[Samba] Samba 4 and GSSAPI kerberos ldap connect

steve steve at steve-ss.com
Fri Jan 20 06:23:09 MST 2012

On 20/01/12 12:41, Michael Wood wrote:
Michael. Thanks for your comments. Getting there slowly but surely. Have 
made some adjustments as in-line.

wbinfo -i steve2

getent passwd steve2
But nslcd-user can't read the ticket.
chmod 0644 /tmp/

> Obviously you meant the following:
> chmod 644 /tmp/krb5cc_0
Yes. I should have copied it from the terminal rather than type it.
> This is BAD!  It means anyone on that machine will be able to do
> anything as Administrator.
> Better (but not the way you're supposed to do it) would be to chown
> the file to the user that is running nslcd.
> What you want to do is create a domain user for nslcd (separate from
> the local user that the process runs as.  i.e. it will probably need a
> different username.  This is just for authenticating against Samba.)
> samba-tool user add nslcd-service
> Now if you "kinit nslcd-service" and chown the file to the right UID,
> nslcd should work as it did for Administrator.  Still not quite right,
> though, I think.
> I think you want to create a service principal name, export it as a
> keytab and then use that for nslcd, but this is where I am a bit
> unsure.
I did this:

  samba-tool user add nslcd-service
New Password:
User 'nslcd-service' created successfully
kinit nslcd-service
Password for nslcd-service at SITE:
Warning: Your password will expire in 41 days on Fri Mar  2 13:47:22 2012
hh3:/tmp # chown nslcd-user:nslcd-user krb5cc_0
  rcnslcd restart
redirecting to systemctl
hh3:/tmp # getent passwd steve2

Seems to work OK.

I know I should use a keytab, then presumably I'd not need to keep 
refreshing the ticket using k5start. I really would like like to find 
out how to do that. I've tried before. Thinking out loud, maybe this:

with getent passwd, samba gives this:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ nslcd-service at SITE from ipv4: for 
ldap/hh3.site at SITE [canonicalize, renewable]

I tried removing /tmp/krbcc_0 and doing this:

hh3:/tmp # samba tool spn add ldap/hh3.site nslcd-service
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab 
hh3:/tmp # chown nslcd-user:nslcd-user /etc/ldap.keytab

Jan 20 14:16:15 hh3 nslcd[3575]: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Credentials cache file 
'/tmp/krb5cc_0' not found)

So the next qn. would be how do I tell nslcd to look in the keytab 
rather than the cache file?

Or maybe go the k5start way. Don't know!

> Is there no principal specified?  Maybe it's not necessary.
> [...]
Yes. I think this is it: ldap/hh3.site at SITE Pls see samba output above.
>> Next stage: getting nslcd-user to be able to read the ticket and keep the
>> ticket up to date.
> Well, /tmp/krb5cc_0 is root's ticket cache.  Since you're running
> nslcd as "nslcd-user", that's not the ticket cache you should be
> using.
Actually, kinit nslcd-service produced a file with the same name.
>   Either you should be generating a new ticket cache (maybe
> using k5start), maybe not in /tmp, with the right permissions and
> where nslcd can use it.
>> I can't find k5start for openSUSE. I'll ask the guys over
>> at the suse list for that one.
> Otherwise you could probably compile it yourself.
>> If I get time, I'll go through this on Ubuntu (where Geza pointed me to
>> k5start).
Thanks again.

More information about the samba mailing list