[Samba] Samba 4 and GSSAPI kerberos ldap connect

steve steve at steve-ss.com
Fri Jan 20 03:19:54 MST 2012


On 20/01/12 07:55, steve wrote:
>>>> Hi,
>>>>
>>>> Even if you are scared to death of samba-technical I'm posting it 
>>>> there
>>>> as well, maybe someone can answer the questions which arise when I 
>>>> tried
>>>> to check out your use case.
>>>> So I've tried first:
>>>> # ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y 
>>>> GSSAPI
>>>>
>>>> gives:
>>>> SASL/GSSAPI authentication started
>>>> SASL username: Administrator at KZSDABAS.HU
>>>> SASL SSF: 56
>>>> SASL data security layer installed.
>>>> No such object (32)
>>>> Additional information: empty base DN at
>>>> ../source4/dsdb/samdb/ldb_modules/partition.c:617
>>> The issue appears to be related to there being not 'base dn' being
>>> specified.  Try with -b 'dc=samba4,dc=kzsdabas,dc=hu'.
>>>
>>> This behaviour may not match windows - if you can test against that,
>>> please let us know the difference and we can sort it out.  Base DN
>>> specification and defaults changed mid last year.
>>>
>> Thanks!
>>
>> Specifying the base dn was the problem, but that still doesn't explain
>> (although suggest that the problem lies with nslcd itself) the original
>> problem.
>>
> Hi
> Nothing:
>
> hh3:/tmp # kinit Administrator
> Password for Administrator at HH3.SITE:
> Warning: Your password will expire in 34 days on Fri Feb 24 04:49:26 2012
>
> ldapsearch -H ldap://hh3.site cn=Administrator -b dc=hh3,dc=site -LLL 
> -Y GSSAPI
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>     additional info: SASL(-1): generic failure: GSSAPI Error: 
> Unspecified GSS failure.  Minor code may provide more information 
> (Server not found in Kerberos database)
>
> ldb_wrap open of secrets.ldb
> Kerberos: TGS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:52922 
> for ldap/hh3.site at HH3.SITE [canonicalize, renewable]
> Kerberos: Searching referral for hh3.site
> Kerberos: Returning a referral to realm SITE for server 
> ldap/hh3.site at HH3.SITE that was not found
> Failed find a single entry for 
> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): 
> got 0
> Kerberos: samba_kdc_fetch: could not find principal in DB
> Kerberos: Server not found in database: krbtgt/SITE at HH3.SITE: no such 
> entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:52922
>
> hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
> hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab 
> --principal=ldap/hh3.site
>
> hh3:/tmp # ldapsearch -H ldap://hh3.site cn=Administrator -b 
> dc=hh3,dc=site -LLL -Y GSSAPI
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>     additional info: SASL:[GSSAPI]: NT_STATUS_LOGON_FAILURE
>
> ldb_wrap open of secrets.ldb
> Kerberos: TGS-REQ Administrator at HH3.SITE from ipv4:192.168.1.3:48616 
> for ldap/hh3.site at HH3.SITE [canonicalize, renewable]
> Kerberos: TGS-REQ authtime: 2012-01-20T07:48:01 starttime: 
> 2012-01-20T07:53:37 endtime: 2012-01-20T17:48:01 renew till: 
> 2012-01-21T07:47:56
> GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see 
> text): Decrypt integrity check failed
>
> And again the integrity check failed error.
> Help!
> Cheers,
> Steve
>
OK. Start from nothing. New checkout, /usr/local/samba deleted, keytabs 
gone. . . Nothing.

./source4/setup/provision --realm=site --domain=CACTUS 
--adminpass=abc at 1234 --server-role='domain controller'

  kinit Administrator
Password for Administrator at SITE:
Warning: Your password will expire in 41 days on Fri Mar  2 10:11:08 2012
hh3:/tmp # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at SITE

Valid starting     Expires            Service principal
01/20/12 10:36:20  01/20/12 20:36:20  krbtgt/SITE at SITE
     renew until 01/21/12 10:36:14
hh3:/tmp # ldapsearch -H ldap://192.168.1.3 cn=Administrator -b dc=site 
-LLL -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: Administrator at SITE
SASL SSF: 56
SASL data security layer installed.
dn: CN=Administrator,CN=Users,DC=site
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20120120091108.0Z
whenChanged: 20120120091108.0Z
uSNCreated: 3544
uSNChanged: 3544
name: Administrator
objectGUID:: mGFPzUkB00u061KWBq0BbQ==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129715242680000000
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA1QO34Lt6TetRTPlg9AEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=site
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=site
memberOf: CN=Enterprise Admins,CN=Users,DC=site
memberOf: CN=Schema Admins,CN=Users,DC=site
memberOf: CN=Domain Admins,CN=Users,DC=site
distinguishedName: CN=Administrator,CN=Users,DC=site

# refldap://site/CN=Configuration,DC=site

# refldap://site/DC=DomainDnsZones,DC=site

# refldap://site/DC=ForestDnsZones,DC=site

Still here?

samba-tool user add steve2

Next add rfc2307 stuff for steve2:

cat steve2.ldif
dn: cn=steve2,cn=Users,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 3000000
-
add: gidnumber
gidnumber: 100
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/steve2
-
add: loginshell
loginshell: /bin/bash

ldapmodify -H 192.168.1.3 -W -D cn=Administrator,cn=Users,dc=site -f 
steve2.ldif
wbinfo -i steve2
CACTUS\steve2:*:3000000:100::/home/CACTUS/steve2:/bin/bash

Optimistically:
getent passwd steve2
_nothing_!
But nslcd-user can't read the ticket.
So:
chmod 0644 /tmp/
and getent springs to life:
getent passwd steve2
steve2:x:3000000:100:steve2:/home/CACTUS/steve2:/bin/bash
(gasps of general amazement etc.)

Finally, the kerberized bind works. steve2 can log on and get attributes 
from LDAP _without_ the binddn and bindpw. For the record, 
/etc/nslcd.conf looks like this:

uid nslcd-user
gid nslcd-user
uri ldap://192.168.1.3
base dc=site
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    shadow uid              sAMAccountName
sasl_mech GSSAPI
krb5_ccname /tmp/krb5cc_0

Next stage: getting nslcd-user to be able to read the ticket and keep 
the ticket up to date. I can't find k5start for openSUSE. I'll ask the 
guys over at the suse list for that one.

If I get time, I'll go through this on Ubuntu (where Geza pointed me to 
k5start).

Phew!
Steve.
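
As an added example (not code from this post or from the Samba project) tying together the nslcd.conf shown above and the "next stage" of letting nslcd-user read the ticket: a Python check that parses that configuration, takes the cache file from krb5_ccname, and reports whether an account with a given uid/gid can read it and whether the cache is readable by every local user (which is what a world-readable cache under /tmp amounts to). The uid/gid 1001 and SAMPLE_NSLCD_CONF are constructed for the example; on a real host the ids for nslcd-user come from pwd.getpwnam.

```python
"""Check whether the nslcd account can read the Kerberos credential cache
named in nslcd.conf, and whether that cache is exposed to every local user.

Added example, not code from the Samba project or from the post above.
Parses the `option value` lines of an nslcd.conf, takes krb5_ccname, and
classifies the cache file's owner and mode against the numeric uid/gid of
the nslcd account. SAMPLE_NSLCD_CONF and the ids used are constructed.
"""
import os
import stat
from typing import Any, Dict, Optional

# Constructed sample: the configuration from the post, as nslcd reads it.
SAMPLE_NSLCD_CONF = """\
uid nslcd-user
gid nslcd-user
uri ldap://192.168.1.3
base dc=site
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    shadow uid              sAMAccountName
sasl_mech GSSAPI
krb5_ccname /tmp/krb5cc_0
"""


def parse_nslcd_conf(text: str) -> Dict[str, Any]:
    """Parse nslcd's `option value` format.

    Scalar options become strings; the repeatable `map` option is collected
    as a list of (map, attribute, replacement) tuples. Blank lines and
    `#` comments are skipped.
    """
    conf: Dict[str, Any] = {"map": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "map":
            conf["map"].append(tuple(value.split()))
        else:
            conf[key] = value
    return conf


def ccache_path(conf: Dict[str, Any]) -> Optional[str]:
    """Return the on-disk path from krb5_ccname ('FILE:/path' or a bare path).

    Cache types other than FILE (KEYRING:, DIR:, ...) are not files; return None.
    """
    name = conf.get("krb5_ccname")
    if name is None:
        return None
    if ":" in name:
        ctype, _, rest = name.partition(":")
        return rest if ctype.upper() == "FILE" else None
    return name


def classify_ccache(mode: int, owner_uid: int, owner_gid: int,
                    nslcd_uid: int, nslcd_gid: int) -> Dict[str, Any]:
    """Decide how (if at all) the nslcd account can read a cache with this owner/mode.

    'world_readable' is reported separately: a cache that is readable only
    through the other-read bit hands the TGT to every local user.
    """
    perm = stat.S_IMODE(mode)
    world = bool(perm & stat.S_IROTH)
    via: Optional[str]
    if owner_uid == nslcd_uid and perm & stat.S_IRUSR:
        via = "owner"
    elif owner_gid == nslcd_gid and perm & stat.S_IRGRP:
        via = "group"
    elif world:
        via = "world"
    else:
        via = None
    return {"readable": via is not None, "via": via, "world_readable": world}


def advise(finding: Dict[str, Any]) -> str:
    """One-line remediation hint for a classification result."""
    if not finding["readable"]:
        return ("nslcd cannot open the cache (the getent-returns-nothing symptom): "
                "obtain the ticket as the nslcd account, e.g. with a keytab-based "
                "renewer such as k5start, so the cache is owned by it with mode 0600.")
    if finding["via"] == "world":
        return "works only because the cache is world-readable: make it 0600, owned by the nslcd account."
    if finding["world_readable"]:
        return "readable, but also world-readable: remove the other-read bit."
    return "ok: cache readable by the nslcd account and not exposed to other users."


def check_ccache(conf_text: str, nslcd_uid: int, nslcd_gid: int) -> Dict[str, Any]:
    """Stat the cache named in an nslcd.conf text and classify it for the given account."""
    path = ccache_path(parse_nslcd_conf(conf_text))
    finding: Dict[str, Any] = {"readable": False, "via": None, "world_readable": False, "path": path}
    if path is None:
        return finding
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return finding  # no cache yet: same effect for nslcd as an unreadable one
    finding.update(classify_ccache(st.st_mode, st.st_uid, st.st_gid, nslcd_uid, nslcd_gid))
    return finding


if __name__ == "__main__":
    # Hypothetical ids for nslcd-user; on a real host use pwd.getpwnam("nslcd-user").
    result = check_ccache(SAMPLE_NSLCD_CONF, nslcd_uid=1001, nslcd_gid=1001)
    print(result, "->", advise(result))
```

Run it on the host as root after kinit and the output says which of the three states the cache is in; the intended end state is the one the post's "next stage" describes, a cache created and renewed as nslcd-user so no bit on /tmp or on a root-owned cache has to be loosened.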
