[Samba] Samba 4 and GSSAPI kerberos ldap connect

Gémes Géza geza at kzsdabas.hu
Thu Jan 19 10:35:21 MST 2012
> Progress:
>  klist -k /etc/krb5.keytab | grep host-account
>    1 host-account at HH3.SITE
>    1 host-account at HH3.SITE
>    1 host-account at HH3.SITE
>
> cat /etc/default/nslcd
> K5START_START="yes"
> # Options for k5start.
> K5START_BIN=/usr/bin/k5start
> K5START_KEYTAB=/etc/krb5.keytab
> K5START_CCREFRESH=60
> K5START_PRINCIPAL="host-account at HH3.SITE"
>
> service nslcd restart
> Kerberos: AS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:49240 for
> krbtgt/HH3.SITE at HH3.SITE
> Kerberos: Client sent patypes: 149
> Kerberos: Looking for PKINIT pa-data -- host-account at HH3.SITE
> Kerberos: Looking for ENC-TS pa-data -- host-account at HH3.SITE
> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> host-account at HH3.SITE
> Kerberos: AS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:35595 for
> krbtgt/HH3.SITE at HH3.SITE
> Kerberos: Client sent patypes: encrypted-timestamp, 149
> Kerberos: Looking for PKINIT pa-data -- host-account at HH3.SITE
> Kerberos: Looking for ENC-TS pa-data -- host-account at HH3.SITE
> Kerberos: ENC-TS Pre-authentication succeeded -- host-account at HH3.SITE
> using arcfour-hmac-md5
> Kerberos: AS-REQ authtime: 2012-01-19T11:19:01 starttime: unset
> endtime: 2012-01-19T21:19:01 renew till: unset
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
> arcfour-hmac-md5/arcfour-hmac-md5
> Kerberos: Requested flags: renewable-ok
>
>  service nslcd restart
>  * Restarting LDAP connection daemon
> nslcd                               [ OK ]
>  * Stopping Keep alive Kerberos ticket
> k5start                           [ OK ]
>  * Starting Keep alive Kerberos ticket
> k5start                           [ OK ]
>
> getent passwd
> syslog gives:
> Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] failed to bind to LDAP
> server ldap://hh3.hh3.site: Unknown authentication method: Operation
> now in progress
> Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] no available LDAP server found
> samba gives:
> ldb_wrap open of secrets.ldb
> Terminating connection - 'ldapsrv_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>
> The only way I can bind is by removing the sasl_mech GSSAPI and giving
> the binddn and bindpw in /etc/nslcd.conf
>
> So I'm stuck with 'Unknown authentication method'. Are we sure that
> nslcd can bind using Kerberos?
>
> Thanks for your patience,
> Steve

Hi,

Even if you are scared to death of samba-technical I'm posting it there
as well, maybe someone can answer the questions which arise when I tried
to check out your use case.
So I've tried first:
# ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI

gives:
SASL/GSSAPI authentication started
SASL username: Administrator at KZSDABAS.HU
SASL SSF: 56
SASL data security layer installed.
No such object (32)
Additional information: empty base DN at
../source4/dsdb/samdb/ldb_modules/partition.c:617

and

# ldapwhoami -H ldap://samba4.kzsdabas.hu -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: Administrator at KZSDABAS.HU
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
    additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not
supported
Result: Protocol error (2)
Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported

So the question is does the Samba4 LDAP server support SASL/GSSAPI based
binding?

Cheers

Geza
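As an added example (not code from either poster), a small Python checker that runs the two checks a defender would want over log lines like the ones quoted in this thread: it flags AS-REQs where the client offered AES but the KDC settled on RC4, and it surfaces nslcd's GSSAPI bind failures as distinct events. The sample lines are constructed from the thread's output and unwrapped onto single lines.

```python
import re

# Constructed sample lines, modelled on the KDC and syslog output quoted in the thread.
KDC_LOG = """\
Kerberos: AS-REQ host-account@HH3.SITE from ipv4:192.168.1.3:35595 for krbtgt/HH3.SITE@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: ENC-TS Pre-authentication succeeded -- host-account@HH3.SITE using arcfour-hmac-md5
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
"""
SYSLOG = """\
Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] failed to bind to LDAP server ldap://hh3.hh3.site: Unknown authentication method: Operation now in progress
Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] no available LDAP server found
"""

STRONG = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
WEAK = {"arcfour-hmac-md5", "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"}

AS_REQ_RE = re.compile(r"AS-REQ (\S+) from (\S+) for ")
# The two enctypes after "using" are the ones the KDC actually chose for this request.
ENCTYPES_RE = re.compile(r"Client supported enctypes: (.+), using (\S+)/(\S+)")
BIND_FAIL_RE = re.compile(r"nslcd\[\d+\]: \[\w+\] failed to bind to LDAP server (\S+): (.+)")


def weak_enctype_findings(kdc_log):
    """Return (principal, offered_strong, used) for each AS-REQ where the client offered
    AES but the KDC chose a weak enctype; this typically means the account has no AES keys."""
    findings, principal = [], None
    for line in kdc_log.splitlines():
        m = AS_REQ_RE.search(line)
        if m:
            principal = m.group(1)  # remember which principal the following lines refer to
        m = ENCTYPES_RE.search(line)
        if m:
            offered = {e.strip() for e in m.group(1).split(",")}
            used = {m.group(2), m.group(3)}
            if offered & STRONG and used & WEAK:
                findings.append((principal, sorted(offered & STRONG), sorted(used)))
    return findings


def nslcd_bind_failures(syslog):
    """Return (server_uri, reason) for every nslcd bind failure, so a broken GSSAPI
    bind shows up as an alertable event rather than a silent empty getent result."""
    return [m.groups() for m in BIND_FAIL_RE.finditer(syslog)]
```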