[Samba] Samba 4 and GSSAPI kerberos ldap connect
steve
steve at steve-ss.com
Fri Jan 20 06:23:09 MST 2012
On 20/01/12 12:41, Michael Wood wrote:
Michael. Thanks for your comments. Getting there slowly but surely. Have
made some adjustments as in-line.
wbinfo -i steve2
CACTUS\steve2:*:3000000:100::/home/CACTUS/steve2:/bin/bash
Optimistically:
getent passwd steve2
_nothing_!
But nslcd-user can't read the ticket.
So:
chmod 0644 /tmp/
> Obviously you meant the following:
>
> chmod 644 /tmp/krb5cc_0
Yes. I should have copied it from the terminal rather than type it.
>
> This is BAD! It means anyone on that machine will be able to do
> anything as Administrator.
>
> Better (but not the way you're supposed to do it) would be to chown
> the file to the user that is running nslcd.
>
> What you want to do is create a domain user for nslcd (separate from
> the local user that the process runs as. i.e. it will probably need a
> different username. This is just for authenticating against Samba.)
>
> samba-tool user add nslcd-service
>
> Now if you "kinit nslcd-service" and chown the file to the right UID,
> nslcd should work as it did for Administrator. Still not quite right,
> though, I think.
>
> I think you want to create a service principal name, export it as a
> keytab and then use that for nslcd, but this is where I am a bit
> unsure.
I did this:
samba-tool user add nslcd-service
New Password:
User 'nslcd-service' created successfully
kinit nslcd-service
Password for nslcd-service at SITE:
Warning: Your password will expire in 41 days on Fri Mar 2 13:47:22 2012
hh3:/tmp # chown nslcd-user:nslcd-user krb5cc_0
rcnslcd restart
redirecting to systemctl
hh3:/tmp # getent passwd steve2
steve2:x:3000000:100:steve2:/home/CACTUS/steve2:/bin/bash
Seems to work OK.
I know I should use a keytab, then presumably I'd not need to keep
refreshing the ticket using k5start. I really would like to find
out how to do that. I've tried before. Thinking out loud, maybe this:
with getent passwd, samba gives this:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ nslcd-service at SITE from ipv4:192.168.1.3:50765 for ldap/hh3.site at SITE [canonicalize, renewable]
I tried removing /tmp/krb5cc_0 and doing this:
hh3:/tmp # samba-tool spn add ldap/hh3.site nslcd-service
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
hh3:/tmp # chown nslcd-user:nslcd-user /etc/ldap.keytab
But:
Jan 20 14:16:15 hh3 nslcd[3575]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found)
So the next question would be: how do I tell nslcd to look in the keytab
rather than the cache file?
Or maybe go the k5start way. Don't know!
> Is there no principal specified? Maybe it's not necessary.
>
> [...]
Yes. I think this is it: ldap/hh3.site at SITE Pls see samba output above.
>> Next stage: getting nslcd-user to be able to read the ticket and keep the
>> ticket up to date.
> Well, /tmp/krb5cc_0 is root's ticket cache. Since you're running
> nslcd as "nslcd-user", that's not the ticket cache you should be
> using.
Actually, kinit nslcd-service produced a file with the same name.
> Either you should be generating a new ticket cache (maybe
> using k5start), maybe not in /tmp, with the right permissions and
> where nslcd can use it.
>
>> I can't find k5start for openSUSE. I'll ask the guys over
>> at the suse list for that one.
> Otherwise you could probably compile it yourself.
>
>> If I get time, I'll go through this on Ubuntu (where Geza pointed me to
>> k5start).
Thanks again.
Steve
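An added example, not from this thread or from the Samba or nss-pam-ldapd projects, of how the keytab-based setup asked about above could be wired up: a k5start invocation that keeps a private ticket cache for nslcd renewed from the exported keytab, a check that the cache is not left readable by everyone the way chmod 644 on /tmp/krb5cc_0 did, and the nslcd.conf lines that point nslcd at the new cache. The user name nslcd-user, the keytab path /etc/ldap.keytab and the cache path /var/run/nslcd/krb5cc are assumptions taken from or chosen to fit the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps nslcd's GSSAPI ticket in a private
# cache renewed from a keytab, instead of a world-readable /tmp/krb5cc_0.
# Assumed names: nslcd-user, /etc/ldap.keytab, /var/run/nslcd/krb5cc.
NSLCD_USER="nslcd-user"
KEYTAB="/etc/ldap.keytab"
CCACHE="/var/run/nslcd/krb5cc"

# Return 0 only if FILE is owned by UID and readable by its owner alone
# (mode 0400/0500/0600/0700). Otherwise explain on stderr and return 1.
ccache_is_private() {
    file="$1"; want_uid="$2"
    info=$(stat -c '%a %u' "$file") || return 1
    mode=${info% *}; uid=${info#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "$file: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    perm=$(printf '%s' "$mode" | tail -c 3)    # drop setuid/sticky digit
    case "$perm" in
        [4-7]00) return 0 ;;
        *) echo "$file: mode $mode is readable by others, use 0600" >&2
           return 1 ;;
    esac
}

# k5start keeps a ticket for the principal stored in the keytab (-U), writes
# it to CCACHE owned by nslcd-user with mode 0600, and renews every 10 min.
k5start_cmd() {
    echo "k5start -b -U -f $KEYTAB -K 10 -l 24h" \
         "-o $NSLCD_USER -g $NSLCD_USER -m 0600 -k $CCACHE"
}

# nslcd then has to be pointed at that cache, e.g. in nslcd.conf:
#   sasl_mech GSSAPI
#   krb5_ccname /var/run/nslcd/krb5cc
# (or by exporting KRB5CCNAME in nslcd's environment before it starts).
```

Run the printed k5start command as root once the keytab is in place, then check the cache with `ccache_is_private "$CCACHE" "$(id -u nslcd-user)"` before restarting nslcd.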