[Samba] Samba 4 and GSSAPI kerberos ldap connect

steve steve at steve-ss.com
Thu Jan 19 03:38:22 MST 2012


On 01/18/2012 09:56 PM, Gémes Géza wrote:
> On 2012-01-18 12:12, steve wrote:
>> On 01/17/2012 09:40 PM, Gémes Géza wrote:
>>> Hi,
>>>
>>> See comments inline:
>>>> Hi everyone
>>>>
>>>> I'm trying to use kerberos to authenticate to Samba 4 ldap. At the
>>>> moment, I authenticate by specifying the binddn and password in
>>>> /etc/nslcd.conf and all works fine
>>>>
>>>> If I add the line:
>>>> sasl_mech GSSAPI
>>> That should suffice, but please note, that nslcd should also have access
>>> to some kind of keytab, to authenticate itself.
>>> This is done on Debian/Ubuntu via the /etc/default/nslcd.conf (mine is
>>> looking like):
>>>
>>> # Defaults for nslcd init script
>>>
>>> # Whether to start k5start (for obtaining and keeping a Kerberos ticket)
>>> # By default k5start is started if nslcd.conf has sasl_mech set to
>>> GSSAPI
>>> # and krb5_ccname is set to a file-type ticket cache.
>>> # Set to "yes" to force starting k5start, any other value will not start
>>> # k5start.
>>> K5START_START="yes"
>>>
>>> # Options for k5start.
>>> K5START_BIN=/usr/bin/k5start
>>> K5START_KEYTAB=/etc/krb5.keytab
>>> K5START_CCREFRESH=60
>>> K5START_PRINCIPAL="host/$(hostname -f)"
>>>
>>> And must have k5start installed (it is a wrapper which keeps fresh tickets
>>> for long running services)
>>>> to /etc/nslcd.conf
>>>> and restart nslcd, no one can connect to the database. Nothing works.
>>>> ldapsearch and getent passwd draw a blank.
>>>>
>>>> ldapsearch -x -b '' -sbase supportedSASLMechanisms
>>>>
>>>> gives me:
>>>>
>>>> dn:
>>>> supportedSASLMechanisms: GSS-SPNEGO
>>>> supportedSASLMechanisms: GSSAPI
>>>> supportedSASLMechanisms: NTLM
>>>>
>>>> but ldapsearch -Y GSSAPI gives:
>>>> SASL/GSSAPI authentication started
>>>> ldap_sasl_interactive_bind_s: Local error (-2)
>>>>       additional info: SASL(-1): generic failure: GSSAPI Error:
>>>> Unspecified GSS failure.  Minor code may provide more information
>>>> (Server not found in Kerberos database)
>>>>
>>> before you can do an SASL/GSSAPI based ldap operation you must have
>>> valid kerberos tickets (so do a kinit first)!
>>>> and Samba gives:
>>>> Kerberos: TGS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:56859
>>>> for ldap/hh3.site at HH3.SITE [canonicalize, renewable]
>>>> Kerberos: Searching referral for hh3.site
>>>> Kerberos: Returning a referral to realm SITE for server
>>>> ldap/hh3.site at HH3.SITE that was not found
>>>> Failed find a single entry for
>>>> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))):
>>>> got 0
>>>> Kerberos: samba_kdc_fetch: could not find principal in DB
>>>> Kerberos: Server not found in database: krbtgt/SITE at HH3.SITE: no such
>>>> entry found in hdb
>>>> Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:56859
>>>>
>>>> I've tried making a ldap principal but samba-tool spn doesn't let me
>>>> add an ldap principal.
>>>> Any ideas anyone?
>>>>
>>>> Thanks,
>>>> Steve
>>> Regards
>>>
>>> Geza
>> Hi Geza
>>
>> OK. Now on Ubuntu. I have k5init installed and have made a host
>> principal:
>>
>> klist -k /etc/host.keytab
>> Keytab name: WRFILE:/etc/host.keytab
>> KVNO Principal
>> ----
>> --------------------------------------------------------------------------
>>     1 host/HH3.SITE at HH3.SITE
>>     1 host/HH3.SITE at HH3.SITE
>>     1 host/HH3.SITE at HH3.SITE
>>
>> Just to be sure I have:
>>   ls -la /etc/host.keytab
>> -rw-rw-rw- 1 root root 193 2012-01-18 11:34 /etc/host.keytab
>>
>> cat /etc/default/nslcd
>> # Defaults for nslcd init script
>>
>> # Whether to start k5start (for obtaining and keeping a Kerberos ticket)
>> # By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
>> # and krb5_ccname is set to a file-type ticket cache.
>> # Set to "yes" to force starting k5start, any other value will not start
>> # k5start.
>> K5START_START="yes"
>>
>> # Options for k5start.
>> K5START_BIN=/usr/bin/k5start
>> K5START_KEYTAB=/etc/host.keytab
>> K5START_CCREFRESH=60
>> #K5START_PRINCIPAL="host/$(hostname -f)"
>> K5START_PRINCIPAL="host/HH3.SITE -f"
>>
>> I did kinit Administrator and have a cache in /tmp/krbcc_0
>>
>> cat /etc/nslcd.conf
>> uid nslcd
>> gid nslcd
>>
>> uri ldap://127.0.0.1
>>
>> base dc=hh3,dc=site
>>
>> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
>>
>> map    passwd uid              sAMAccountName
>> map    passwd homeDirectory    unixHomeDirectory
>> map    shadow uid              sAMAccountName
>>
>> sasl_mech GSSAPI
>> sasl_realm HH3.SITE
>> krb5_ccname /tmp/krb5cc_0
>>
>> But:
>>
>>   service nslcd restart
>>   * Restarting LDAP connection daemon
>> nslcd                               [ OK ]
>>   * Stopping Keep alive Kerberos ticket
>> k5start                                  No process in pidfile
>> '/var/run/nslcd/k5start_nslcd.pid' found running; none killed.
>>
>> [ OK ]
>>   * Starting Keep alive Kerberos ticket
>> k5start                                  k5start: error getting
>> credentials: Client not found in Kerberos database
>>
>> [fail]
>>
>> [ OK ]
>>
>> and Samba gives:
>> Kerberos: AS-REQ host/HH3.SITE at HH3.SITE from ipv4:192.168.1.3:38618
>> for krbtgt/HH3.SITE at HH3.SITE
>> Kerberos: UNKNOWN -- host/HH3.SITE at HH3.SITE: no such entry found in hdb
>>
>> Why isn't the host principal being found?
>>
>> Ahhgg!!
>> Where to start?
>> Any ideas?
>> Cheers,
>> Steve
>>
> Hi,
>
> First of all /etc/host.keytab shouldn't be writable. But that is a
> different story.
> On the other hand kerberos could get confused by having a host principal
> for the realm name (I've seen your realm is named HH3.SITE and your host
> principal is host/HH3.SITE). I would create a special
> nslcd-domain-account and extract the keytab for it, and use that
> account+keytab. Or if you prefer create a host account for each host you
> have and extract a keytab for each of them. The example I've sent you
> uses the second method ($(hostname -f) returns the fqdn (if it is set in
> /etc/hostname, a common mistake is to have just the first part set in
> that file).
> Another possible error sources could be:
> K5START_PRINCIPAL="host/HH3.SITE -f" <- You definitely don't need a -f
> there!
> I wouldn't use a binddn with an sasl bind.
>
> Regards
>
> Geza
Progress:
  klist -k /etc/krb5.keytab | grep host-account
    1 host-account at HH3.SITE
    1 host-account at HH3.SITE
    1 host-account at HH3.SITE

cat /etc/default/nslcd
K5START_START="yes"
# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host-account at HH3.SITE"

service nslcd restart
Kerberos: AS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:49240 for 
krbtgt/HH3.SITE at HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- host-account at HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- host-account at HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- 
host-account at HH3.SITE
Kerberos: AS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:35595 for 
krbtgt/HH3.SITE at HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- host-account at HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- host-account at HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- host-account at HH3.SITE 
using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-01-19T11:19:01 starttime: unset endtime: 
2012-01-19T21:19:01 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using 
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok

  service nslcd restart
  * Restarting LDAP connection daemon 
nslcd                               [ OK ]
  * Stopping Keep alive Kerberos ticket 
k5start                           [ OK ]
  * Starting Keep alive Kerberos ticket 
k5start                           [ OK ]

getent passwd
syslog gives:
Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] failed to bind to LDAP server 
ldap://hh3.hh3.site: Unknown authentication method: Operation now in 
progress
Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] no available LDAP server found
samba gives:
ldb_wrap open of secrets.ldb
Terminating connection - 'ldapsrv_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

The only way I can bind is by removing the sasl_mech GSSAPI and giving 
the binddn and bindpw in /etc/nslcd.conf

So I'm stuck with 'Unknown authentication method'. Are we sure that 
nslcd can bind using Kerberos?

Thanks for your patience,
Steve
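Several of the problems raised in this thread are plain configuration inconsistencies that can be caught before touching the KDC: a K5START_PRINCIPAL carrying stray tokens, a host principal named after the realm instead of the host FQDN, a binddn left in nslcd.conf alongside sasl_mech GSSAPI, and a k5start keytab path that does not match the keytab actually listed. The following script is an added example written for this page, not code from the thread, nslcd or k5start; the sample inputs are constructed from the configs posted above (with "@" restored where the list archive prints " at "), and the function names (parse_kv, parse_nslcd_conf, parse_klist, check_setup) are hypothetical helpers.

```python
import re

# Constructed sample input modelled on the first attempt in the thread.
DEFAULT_NSLCD_BROKEN = '''
K5START_START="yes"
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/host.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host/HH3.SITE -f"
'''
NSLCD_CONF_BROKEN = '''
uid nslcd
gid nslcd
uri ldap://127.0.0.1
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
'''
KLIST_BROKEN = '''Keytab name: WRFILE:/etc/host.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   1 host/HH3.SITE@HH3.SITE
   1 host/HH3.SITE@HH3.SITE
'''

# Constructed sample input modelled on the corrected attempt (dedicated account).
DEFAULT_NSLCD_FIXED = '''
K5START_START="yes"
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host-account@HH3.SITE"
'''
NSLCD_CONF_FIXED = '''
uid nslcd
gid nslcd
uri ldap://127.0.0.1
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
'''
KLIST_FIXED = '''Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   1 host-account@HH3.SITE
'''


def parse_kv(text):
    """Parse shell-style KEY=value lines (as in /etc/default/nslcd)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep:
            out[key.strip()] = val.strip().strip('"')
    return out


def parse_nslcd_conf(text):
    """Parse nslcd.conf 'keyword value' lines into keyword -> [values]."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return out


def parse_klist(text):
    """Parse `klist -k` output into (keytab path, set of principals)."""
    path, principals = None, set()
    for line in text.splitlines():
        m = re.match(r"Keytab name:\s*(?:WRFILE|FILE):(\S+)", line)
        if m:
            path = m.group(1)
            continue
        m = re.match(r"\s*\d+\s+(\S+@\S+)", line)  # KVNO principal@REALM
        if m:
            principals.add(m.group(1))
    return path, principals


def check_setup(default_nslcd, nslcd_conf, klist_output):
    """Return a list of human-readable findings; empty means consistent."""
    findings = []
    defaults = parse_kv(default_nslcd)
    conf = parse_nslcd_conf(nslcd_conf)
    keytab_path, keytab = parse_klist(klist_output)
    realm = conf.get("sasl_realm", [""])[0]
    principal = defaults.get("K5START_PRINCIPAL", "")

    # A literal principal must be a single token; $(hostname -f) is left alone.
    if "$(" in principal:
        name = ""
    else:
        tokens = principal.split()
        if len(tokens) > 1:
            findings.append("K5START_PRINCIPAL %r carries extra tokens; use the bare principal" % principal)
        name = tokens[0] if tokens else ""
        if name and "@" not in name and realm:
            name += "@" + realm

    if name and name not in keytab:
        findings.append("principal %s is not in the keytab" % name)
    if name.startswith("host/") and realm and name[5:].split("@")[0].upper() == realm.upper():
        findings.append("host principal %s is named after the realm, not the host FQDN" % name)
    if defaults.get("K5START_KEYTAB") and keytab_path and defaults["K5START_KEYTAB"] != keytab_path:
        findings.append("K5START_KEYTAB %s does not match listed keytab %s" % (defaults["K5START_KEYTAB"], keytab_path))
    if "GSSAPI" in conf.get("sasl_mech", []):
        if "binddn" in conf:
            findings.append("binddn is set alongside sasl_mech GSSAPI; drop it for a SASL bind")
        if "krb5_ccname" not in conf:
            findings.append("sasl_mech GSSAPI without krb5_ccname; k5start has nowhere to put the ticket")
    return findings


if __name__ == "__main__":
    for label, args in (("broken", (DEFAULT_NSLCD_BROKEN, NSLCD_CONF_BROKEN, KLIST_BROKEN)),
                        ("fixed", (DEFAULT_NSLCD_FIXED, NSLCD_CONF_FIXED, KLIST_FIXED))):
        print(label, check_setup(*args) or ["no findings"])
```

On a real host the three inputs would come from `cat /etc/default/nslcd`, `cat /etc/nslcd.conf` and `klist -k <keytab>`; the checks are static, so they do not explain a bind that still fails after they pass (the later "Unknown authentication method" error in the thread is a runtime SASL problem these checks cannot see).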

