[Samba] Samba 4 and GSSAPI kerberos ldap connect

steve steve at steve-ss.com
Tue Jan 17 08:10:25 MST 2012

Hi everyone

I'm trying to use kerberos to authenticate to Samba 4 ldap. At the 
moment, I authenticate by specifying the binddn and password in 
/etc/nslcd.conf and all works fine

If I add the line:
sasl_mech GSSAPI
to /etc/nslcd.conf
and restart nslcd, no one can connect to the database. Nothing works. 
ldapsearch and getent passwd draw a blank.

ldapsearch -x -b '' -sbase supportedSASLMechanisms

gives me:

supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM

but ldapsearch -Y GSSAPI gives:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
     additional info: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information 
(Server not found in Kerberos database)

and Samba gives:
Kerberos: TGS-REQ Administrator at HH3.SITE from ipv4: for 
ldap/hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server 
ldap/hh3.site at HH3.SITE that was not found
Failed find a single entry for 
(&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SITE at HH3.SITE: no such 
entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:

I've tried making a ldap principal but samba-tool spn doesn't let me add 
an ldap principal.
Any ideas anyone?


More information about the samba mailing list