[Samba] Samba 4 and GSSAPI kerberos ldap connect

Gémes Géza geza at kzsdabas.hu
Tue Jan 17 13:40:20 MST 2012


See comments inline:
> Hi everyone
> I'm trying to use kerberos to authenticate to Samba 4 ldap. At the
> moment, I authenticate by specifying the binddn and password in
> /etc/nslcd.conf and all works fine
> If I add the line:
> sasl_mech GSSAPI
That should suffice, but please note, that nslcd should also have access
to some kind of keytab, to authenticate itself.
This is done on Debian/Ubuntu via the /etc/default/nsldcd.conf (mine is
looking like):

# Defaults for nslcd init script

# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.

# Options for k5start.
K5START_PRINCIPAL="host/$(hostname -f)"

And must have k5start installed (it is wrapper which keeps fresh tickets
for long runing services)
> to /etc/nslcd.conf
> and restart nslcd, no one can connect to the database. Nothing works.
> ldapsearch and getent passwd draw a blank.
> ldapsearch -x -b '' -sbase supportedSASLMechanisms
> gives me:
> dn:
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: NTLM
> but ldapsearch -Y GSSAPI gives:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>     additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information
> (Server not found in Kerberos database)
before you can do an SASL/GSSAPI based ldap operation you must have
valid kerberos tickets (so do a kinit first)!
> and Samba gives:
> Kerberos: TGS-REQ Administrator at HH3.SITE from ipv4:
> for ldap/hh3.site at HH3.SITE [canonicalize, renewable]
> Kerberos: Searching referral for hh3.site
> Kerberos: Returning a referral to realm SITE for server
> ldap/hh3.site at HH3.SITE that was not found
> Failed find a single entry for
> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))):
> got 0
> Kerberos: samba_kdc_fetch: could not find principal in DB
> Kerberos: Server not found in database: krbtgt/SITE at HH3.SITE: no such
> entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:
> I've tried making a ldap principal but samba-tool spn doesn't let me
> add an ldap principal.
> Any ideas anyone?
> Thanks,
> Steve


More information about the samba mailing list