[Samba] Samba 4 and GSSAPI kerberos ldap connect

Andrew Bartlett abartlet at samba.org
Thu Jan 19 22:03:08 MST 2012


On Thu, 2012-01-19 at 18:35 +0100, Gémes Géza wrote:
> 
> > Progress:
> >  klist -k /etc/krb5.keytab | grep host-account
> >    1 host-account at HH3.SITE
> >    1 host-account at HH3.SITE
> >    1 host-account at HH3.SITE
> >
> > cat /etc/default/nslcd
> > K5START_START="yes"
> > # Options for k5start.
> > K5START_BIN=/usr/bin/k5start
> > K5START_KEYTAB=/etc/krb5.keytab
> > K5START_CCREFRESH=60
> > K5START_PRINCIPAL="host-account at HH3.SITE"
> >
> > service nslcd restart
> > Kerberos: AS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:49240 for
> > krbtgt/HH3.SITE at HH3.SITE
> > Kerberos: Client sent patypes: 149
> > Kerberos: Looking for PKINIT pa-data -- host-account at HH3.SITE
> > Kerberos: Looking for ENC-TS pa-data -- host-account at HH3.SITE
> > Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > host-account at HH3.SITE
> > Kerberos: AS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:35595 for
> > krbtgt/HH3.SITE at HH3.SITE
> > Kerberos: Client sent patypes: encrypted-timestamp, 149
> > Kerberos: Looking for PKINIT pa-data -- host-account at HH3.SITE
> > Kerberos: Looking for ENC-TS pa-data -- host-account at HH3.SITE
> > Kerberos: ENC-TS Pre-authentication succeeded -- host-account at HH3.SITE
> > using arcfour-hmac-md5
> > Kerberos: AS-REQ authtime: 2012-01-19T11:19:01 starttime: unset
> > endtime: 2012-01-19T21:19:01 renew till: unset
> > Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
> > arcfour-hmac-md5/arcfour-hmac-md5
> > Kerberos: Requested flags: renewable-ok
> >
> >  service nslcd restart
> >  * Restarting LDAP connection daemon
> > nslcd                               [ OK ]
> >  * Stopping Keep alive Kerberos ticket
> > k5start                           [ OK ]
> >  * Starting Keep alive Kerberos ticket
> > k5start                           [ OK ]
> >
> > getent passwd
> > syslog gives:
> > Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] failed to bind to LDAP
> > server ldap://hh3.hh3.site: Unknown authentication method: Operation
> > now in progress
> > Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] no available LDAP server found
> > samba gives:
> > ldb_wrap open of secrets.ldb
> > Terminating connection - 'ldapsrv_call_loop:
> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> >
> > The only way I can bind is by removing the sasl_mech GSSAPI and giving
> > the binddn and bindpw in /etc/nslcd.conf
> >
> > So I'm stuck with 'Unknown authentication method'. Are we sure that
> > nslcd can bind using Kerberos?
> >
> > Thanks for your patience,
> > Steve
> Hi,
> 
> Even if you are scared to death of samba-technical, I'm posting it there
> as well; maybe someone can answer the questions which arose when I tried
> to check out your use case.
> So I've tried first:
> # ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI
> 
> gives:
> SASL/GSSAPI authentication started
> SASL username: Administrator at KZSDABAS.HU
> SASL SSF: 56
> SASL data security layer installed.
> No such object (32)
> Additional information: empty base DN at
> ../source4/dsdb/samdb/ldb_modules/partition.c:617

The issue appears to be related to there being no 'base dn'
specified.  Try with -b 'dc=samba4,dc=kzsdabas,dc=hu'.

This behaviour may not match Windows - if you can test against that,
please let us know the difference and we can sort it out.  Base DN
specification and defaults changed mid last year.

> and
> 
> # ldapwhoami -H ldap://samba4.kzsdabas.hu -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: Administrator at KZSDABAS.HU
> SASL SSF: 56
> SASL data security layer installed.
> ldap_parse_result: Protocol error (2)
>     additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not
> supported
> Result: Protocol error (2)
> Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
> 
> So the question is does the Samba4 LDAP server support SASL/GSSAPI based
> binding?

We support SASL/GSSAPI.  We do not (patches very welcome) currently
support the extended operation ldapwhoami uses.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
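Both failures in this thread (the "empty base DN" error and the "Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported" error from ldapwhoami) are visible in the server's rootDSE before any GSSAPI bind is attempted. The following script is an added example, not code from the thread or from Samba: it parses the LDIF that `ldapsearch -x -H ldap://<server> -s base -b '' supportedSASLMechanisms supportedExtension defaultNamingContext` prints and reports whether GSSAPI is offered, whether the Who Am I? extended operation is advertised, and which base DN to pass with `-b`. The embedded LDIF is a constructed sample, not a capture from a real Samba 4 server.

```python
from collections import defaultdict

WHOAMI_OID = "1.3.6.1.4.1.4203.1.11.3"  # LDAP "Who Am I?" ext op (RFC 4532), used by ldapwhoami

# Constructed sample rootDSE: GSSAPI offered, Who Am I? absent, as the thread describes.
# The two supportedExtension values are StartTLS and Password Modify, not Who Am I?.
SAMPLE_LDIF = """\
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
defaultNamingContext: DC=samba4,DC=kzsdabas,
 DC=hu
"""


def parse_ldif_entry(ldif: str) -> dict:
    """Parse a single LDIF entry into {attr_lowercase: [values]}, unfolding RFC 2849 continuation lines."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:   # folded line: append to the previous one
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = defaultdict(list)
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip().lower()].append(value.strip())
    return dict(attrs)


def check_rootdse(ldif: str) -> dict:
    """Return the three facts a GSSAPI-bind troubleshooter needs from the rootDSE."""
    entry = parse_ldif_entry(ldif)
    mechs = {m.upper() for m in entry.get("supportedsaslmechanisms", [])}
    exts = set(entry.get("supportedextension", []))
    base_dn = entry.get("defaultnamingcontext", [""])[0]
    return {"gssapi": "GSSAPI" in mechs, "whoami": WHOAMI_OID in exts, "base_dn": base_dn}


if __name__ == "__main__":
    r = check_rootdse(SAMPLE_LDIF)
    print("SASL/GSSAPI offered:", r["gssapi"])
    print("Who Am I? ext op advertised:", r["whoami"], "(ldapwhoami fails with Protocol error if False)")
    print("base DN to pass with -b:", repr(r["base_dn"]) if r["base_dn"] else "(none advertised)")
```

Replace SAMPLE_LDIF with the real ldapsearch output to check your own server; an empty base_dn means the search above must be given the domain's DN explicitly.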