[Samba] Samba 4 and GSSAPI kerberos ldap connect
steve
steve at steve-ss.com
Wed Jan 18 04:12:05 MST 2012
On 01/17/2012 09:40 PM, Gémes Géza wrote:
> Hi,
>
> See comments inline:
>> Hi everyone
>>
>> I'm trying to use kerberos to authenticate to Samba 4 ldap. At the
>> moment, I authenticate by specifying the binddn and password in
>> /etc/nslcd.conf and all works fine
>>
>> If I add the line:
>> sasl_mech GSSAPI
> That should suffice, but please note, that nslcd should also have access
> to some kind of keytab, to authenticate itself.
> This is done on Debian/Ubuntu via the /etc/default/nsldcd.conf (mine is
> looking like):
>
> # Defaults for nslcd init script
>
> # Whether to start k5start (for obtaining and keeping a Kerberos ticket)
> # By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
> # and krb5_ccname is set to a file-type ticket cache.
> # Set to "yes" to force starting k5start, any other value will not start
> # k5start.
> K5START_START="yes"
>
> # Options for k5start.
> K5START_BIN=/usr/bin/k5start
> K5START_KEYTAB=/etc/krb5.keytab
> K5START_CCREFRESH=60
> K5START_PRINCIPAL="host/$(hostname -f)"
>
> And must have k5start installed (it is wrapper which keeps fresh tickets
> for long runing services)
>> to /etc/nslcd.conf
>> and restart nslcd, no one can connect to the database. Nothing works.
>> ldapsearch and getent passwd draw a blank.
>>
>> ldapsearch -x -b '' -sbase supportedSASLMechanisms
>>
>> gives me:
>>
>> dn:
>> supportedSASLMechanisms: GSS-SPNEGO
>> supportedSASLMechanisms: GSSAPI
>> supportedSASLMechanisms: NTLM
>>
>> but ldapsearch -Y GSSAPI gives:
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>> additional info: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure. Minor code may provide more information
>> (Server not found in Kerberos database)
>>
> before you can do an SASL/GSSAPI based ldap operation you must have
> valid kerberos tickets (so do a kinit first)!
>> and Samba gives:
>> Kerberos: TGS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:56859
>> for ldap/hh3.site at HH3.SITE [canonicalize, renewable]
>> Kerberos: Searching referral for hh3.site
>> Kerberos: Returning a referral to realm SITE for server
>> ldap/hh3.site at HH3.SITE that was not found
>> Failed find a single entry for
>> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))):
>> got 0
>> Kerberos: samba_kdc_fetch: could not find principal in DB
>> Kerberos: Server not found in database: krbtgt/SITE at HH3.SITE: no such
>> entry found in hdb
>> Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:56859
>>
>> I've tried making a ldap principal but samba-tool spn doesn't let me
>> add an ldap principal.
>> Any ideas anyone?
>>
>> Thanks,
>> Steve
> Regards
>
> Geza
Hi Geza
OK. Now on Ubuntu. I have k5init installed and have made a host principal:
klist -k /etc/host.keytab
Keytab name: WRFILE:/etc/host.keytab
KVNO Principal
----
--------------------------------------------------------------------------
1 host/HH3.SITE at HH3.SITE
1 host/HH3.SITE at HH3.SITE
1 host/HH3.SITE at HH3.SITE
Just to be sure I have:
ls -la /etc/host.keytab
-rw-rw-rw- 1 root root 193 2012-01-18 11:34 /etc/host.keytab
cat /etc/default/nslcd
# Defaults for nslcd init script
# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
K5START_START="yes"
# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/host.keytab
K5START_CCREFRESH=60
#K5START_PRINCIPAL="host/$(hostname -f)"
K5START_PRINCIPAL="host/HH3.SITE -f"
I did kinit Administrator and have a cache in /tmp/krbcc_0
cat /etc/nslcd.conf
uid nslcd
gid nslcd
uri ldap://127.0.0.1
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
But:
service nslcd restart
* Restarting LDAP connection daemon
nslcd [ OK ]
* Stopping Keep alive Kerberos ticket
k5start No process in pidfile
'/var/run/nslcd/k5start_nslcd.pid' found running; none killed.
[ OK ]
* Starting Keep alive Kerberos ticket
k5start k5start: error getting
credentials: Client not found in Kerberos database
[fail]
[ OK ]
and Samba gives:
Kerberos: AS-REQ host/HH3.SITE at HH3.SITE from ipv4:192.168.1.3:38618 for
krbtgt/HH3.SITE at HH3.SITE
Kerberos: UNKNOWN -- host/HH3.SITE at HH3.SITE: no such entry found in hdb
Why isn't the host principal being found?
Ahhgg!!
Where to start?
Any ideas?
Cheers,
Steve
More information about the samba
mailing list