[Samba] Samba 4 and GSSAPI kerberos ldap connect

steve steve at steve-ss.com
Thu Jan 19 10:56:12 MST 2012


On 19/01/12 18:35, Gémes Géza wrote:
>
>> Progress:
>>   klist -k /etc/krb5.keytab | grep host-account
>>     1 host-account at HH3.SITE
>>     1 host-account at HH3.SITE
>>     1 host-account at HH3.SITE
>>
>> cat /etc/default/nslcd
>> K5START_START="yes"
>> # Options for k5start.
>> K5START_BIN=/usr/bin/k5start
>> K5START_KEYTAB=/etc/krb5.keytab
>> K5START_CCREFRESH=60
>> K5START_PRINCIPAL="host-account at HH3.SITE"
>>
>> service nslcd restart
>> Kerberos: AS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:49240 for
>> krbtgt/HH3.SITE at HH3.SITE
>> Kerberos: Client sent patypes: 149
>> Kerberos: Looking for PKINIT pa-data -- host-account at HH3.SITE
>> Kerberos: Looking for ENC-TS pa-data -- host-account at HH3.SITE
>> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
>> host-account at HH3.SITE
>> Kerberos: AS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:35595 for
>> krbtgt/HH3.SITE at HH3.SITE
>> Kerberos: Client sent patypes: encrypted-timestamp, 149
>> Kerberos: Looking for PKINIT pa-data -- host-account at HH3.SITE
>> Kerberos: Looking for ENC-TS pa-data -- host-account at HH3.SITE
>> Kerberos: ENC-TS Pre-authentication succeeded -- host-account at HH3.SITE
>> using arcfour-hmac-md5
>> Kerberos: AS-REQ authtime: 2012-01-19T11:19:01 starttime: unset
>> endtime: 2012-01-19T21:19:01 renew till: unset
>> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
>> aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
>> arcfour-hmac-md5/arcfour-hmac-md5
>> Kerberos: Requested flags: renewable-ok
>>
>>   service nslcd restart
>>   * Restarting LDAP connection daemon
>> nslcd                               [ OK ]
>>   * Stopping Keep alive Kerberos ticket
>> k5start                           [ OK ]
>>   * Starting Keep alive Kerberos ticket
>> k5start                           [ OK ]
>>
>> getent passwd
>> syslog gives:
>> Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] failed to bind to LDAP
>> server ldap://hh3.hh3.site: Unknown authentication method: Operation
>> now in progress
>> Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] no available LDAP server found
>> samba gives:
>> ldb_wrap open of secrets.ldb
>> Terminating connection - 'ldapsrv_call_loop:
>> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>
>> The only way I can bind is by removing the sasl_mech GSSAPI and giving
>> the binddn and bindpw in /etc/nslcd.conf
>>
>> So I'm stuck with 'Unknown authentication method'. Are we sure that
>> nslcd can bind using Kerberos?
>>
>> Thanks for your patience,
>> Steve
> Hi,
>
> Even if you are scared to death of samba-technical I'm posting it there
> as well, maybe someone can answer the questions which arise when I tried
> to check out your use case.
> So I've tried first:
> # ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI
>
> gives:
> SASL/GSSAPI authentication started
> SASL username: Administrator at KZSDABAS.HU
> SASL SSF: 56
> SASL data security layer installed.
> No such object (32)
> Additional information: empty base DN at
> ../source4/dsdb/samdb/ldb_modules/partition.c:617
>
> and
>
> # ldapwhoami -H ldap://samba4.kzsdabas.hu -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: Administrator at KZSDABAS.HU
> SASL SSF: 56
> SASL data security layer installed.
> ldap_parse_result: Protocol error (2)
>      additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not
> supported
> Result: Protocol error (2)
> Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
>
> So the question is does the Samba4 LDAP server support SASL/GSSAPI based
> binding?
>
> Cheers
Thanks Geza. You're a star.

Meanwhile, back with openSUSE some more progress:

Here is the original error:

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:56661 for 
ldap/hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-19T18:28:38 starttime: 
2012-01-19T18:34:01 endtime: 2012-01-20T04:28:38 renew till: 
2012-01-20T18:28:32
GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see 
text): Decrypt integrity check failed

So I extracted a keytab for ldap:

samba-tool spn add ldap/hh3.site host-account
samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
klist -k /etc/ldap.keytab
Keytab name: WRFILE:/etc/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    1 ldap/hh3.site at HH3.SITE
    1 ldap/hh3.site at HH3.SITE
    1 ldap/hh3.site at HH3.SITE

NOW the error has changed:
getent passwd gives:

ldb_wrap open of secrets.ldb
GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see 
text): Decrypt integrity check failed

host-account has done a kinit and there is a cache in /tmp/krb5cc_0
/etc/nslcd.conf contains:
sasl_mech GSSAPI
#sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

I feel that this is soooo close now!
Cheers
Steve
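An added diagnostic for the "Decrypt integrity check failed" acceptor error above; it is not from this thread and not Samba's or nslcd's own tooling. A GSSAPI acceptor can only decrypt a service ticket if it holds the same key version (kvno) the KDC encrypted it with, so a keytab exported before the account's key changed, or a keytab the server never actually loads, produces exactly this error. The script parses MIT `klist -k -e` and MIT `kvno` output (formats assumed) for the SPN and keytab path used in the thread; the sample outputs are constructed, and the real commands are only run when both tools are installed.

```python
"""Check that a service keytab holds the key version the KDC currently issues tickets under."""
import re
import shutil
import subprocess

# Constructed sample of `klist -k -e /etc/ldap.keytab` (not output from the thread).
SAMPLE_KLIST = """Keytab name: FILE:/etc/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 ldap/hh3.site@HH3.SITE (aes256-cts-hmac-sha1-96)
   1 ldap/hh3.site@HH3.SITE (aes128-cts-hmac-sha1-96)
   1 ldap/hh3.site@HH3.SITE (arcfour-hmac)
"""
# Constructed sample of MIT `kvno ldap/hh3.site@HH3.SITE` after the account's key was reset.
SAMPLE_KVNO = "ldap/hh3.site@HH3.SITE: kvno = 2\n"


def parse_keytab(text):
    """Map principal -> {kvno: set(enctypes)} from `klist -k -e` output."""
    entries = {}
    for m in re.finditer(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$", text, re.M):
        entries.setdefault(m.group(2), {}).setdefault(int(m.group(1)), set()).add(m.group(3))
    return entries


def parse_kvno(text):
    """Return (principal, kvno) from MIT `kvno` output, or None if it did not print one."""
    m = re.search(r"^(\S+):\s+kvno\s*=\s*(\d+)", text, re.M)
    return (m.group(1), int(m.group(2))) if m else None


def diagnose(klist_text, kvno_text):
    """Return a list of mismatch descriptions; an empty list means the keytab matches the KDC."""
    keytab = parse_keytab(klist_text)
    parsed = parse_kvno(kvno_text)
    if parsed is None:
        return ["kvno output not understood; was a TGT available (klist)?"]
    princ, kdc_kvno = parsed
    if princ not in keytab:
        return [f"{princ} is not in the keytab at all"]
    if kdc_kvno not in keytab[princ]:
        return [f"KDC issues kvno {kdc_kvno} for {princ} but keytab holds "
                f"kvno {sorted(keytab[princ])}: re-export the keytab"]
    return []


def check_live(keytab_path, spn):
    """Run the real tools when installed (MIT klist/kvno assumed); otherwise use the samples."""
    if shutil.which("klist") and shutil.which("kvno"):
        klist_out = subprocess.run(["klist", "-k", "-e", keytab_path], capture_output=True, text=True).stdout
        kvno_out = subprocess.run(["kvno", spn], capture_output=True, text=True).stdout
        return diagnose(klist_out, kvno_out)
    return diagnose(SAMPLE_KLIST, SAMPLE_KVNO)


if __name__ == "__main__":
    for line in check_live("/etc/ldap.keytab", "ldap/hh3.site@HH3.SITE") or ["keytab matches KDC kvno"]:
        print(line)
```

A matching kvno does not by itself prove the server will succeed: the keytab checked must be the one the acceptor process actually loads, so point `keytab_path` at that file rather than at a copy exported for the client.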
