[Samba] Samba 4 and GSSAPI kerberos ldap connect
Gémes Géza
geza at kzsdabas.hu
Tue Jan 17 13:40:20 MST 2012
Hi,
See comments inline:
> Hi everyone
>
> I'm trying to use kerberos to authenticate to Samba 4 ldap. At the
> moment, I authenticate by specifying the binddn and password in
> /etc/nslcd.conf and all works fine
>
> If I add the line:
> sasl_mech GSSAPI
That should suffice, but please note, that nslcd should also have access
to some kind of keytab, to authenticate itself.
This is done on Debian/Ubuntu via the /etc/default/nsldcd.conf (mine is
looking like):
# Defaults for nslcd init script
# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
K5START_START="yes"
# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host/$(hostname -f)"
And must have k5start installed (it is wrapper which keeps fresh tickets
for long runing services)
> to /etc/nslcd.conf
> and restart nslcd, no one can connect to the database. Nothing works.
> ldapsearch and getent passwd draw a blank.
>
> ldapsearch -x -b '' -sbase supportedSASLMechanisms
>
> gives me:
>
> dn:
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: NTLM
>
> but ldapsearch -Y GSSAPI gives:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Server not found in Kerberos database)
>
before you can do an SASL/GSSAPI based ldap operation you must have
valid kerberos tickets (so do a kinit first)!
> and Samba gives:
> Kerberos: TGS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:56859
> for ldap/hh3.site at HH3.SITE [canonicalize, renewable]
> Kerberos: Searching referral for hh3.site
> Kerberos: Returning a referral to realm SITE for server
> ldap/hh3.site at HH3.SITE that was not found
> Failed find a single entry for
> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))):
> got 0
> Kerberos: samba_kdc_fetch: could not find principal in DB
> Kerberos: Server not found in database: krbtgt/SITE at HH3.SITE: no such
> entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:56859
>
> I've tried making a ldap principal but samba-tool spn doesn't let me
> add an ldap principal.
> Any ideas anyone?
>
> Thanks,
> Steve
Regards
Geza
More information about the samba
mailing list