principal for nslcd. IOW I can't do this:
>> samba-tool spn add nslcd some-user
> I must admit that I don't know why you can't do something like this:
>
> # samba-tool user create nslcd-user --random-password
> User 'nslcd-user' created successfully
> # samba-tool spn add nslcd/hh3.hh3.site nslcd-user
> # samba-tool spn list nslcd-user
> nslcd-user
> User CN=nslcd-user,CN=Users,DC=hh3,DC=site has the following
> servicePrincipalName:
> 	 nslcd/hh3.hh3.site
> # samba-tool domain exportkeytab --principal=nslcd/hh3.hh3.site nslcd.keytab
> # ls -l nslcd.keytab
> -rw------- 1 root root 253 2012-01-15 23:10 nslcd.keytab
>
> If that works, try getting nslcd to use it.
>
>
Hi Michael. The problem is this:

root at hh3:/home/steve# samba-tool user add nslcd-user
New Password:
User 'nslcd-user' created successfully
root at hh3:/home/steve# samba-tool spn add nslcd nslcd-user
root at hh3:/home/steve# samba-tool domain exportkeytab nslcd.keytab --principal=nslcd/HH3.SITE
ERROR(runtime): uncaught exception - Key table entry not found
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
    net.export_keytab(keytab=keytab, principal=principal)

root at hh3:/home/steve# samba-tool domain exportkeytab --principal=nslcd/hh3.hh3.site nslcd.keytab
ERROR(runtime): uncaught exception - Key table entry not found
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
    net.export_keytab(keytab=keytab, principal=principal)

And finally, just for good measure:
root at hh3:/home/steve# samba-tool domain exportkeytab --principal=nslcd/HH3.SITE nslcd.keytab
ERROR(runtime): uncaught exception - Key table entry not found
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
    net.export_keytab(keytab=keytab, principal=principal)

i.e., unlike host and nfs, nslcd cannot be made into a principal to
put in a keytab. Do you think that the host principal will take care of
this even though it is in root:root /etc/krb5.keytab and nslcd is
running as nslcd-user?

Anyway, just 4 hours to go to see if the world collapses when steve2's 
ticket expires. Meanwhile, he's been creating and editing files on both 
win 7 and Linux clients without once being asked for a password. As you 
say, fingers crossed. Do I win 10 €uros!
Cheers,
Steve
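The two checks this thread keeps circling back to are "which principals are actually in the keytab I handed to nslcd?" and "can anyone other than the service user read that file?". The script below is an added example written for this page; it is not part of the thread or of Samba. It reads the version-2 keytab layout that MIT Kerberos, Heimdal and `samba-tool domain exportkeytab` write, lists the principal names it finds, and reports any keytab whose mode grants group or other access. The sample keytab is constructed inline (the realm and host name are taken from the thread; the key bytes, timestamp and kvno values are made up), so it runs offline.

```python
"""Inspect a Kerberos keytab offline: list its principals and check that
only its owner can read it.  Added example for this page; not Samba code."""
import os
import stat
import struct
import tempfile

KEYTAB_V2 = 0x0502          # file magic used by MIT, Heimdal and samba-tool
AES256_CTS_HMAC_SHA1 = 18   # enctype number, used only to build the sample


def _counted(data, off):
    """Read a uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry.

    Layout per entry: int32 size, uint16 ncomp, counted realm, ncomp counted
    components, uint32 name_type, uint32 timestamp, uint8 vno8, keyblock
    (uint16 enctype + counted key), optional uint32 kvno.  A negative size
    marks a deleted slot that must be skipped.
    """
    if struct.unpack_from(">H", data, 0)[0] != KEYTAB_V2:
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:          # deleted entry: jump over the hole
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        off += 4 + 4          # name_type, timestamp: not needed here
        kvno = data[off]
        off += 1
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen       # never expose the key material itself
        if end - off >= 4:    # 32-bit kvno present; overrides vno8 if non-zero
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or kvno
        off = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def has_principal(data, principal):
    """True if an entry for exactly this principal (with realm) exists."""
    return any(p == principal for p, _, _ in parse_keytab(data))


def check_keytab_perms(path, expected_uid=None):
    """Return a list of problems: group/other access, or unexpected owner."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access"
                        % stat.S_IMODE(st.st_mode))
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    return problems


# --- constructed sample keytab (dummy keys, made-up timestamp/kvno) ----------
def _entry(realm, components, kvno, enctype, key):
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">I", 1)              # name_type NT_PRINCIPAL
    body += struct.pack(">I", 1326610000)     # constructed timestamp
    body += struct.pack(">B", kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


SAMPLE_KEYTAB = (
    struct.pack(">H", KEYTAB_V2)
    + _entry("HH3.SITE", ["host", "hh3.hh3.site"], 1, AES256_CTS_HMAC_SHA1, b"\x11" * 32)
    + struct.pack(">i", -8) + b"\x00" * 8     # a deleted slot, as klist would skip
    + _entry("HH3.SITE", ["nslcd", "hh3.hh3.site"], 3, AES256_CTS_HMAC_SHA1, b"\x22" * 32)
)


def demo_perms():
    """Write the sample keytab 0600, check it, loosen to 0644, check again."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    try:
        os.write(fd, SAMPLE_KEYTAB)
        os.close(fd)
        os.chmod(path, 0o600)
        tight = check_keytab_perms(path, os.getuid())
        os.chmod(path, 0o644)
        loose = check_keytab_perms(path, os.getuid())
    finally:
        os.unlink(path)
    return tight, loose


if __name__ == "__main__":
    for principal, kvno, enctype in parse_keytab(SAMPLE_KEYTAB):
        print("%-32s kvno=%d enctype=%d" % (principal, kvno, enctype))
    print("0600:", demo_perms()[0] or "ok", "| 0644:", demo_perms()[1])
```

On a real DC the same listing comes from `klist -k /path/to/keytab` (or `klist -kt` to see timestamps); the point of the offline version is that `has_principal` is exact, so an SPN registered as `nslcd` will not match a lookup for `nslcd/hh3.hh3.site@HH3.SITE`, which is the shape of mismatch that produces "Key table entry not found". Running the permissions check as the service user, or with `expected_uid` set to that user's uid, tells you whether a 0600 root-owned `/etc/krb5.keytab` is even readable by a daemon dropped to `nslcd:nslcd`.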