[Samba] Samba 4 and GSSAPI kerberos ldap connect

Michael Wood esiotrot at gmail.com
Fri Jan 20 08:09:15 MST 2012

On 20 January 2012 15:23, steve <steve at steve-ss.com> wrote:
> On 20/01/12 12:41, Michael Wood wrote:
> I did this:
>  samba-tool user add nslcd-service
> New Password:
> User 'nslcd-service' created successfully
> kinit nslcd-service
> Password for nslcd-service at SITE:
> Warning: Your password will expire in 41 days on Fri Mar  2 13:47:22 2012
> hh3:/tmp # chown nslcd-user:nslcd-user krb5cc_0
>  rcnslcd restart
> redirecting to systemctl
> hh3:/tmp # getent passwd steve2
> steve2:x:3000000:100:steve2:/home/CACTUS/steve2:/bin/bash
> Seems to work OK.


> I know I should use a keytab, then presumably I'd not need to keep
> refreshing the ticket using k5start. I really would like like to find out
> how to do that.

I'm starting to think that maybe a keytab is not the answer and
k5start is.  Maybe someone that knows more about Kerberos will
enlighten us, but it might make more sense to ask the question on a
Kerberos mailing list/forum.

> I've tried before. Thinking out loud, maybe this:
> with getent passwd, samba gives this:
> ldb_wrap open of secrets.ldb
> Kerberos: TGS-REQ nslcd-service at SITE from ipv4: for
> ldap/hh3.site at SITE [canonicalize, renewable]
> I tried removing /tmp/krbcc_0 and doing this:
> hh3:/tmp # samba tool spn add ldap/hh3.site nslcd-service
> hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab
> --principal=ldap/hh3.site
> hh3:/tmp # chown nslcd-user:nslcd-user /etc/ldap.keytab
> But:
> Jan 20 14:16:15 hh3 nslcd[3575]: GSSAPI Error: Unspecified GSS failure.
>  Minor code may provide more information (Credentials cache file
> '/tmp/krb5cc_0' not found)
> So the next qn. would be how do I tell nslcd to look in the keytab rather
> than the cache file?

I don't know.  Maybe it can't use a keytab.  Perhaps the nslcd
developers could clarify this?

> Or maybe go the k5start way. Don't know!

Since the ticket cache works, I think k5start should work too, but
I've not tried it myself.

>>> Next stage: getting nslcd-user to be able to read the ticket and keep the
>>> ticket up to date.
>> Well, /tmp/krb5cc_0 is root's ticket cache.  Since you're running
>> nslcd as "nslcd-user", that's not the ticket cache you should be
>> using.
> Actually, kinit nslcd-service produced a file with the same name.

That's because you were logged in as root when you ran kinit.  That's
what I meant when I said it was "root's ticket cache".

Michael Wood <esiotrot at gmail.com>

More information about the samba mailing list