[Samba] Samba 4 and GSSAPI kerberos ldap connect

steve steve at steve-ss.com
Thu Jan 19 23:55:55 MST 2012


>>> Hi,
>>>
>>> Even if you are scared of death of samba-technical I'm posting it there
>>> as well, maybe someone can answer the questions which arise when I tried
>>> to check out your use case.
>>> So I've tried first:
>>> # ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI
>>>
>>> gives:
>>> SASL/GSSAPI authentication started
>>> SASL username: Administrator at KZSDABAS.HU
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> No such object (32)
>>> Additional information: empty base DN at
>>> ../source4/dsdb/samdb/ldb_modules/partition.c:617
>> The issue appears to be related to there being no 'base dn'
>> specified.  Try with -b 'dc=samba4,dc=kzsdabas,dc=hu'.
>>
>> This behaviour may not match windows - if you can test against that,
>> please let us know the difference and we can sort it out.  Base DN
>> specification and defaults changed mid last year.
>>
> Thanks!
>
> Specifying the base dn was the problem, but that still doesn't explain
> (although suggest that the problem lies with nslcd itself) the original
> problem.
>
Hi
Nothing:

hh3:/tmp # kinit Administrator
Password for Administrator at HH3.SITE:
Warning: Your password will expire in 34 days on Fri Feb 24 04:49:26 2012

ldapsearch -H ldap://hh3.site cn=Administrator -b dc=hh3,dc=site -LLL -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
     additional info: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information 
(Server not found in Kerberos database)

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:52922 for 
ldap/hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server 
ldap/hh3.site at HH3.SITE that was not found
Failed find a single entry for 
(&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SITE at HH3.SITE: no such 
entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:52922

hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site

hh3:/tmp # ldapsearch -H ldap://hh3.site cn=Administrator -b dc=hh3,dc=site -LLL -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
     additional info: SASL:[GSSAPI]: NT_STATUS_LOGON_FAILURE

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:48616 for 
ldap/hh3.site at HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-20T07:48:01 starttime: 
2012-01-20T07:53:37 endtime: 2012-01-20T17:48:01 renew till: 
2012-01-21T07:47:56
GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see 
text): Decrypt integrity check failed

And again the integrity check failed error.
Help!
Cheers,
Steve
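The two failures in the session above are the classic pair seen when a GSSAPI LDAP bind goes wrong: first the KDC cannot find a principal for ldap/hh3.site at all ("Server not found in Kerberos database"), and once the SPN and keytab exist, the server cannot decrypt the service ticket it receives ("Decrypt integrity check failed"), which means the key in the keytab does not match the key the KDC used for that principal (different key version number, enctype, or account). The script below is an added troubleshooting example, not code from this thread or from the Samba project: it parses the output of `klist -k -e` (MIT format) and `kvno <principal>`, and reports which of those two conditions applies to a service principal. The keytab listing and kvno output embedded in it are constructed samples with made-up values; `parse_keytab_listing`, `parse_kvno_output` and `check_service_key` are the example's own helper names.

```python
import re

# Constructed sample of `klist -k -e` output for a service keytab (MIT klist
# layout). The kvno and enctypes are made up for this example.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 ldap/hh3.site@HH3.SITE (aes256-cts-hmac-sha1-96)
   1 ldap/hh3.site@HH3.SITE (arcfour-hmac)
"""

# Constructed sample of `kvno ldap/hh3.site` output: the KDC issued a ticket
# encrypted with key version 2, while the keytab above only holds version 1.
SAMPLE_KVNO_OUTPUT = "ldap/hh3.site@HH3.SITE: kvno = 2\n"

# One keytab entry: "   1 ldap/hh3.site@HH3.SITE (aes256-cts-hmac-sha1-96)"
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")
# One kvno line: "ldap/hh3.site@HH3.SITE: kvno = 2"
KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)\s*$")


def parse_keytab_listing(text):
    """Map principal -> {kvno: set(enctypes)} from `klist -k -e` output.

    Header and separator lines do not match KEYTAB_LINE and are skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if not m:
            continue
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        entries.setdefault(principal, {}).setdefault(kvno, set()).add(enctype)
    return entries


def parse_kvno_output(text):
    """Map principal -> kvno of the service ticket the KDC actually issued."""
    tickets = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            tickets[m.group(1)] = int(m.group(2))
    return tickets


def check_service_key(principal, keytab_entries, ticket_kvnos):
    """Classify why a GSSAPI accept_sec_context for `principal` would fail.

    Returns (status, explanation). Statuses:
      no-ticket     the KDC did not issue a ticket for the principal, so the
                    SPN is not registered (the "Server not found" case)
      missing       the principal has no key in the keytab at all
      kvno-mismatch ticket kvno absent from the keytab (the "Decrypt integrity
                    check failed" case); re-export the keytab from the KDC
      ok            the keytab holds a key matching the ticket's kvno
    """
    if principal not in ticket_kvnos:
        return "no-ticket", f"KDC issued no ticket for {principal}; check SPN registration"
    if principal not in keytab_entries:
        return "missing", f"{principal} has no key in the keytab"
    ticket_kvno = ticket_kvnos[principal]
    keytab_kvnos = sorted(keytab_entries[principal])
    if ticket_kvno not in keytab_kvnos:
        return ("kvno-mismatch",
                f"ticket uses kvno {ticket_kvno} but keytab holds {keytab_kvnos}; "
                f"re-export the keytab for {principal}")
    enctypes = sorted(keytab_entries[principal][ticket_kvno])
    return "ok", f"keytab kvno {ticket_kvno} matches ticket ({', '.join(enctypes)})"


def diagnose(principal, keytab_text, kvno_text):
    """Convenience wrapper: parse both outputs and run the check."""
    return check_service_key(principal,
                             parse_keytab_listing(keytab_text),
                             parse_kvno_output(kvno_text))


if __name__ == "__main__":
    # In real use, feed in the captured output of `klist -k -e` and `kvno`.
    status, why = diagnose("ldap/hh3.site@HH3.SITE",
                           SAMPLE_KEYTAB_LISTING, SAMPLE_KVNO_OUTPUT)
    print(f"{status}: {why}")
```

On a live host the two inputs come from `klist -k -e /etc/ldap.keytab` and `kvno ldap/hh3.site` run after a fresh `kinit`; a `kvno-mismatch` result means the keytab was exported from a key version the KDC no longer uses, and a `no-ticket` result points back at SPN registration rather than at the keytab.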
