[Samba] Samba 4 and GSSAPI kerberos ldap connect

Michael Wood esiotrot at gmail.com
Fri Jan 20 04:41:15 MST 2012


Hi

On 20 January 2012 12:19, steve <steve at steve-ss.com> wrote:
[...]
> OK. Start from nothing. New checkout, /usr/local/samba deleted, keytabs
> gone. . . Nothing.
>
> ./source4/setup/provision --realm=site --domain=CACTUS --adminpass=abc@1234
> --server-role='domain controller'
>
>  kinit Administrator
[...]
> hh3:/tmp # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@SITE
[...]

Fine for testing or doing work as Administrator, but not what you want
to use for nslcd.

> hh3:/tmp # ldapsearch -H ldap://192.168.1.3 cn=Administrator -b dc=site -LLL
> -Y GSSAPI
[...]

OK, so GSSAPI bind to Samba 4 works.

> samba-tool user add steve2
>
> Next add rfc2307 stuff for steve2:
[...]
> wbinfo -i steve2
> CACTUS\steve2:*:3000000:100::/home/CACTUS/steve2:/bin/bash
>
> Optimistically:
> getent passwd steve2
> _nothing_!
> But nslcd-user can't read the ticket.
> So:
> chmod 0644 /tmp/

Obviously you meant the following:

chmod 644 /tmp/krb5cc_0

This is BAD!  It means anyone on that machine will be able to do
anything as Administrator.

Better (but not the way you're supposed to do it) would be to chown
the file to the user that is running nslcd.

What you want to do is create a domain user for nslcd (separate from
the local user that the process runs as.  i.e. it will probably need a
different username.  This is just for authenticating against Samba.)

samba-tool user add nslcd-service

Now if you "kinit nslcd-service" and chown the file to the right UID,
nslcd should work as it did for Administrator.  Still not quite right,
though, I think.

I think you want to create a service principal name, export it as a
keytab and then use that for nslcd, but this is where I am a bit
unsure.

> and getent springs to life:
> getent passwd steve2
> steve2:x:3000000:100:steve2:/home/CACTUS/steve2:/bin/bash
> (gasps of general amazement etc.)
>
> Finally, the kerberized bind works. steve2 can logon and get attributes from
> LDAP _without_ the binddn and bindpw. For the record, /etc/nslcd.conf looks
> like this:

Is there no principal specified?  Maybe it's not necessary.

[...]
> Next stage: getting nslcd-user to be able to read the ticket and keep the
> ticket up to date.

Well, /tmp/krb5cc_0 is root's ticket cache.  Since you're running
nslcd as "nslcd-user", that's not the ticket cache you should be
using.  Either you should be generating a new ticket cache (maybe
using k5start), maybe not in /tmp, with the right permissions and
where nslcd can use it.

> I can't find k5start for openSUSE. I'll ask the guys over
> at the suse list for that one.

Otherwise you could probably compile it yourself.

> If I get time, I'll go through this on Ubuntu (where Geza pointed me to
> k5start).

-- 
Michael Wood <esiotrot at gmail.com>
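An added example, not code from the thread: a shell check a defender can run for the mistake discussed above (a world-readable root credential cache), followed in comments by the keytab-plus-k5start setup the reply sketches; the samba-tool, k5start and nslcd.conf syntax there is assumed, as are the paths.

```shell
#!/bin/sh
# Added example, not code from the thread. ccache_is_private() reports whether a
# Kerberos credential cache file is readable only by its owner (and, optionally,
# owned by the expected user); "chmod 644 /tmp/krb5cc_0" makes it fail.

# Usage: ccache_is_private PATH [EXPECTED_OWNER]
# Returns 0 when only the owner can access PATH (and the owner matches, if given),
# 1 otherwise, printing a one-line reason.
ccache_is_private() {
    ccache=$1
    want_owner=${2:-}
    if [ ! -f "$ccache" ]; then
        echo "missing: $ccache"
        return 1
    fi
    # Portable read of mode bits and owner via ls: "-rw------- 1 root ..."
    listing=$(ls -ld "$ccache")
    perms=$(printf '%s\n' "$listing" | cut -c2-10)
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    case "$perms" in
        ???------) ;;   # no group/other bits set: private to the owner
        *) echo "group/world accessible ($perms): $ccache"; return 1 ;;
    esac
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        echo "owned by $owner, expected $want_owner: $ccache"
        return 1
    fi
    return 0
}

# After the quoted "chmod 644 /tmp/krb5cc_0" this returns 1:
#   ccache_is_private /tmp/krb5cc_0 root
#
# Assumed hardened setup from the reply (run as root on the DC; user names are
# the thread's, command flags and paths are assumptions):
#   samba-tool user add nslcd-service
#   samba-tool domain exportkeytab /etc/nslcd.keytab --principal=nslcd-service@SITE
#   chown nslcd-user /etc/nslcd.keytab; chmod 600 /etc/nslcd.keytab
#   install -d -o nslcd-user -m 700 /var/lib/nslcd-krb5
#   k5start -b -K 30 -U -f /etc/nslcd.keytab -k /var/lib/nslcd-krb5/ccache \
#           -o nslcd-user -m 600
#   # /etc/nslcd.conf: sasl_mech GSSAPI and krb5_ccname /var/lib/nslcd-krb5/ccache
#   ccache_is_private /var/lib/nslcd-krb5/ccache nslcd-user   # expect 0
```

Root's own /tmp/krb5cc_0 then stays 0600 and nslcd never touches it.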
