[Samba] Samba 4 and GSSAPI kerberos ldap connect
steve at steve-ss.com
Fri Jan 20 06:23:09 MST 2012
On 20/01/12 12:41, Michael Wood wrote:
Michael. Thanks for your comments. Getting there slowly but surely. Have
made some adjustments as in-line.
wbinfo -i steve2
getent passwd steve2
But nslcd-user can't read the ticket.
chmod 0644 /tmp/
> Obviously you meant the following:
> chmod 644 /tmp/krb5cc_0
Yes. I should have copied it from the terminal rather than type it.
> This is BAD! It means anyone on that machine will be able to do
> anything as Administrator.
> Better (but not the way you're supposed to do it) would be to chown
> the file to the user that is running nslcd.
> What you want to do is create a domain user for nslcd (separate from
> the local user that the process runs as. i.e. it will probably need a
> different username. This is just for authenticating against Samba.)
> samba-tool user add nslcd-service
> Now if you "kinit nslcd-service" and chown the file to the right UID,
> nslcd should work as it did for Administrator. Still not quite right,
> though, I think.
> I think you want to create a service principal name, export it as a
> keytab and then use that for nslcd, but this is where I am a bit
I did this:
samba-tool user add nslcd-service
User 'nslcd-service' created successfully
Password for nslcd-service@SITE:
Warning: Your password will expire in 41 days on Fri Mar 2 13:47:22 2012
hh3:/tmp # chown nslcd-user:nslcd-user krb5cc_0
redirecting to systemctl
hh3:/tmp # getent passwd steve2
Seems to work OK.
I know I should use a keytab, then presumably I'd not need to keep
refreshing the ticket using k5start. I really would like to find
out how to do that. I've tried before. Thinking out loud, maybe this:
with getent passwd, samba gives this:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ nslcd-service@SITE from ipv4:192.168.1.3:50765 for
ldap/hh3.site@SITE [canonicalize, renewable]
I tried removing /tmp/krb5cc_0 and doing this:
hh3:/tmp # samba-tool spn add ldap/hh3.site nslcd-service
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab
hh3:/tmp # chown nslcd-user:nslcd-user /etc/ldap.keytab
Jan 20 14:16:15 hh3 nslcd: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_0' not found)
So the next qn. would be how do I tell nslcd to look in the keytab
rather than the cache file?
Or maybe go the k5start way. Don't know!
> Is there no principal specified? Maybe it's not necessary.
Yes. I think this is it: ldap/hh3.site@SITE Pls see samba output above.
>> Next stage: getting nslcd-user to be able to read the ticket and keep the
>> ticket up to date.
> Well, /tmp/krb5cc_0 is root's ticket cache. Since you're running
> nslcd as "nslcd-user", that's not the ticket cache you should be
Actually, kinit nslcd-service produced a file with the same name.
> Either you should be generating a new ticket cache (maybe
> using k5start), maybe not in /tmp, with the right permissions and
> where nslcd can use it.
>> I can't find k5start for openSUSE. I'll ask the guys over
>> at the suse list for that one.
> Otherwise you could probably compile it yourself.
>> If I get time, I'll go through this on Ubuntu (where Geza pointed me to
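For the open question in the thread (how to tell nslcd to use a cache fed from the keytab instead of root's /tmp/krb5cc_0), here is an added nslcd.conf example; it is not from the thread or from the nslcd or Samba projects. It keeps the thread's names (nslcd-user, nslcd-service@SITE, hh3.site, /etc/ldap.keytab) and assumes a base DN of dc=site and a cache path of /var/run/nslcd/krb5cc_nslcd, both of which are assumptions. The weak setting from the thread is shown commented out beside the corrected one.

```conf
# /etc/nslcd.conf (added example, not the thread's own config).
# Assumes nslcd-service@SITE has been exported to /etc/ldap.keytab and
# that k5start keeps a ticket cache at /var/run/nslcd/krb5cc_nslcd
# owned by nslcd-user (the cache path is an assumption).

# Run the daemon as the unprivileged user from the thread, never as root.
uid nslcd-user
gid nslcd-user

# The Samba 4 DC from the thread; base DN dc=site is an assumption.
uri ldap://hh3.site/
base dc=site

# Weak setting (what the thread fell back to): point nslcd at root's
# cache, which then has to be chmod 644'd or chowned away from root.
# Anyone who can read that file can act as whoever kinit'd into it.
#   krb5_ccname /tmp/krb5cc_0

# Corrected setting: authenticate with GSSAPI from a cache that belongs
# to nslcd-user only and is refreshed from the keytab, so neither root's
# nor Administrator's ticket is ever exposed to the daemon.
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/krb5cc_nslcd
```

The cache is kept fresh by k5start rather than by re-running kinit: `k5start -b -f /etc/ldap.keytab -U -K 10 -l 10h -o nslcd-user -g nslcd-user -k /var/run/nslcd/krb5cc_nslcd` reads the principal from the keytab (`-U`), renews every 10 minutes and writes the cache with the given owner, so nslcd never needs a password and never touches /tmp/krb5cc_0. Two caveats a practitioner would want: `samba-tool domain exportkeytab /etc/ldap.keytab` with no `--principal=nslcd-service@SITE` writes the keys of every principal in the domain into the file handed to nslcd-user, so restrict the export to that one principal and keep the keytab mode 600; and the `ldap/hh3.site` SPN in the TGS-REQ is the DC's own service, which the client principal nslcd-service needs to request, not to own.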