[Samba] Samba 4 and GSSAPI kerberos ldap connect

steve steve at steve-ss.com
Wed Jan 18 04:12:05 MST 2012


On 01/17/2012 09:40 PM, Gémes Géza wrote:
> Hi,
>
> See comments inline:
>> Hi everyone
>>
>> I'm trying to use kerberos to authenticate to Samba 4 ldap. At the
>> moment, I authenticate by specifying the binddn and password in
>> /etc/nslcd.conf and all works fine
>>
>> If I add the line:
>> sasl_mech GSSAPI
> That should suffice, but please note, that nslcd should also have access
> to some kind of keytab, to authenticate itself.
> This is done on Debian/Ubuntu via the /etc/default/nsldcd.conf (mine is
> looking like):
>
> # Defaults for nslcd init script
>
> # Whether to start k5start (for obtaining and keeping a Kerberos ticket)
> # By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
> # and krb5_ccname is set to a file-type ticket cache.
> # Set to "yes" to force starting k5start, any other value will not start
> # k5start.
> K5START_START="yes"
>
> # Options for k5start.
> K5START_BIN=/usr/bin/k5start
> K5START_KEYTAB=/etc/krb5.keytab
> K5START_CCREFRESH=60
> K5START_PRINCIPAL="host/$(hostname -f)"
>
> And must have k5start installed (it is a wrapper which keeps fresh tickets
> for long running services)
>> to /etc/nslcd.conf
>> and restart nslcd, no one can connect to the database. Nothing works.
>> ldapsearch and getent passwd draw a blank.
>>
>> ldapsearch -x -b '' -sbase supportedSASLMechanisms
>>
>> gives me:
>>
>> dn:
>> supportedSASLMechanisms: GSS-SPNEGO
>> supportedSASLMechanisms: GSSAPI
>> supportedSASLMechanisms: NTLM
>>
>> but ldapsearch -Y GSSAPI gives:
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>>      additional info: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more information
>> (Server not found in Kerberos database)
>>
> before you can do an SASL/GSSAPI based ldap operation you must have
> valid kerberos tickets (so do a kinit first)!
>> and Samba gives:
>> Kerberos: TGS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:56859
>> for ldap/hh3.site at HH3.SITE [canonicalize, renewable]
>> Kerberos: Searching referral for hh3.site
>> Kerberos: Returning a referral to realm SITE for server
>> ldap/hh3.site at HH3.SITE that was not found
>> Failed find a single entry for
>> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))):
>> got 0
>> Kerberos: samba_kdc_fetch: could not find principal in DB
>> Kerberos: Server not found in database: krbtgt/SITE at HH3.SITE: no such
>> entry found in hdb
>> Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:56859
>>
>> I've tried making a ldap principal but samba-tool spn doesn't let me
>> add an ldap principal.
>> Any ideas anyone?
>>
>> Thanks,
>> Steve
> Regards
>
> Geza
Hi Geza

OK. Now on Ubuntu. I have k5init installed and have made a host principal:

klist -k /etc/host.keytab
Keytab name: WRFILE:/etc/host.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    1 host/HH3.SITE at HH3.SITE
    1 host/HH3.SITE at HH3.SITE
    1 host/HH3.SITE at HH3.SITE

Just to be sure I have:
  ls -la /etc/host.keytab
-rw-rw-rw- 1 root root 193 2012-01-18 11:34 /etc/host.keytab

cat /etc/default/nslcd
# Defaults for nslcd init script

# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
K5START_START="yes"

# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/host.keytab
K5START_CCREFRESH=60
#K5START_PRINCIPAL="host/$(hostname -f)"
K5START_PRINCIPAL="host/HH3.SITE -f"

I did kinit Administrator and have a cache in /tmp/krbcc_0

cat /etc/nslcd.conf
uid nslcd
gid nslcd

uri ldap://127.0.0.1

base dc=hh3,dc=site

binddn cn=Administrator,cn=Users,dc=hh3,dc=site

map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    shadow uid              sAMAccountName

sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

But:

  service nslcd restart
  * Restarting LDAP connection daemon nslcd                        [ OK ]
  * Stopping Keep alive Kerberos ticket k5start
  No process in pidfile '/var/run/nslcd/k5start_nslcd.pid' found running; none killed.
                                                                   [ OK ]
  * Starting Keep alive Kerberos ticket k5start
  k5start: error getting credentials: Client not found in Kerberos database
                                                                   [fail]
                                                                   [ OK ]

and Samba gives:
Kerberos: AS-REQ host/HH3.SITE at HH3.SITE from ipv4:192.168.1.3:38618 for krbtgt/HH3.SITE at HH3.SITE
Kerberos: UNKNOWN -- host/HH3.SITE at HH3.SITE: no such entry found in hdb

Why isn't the host principal being found?

Ahhgg!!
Where to start?
Any ideas?
Cheers,
Steve
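The thread turns on two things a service keytab for nslcd/k5start has to get right: the principal stored in the keytab must be one the KDC actually knows (the KDC here rejects the client with "Client not found in Kerberos database"), and the keytab file, which is a long-lived credential, must not be readable by anyone but the service. The script below is an added example for checking both before pointing k5start at a keytab; it is not part of the thread or of the nslcd or k5start projects. It assumes GNU coreutils `stat`, uses the realm HH3.SITE from the thread, and works on a constructed copy of `klist -k` output (the hostname `ubuntu.hh3.site` in it is made up) so that it runs without a KDC. The "host/<lowercase fqdn>@REALM" shape it enforces is the conventional machine-principal form, applied here as a heuristic.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): hygiene checks for a
# keytab that a long-running service such as nslcd via k5start will use
# for GSSAPI LDAP binds. Assumes GNU coreutils stat.

# Constructed `klist -k` output; the hostname ubuntu.hh3.site is made up.
SAMPLE_KLIST='Keytab name: FILE:/etc/host.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/HH3.SITE@HH3.SITE
   1 host/HH3.SITE@HH3.SITE
   2 host/ubuntu.hh3.site@HH3.SITE'

# Return 0 when the keytab is readable only by its owner (mode 600 or 400).
# A keytab is a reusable credential: world-readable means anyone on the box
# can obtain tickets as the service.
keytab_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the distinct principals from `klist -k` output read on stdin.
# Skips the three header lines (Keytab name, column titles, rule).
keytab_principals() {
    awk 'NR > 3 && NF >= 2 { print $2 }' | sort -u
}

# Count distinct principals in `klist -k` output read on stdin.
count_principals() {
    keytab_principals | wc -l | tr -d ' '
}

# Return 0 when a principal has the machine-account form the KDC expects,
# host/<fqdn>@<REALM>, where <fqdn> is a lowercase dotted hostname rather
# than the realm name itself. Kerberos principal names are case-sensitive.
principal_form_ok() {
    p=$1
    realm=$2
    case "$p" in
        host/*@"$realm") inst=${p#host/}; inst=${inst%@*} ;;
        *)               return 1 ;;
    esac
    case "$inst" in
        *[A-Z]*) return 1 ;;   # uppercase instance: likely the realm, not a host
        *.*)     return 0 ;;   # dotted lowercase name: looks like an FQDN
        *)       return 1 ;;   # short name: will not match DNS-based service lookup
    esac
}

# Report on the constructed keytab listing.
printf '%s\n' "$SAMPLE_KLIST" | keytab_principals | while read -r p; do
    if principal_form_ok "$p" HH3.SITE; then
        echo "ok    $p"
    else
        echo "check $p: not of the form host/<fqdn>@HH3.SITE"
    fi
done
```

Run it against a real keytab with `klist -k /etc/host.keytab | keytab_principals` and `keytab_perms_ok /etc/host.keytab`; a principal flagged by `principal_form_ok` is worth comparing against the account actually provisioned in the directory before blaming the KDC.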


