[Samba] Samba 4 and GSSAPI kerberos ldap connect

Gémes Géza geza at kzsdabas.hu
Thu Jan 19 22:45:10 MST 2012


On 2012-01-20 06:03, Andrew Bartlett wrote:
> On Thu, 2012-01-19 at 18:35 +0100, Gémes Géza wrote:
>>> Progress:
>>>  klist -k /etc/krb5.keytab | grep host-account
>>>    1 host-account at HH3.SITE
>>>    1 host-account at HH3.SITE
>>>    1 host-account at HH3.SITE
>>>
>>> cat /etc/default/nslcd
>>> K5START_START="yes"
>>> # Options for k5start.
>>> K5START_BIN=/usr/bin/k5start
>>> K5START_KEYTAB=/etc/krb5.keytab
>>> K5START_CCREFRESH=60
>>> K5START_PRINCIPAL="host-account at HH3.SITE"
>>>
>>> service nslcd restart
>>> Kerberos: AS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:49240 for
>>> krbtgt/HH3.SITE at HH3.SITE
>>> Kerberos: Client sent patypes: 149
>>> Kerberos: Looking for PKINIT pa-data -- host-account at HH3.SITE
>>> Kerberos: Looking for ENC-TS pa-data -- host-account at HH3.SITE
>>> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
>>> host-account at HH3.SITE
>>> Kerberos: AS-REQ host-account at HH3.SITE from ipv4:192.168.1.3:35595 for
>>> krbtgt/HH3.SITE at HH3.SITE
>>> Kerberos: Client sent patypes: encrypted-timestamp, 149
>>> Kerberos: Looking for PKINIT pa-data -- host-account at HH3.SITE
>>> Kerberos: Looking for ENC-TS pa-data -- host-account at HH3.SITE
>>> Kerberos: ENC-TS Pre-authentication succeeded -- host-account at HH3.SITE
>>> using arcfour-hmac-md5
>>> Kerberos: AS-REQ authtime: 2012-01-19T11:19:01 starttime: unset
>>> endtime: 2012-01-19T21:19:01 renew till: unset
>>> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
>>> aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
>>> arcfour-hmac-md5/arcfour-hmac-md5
>>> Kerberos: Requested flags: renewable-ok
>>>
>>>  service nslcd restart
>>>  * Restarting LDAP connection daemon
>>> nslcd                               [ OK ]
>>>  * Stopping Keep alive Kerberos ticket
>>> k5start                           [ OK ]
>>>  * Starting Keep alive Kerberos ticket
>>> k5start                           [ OK ]
>>>
>>> getent passwd
>>> syslog gives:
>>> Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] failed to bind to LDAP
>>> server ldap://hh3.hh3.site: Unknown authentication method: Operation
>>> now in progress
>>> Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] no available LDAP server found
>>> samba gives:
>>> ldb_wrap open of secrets.ldb
>>> Terminating connection - 'ldapsrv_call_loop:
>>> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>>
>>> The only way I can bind is by removing the sasl_mech GSSAPI and giving
>>> the binddn and bindpw in /etc/nslcd.conf
>>>
>>> So I'm stuck with 'Unknown authentication method'. Are we sure that
>>> nslcd can bind using Kerberos?
>>>
>>> Thanks for your patience,
>>> Steve
>> Hi,
>>
>> Even if you are scared to death of samba-technical I'm posting it there
>> as well, maybe someone can answer the questions which arose when I tried
>> to check out your use case.
>> So I've tried first:
>> # ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI
>>
>> gives:
>> SASL/GSSAPI authentication started
>> SASL username: Administrator at KZSDABAS.HU
>> SASL SSF: 56
>> SASL data security layer installed.
>> No such object (32)
>> Additional information: empty base DN at
>> ../source4/dsdb/samdb/ldb_modules/partition.c:617
> The issue appears to be related to there being no 'base dn'
> specified.  Try with -b 'dc=samba4,dc=kzsdabas,dc=hu'.
>
> This behaviour may not match windows - if you can test against that,
> please let us know the difference and we can sort it out.  Base DN
> specification and defaults changed mid last year.
>
Thanks!

Specifying the base dn was the problem, but that still doesn't explain
(although it suggests that the problem lies with nslcd itself) the original
problem.

>> and
>>
>> # ldapwhoami -H ldap://samba4.kzsdabas.hu -Y GSSAPI
>> SASL/GSSAPI authentication started
>> SASL username: Administrator at KZSDABAS.HU
>> SASL SSF: 56
>> SASL data security layer installed.
>> ldap_parse_result: Protocol error (2)
>>     additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not
>> supported
>> Result: Protocol error (2)
>> Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
>>
>> So the question is does the Samba4 LDAP server support SASL/GSSAPI based
>> binding?
> We support SASL/GSSAPI.  We do not (patches very welcome) currently
> support the extended operation ldapwhoami uses.
>
> Andrew Bartlett
>
Cheers

Geza
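Before configuring nslcd for sasl_mech GSSAPI, the server's RootDSE can be read anonymously to see whether GSSAPI is advertised, what base DN to pass, and whether the Who Am I? extended operation that ldapwhoami uses is present. The following is an added example, not code from this thread or from Samba; it assumes python-ldap only for fetch_rootdse, and the sample RootDSE is constructed, not captured from the server discussed above.

```python
# Assess an LDAP server's RootDSE for what the SASL/GSSAPI bind in this thread
# needs. Added example, not code from the thread or from Samba.

# RFC 4532 "Who Am I?", the extended operation OID in the ldapwhoami error above.
WHOAMI_EXTOP = "1.3.6.1.4.1.4203.1.11.3"


def _values(attrs, name):
    """Attribute values as str, matching the attribute name case-insensitively."""
    for key, vals in attrs.items():
        if key.lower() == name.lower():
            return [v.decode() if isinstance(v, bytes) else v for v in vals]
    return []


def assess_rootdse(attrs):
    """Decide whether a GSSAPI bind is worth attempting and how to verify it."""
    mechs = _values(attrs, "supportedSASLMechanisms")
    extops = _values(attrs, "supportedExtension")
    contexts = _values(attrs, "defaultNamingContext") or _values(attrs, "namingContexts")
    base = contexts[0] if contexts else None
    report = {"gssapi": "GSSAPI" in mechs, "whoami_extop": WHOAMI_EXTOP in extops,
              "base_dn": base}
    if not report["gssapi"]:
        report["probe"] = "GSSAPI not advertised; nslcd sasl_mech GSSAPI cannot bind here"
    elif base is None:
        report["probe"] = "GSSAPI offered but no base DN advertised; pass -b explicitly"
    else:
        # Explicit -b avoids the 'empty base DN' error, and a base-scope search
        # works even on a server that lacks the Who Am I? extended operation.
        report["probe"] = f"ldapsearch -H <uri> -Y GSSAPI -LLL -b '{base}' -s base objectClass"
    if report["gssapi"] and not report["whoami_extop"]:
        report["note"] = "ldapwhoami will report 'Extended Operation not supported'; that is not a GSSAPI failure"
    return report


def fetch_rootdse(uri):
    """Anonymous base-scope read of the RootDSE via python-ldap (assumed installed)."""
    import ldap  # imported here so the offline parts run without python-ldap
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    res = conn.search_s("", ldap.SCOPE_BASE, "(objectClass=*)", ["supportedSASLMechanisms",
                        "supportedExtension", "defaultNamingContext", "namingContexts"])
    return res[0][1]


# Constructed sample standing in for the Samba 4 DC's RootDSE; not real server output.
SAMPLE_ROOTDSE = {"defaultNamingContext": [b"DC=samba4,DC=kzsdabas,DC=hu"],
                  "supportedSASLMechanisms": [b"GSS-SPNEGO", b"GSSAPI", b"NTLM"],
                  "supportedExtension": [b"1.3.6.1.4.1.1466.20037"]}  # StartTLS only
```

Running assess_rootdse(fetch_rootdse("ldap://samba4.kzsdabas.hu")) gives the ldapsearch probe to run with a valid ticket in the cache; a PROTOCOL ERROR from ldapwhoami alone does not mean the GSSAPI bind failed.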
