[Samba] Samba 4 and GSSAPI kerberos ldap connect

Michael Wood esiotrot at gmail.com
Fri Jan 20 08:09:15 MST 2012


On 20 January 2012 15:23, steve <steve at steve-ss.com> wrote:
> On 20/01/12 12:41, Michael Wood wrote:
[...]
> I did this:
>
>  samba-tool user add nslcd-service
> New Password:
> User 'nslcd-service' created successfully
> kinit nslcd-service
> Password for nslcd-service at SITE:
> Warning: Your password will expire in 41 days on Fri Mar  2 13:47:22 2012
> hh3:/tmp # chown nslcd-user:nslcd-user krb5cc_0
>  rcnslcd restart
> redirecting to systemctl
> hh3:/tmp # getent passwd steve2
>
> steve2:x:3000000:100:steve2:/home/CACTUS/steve2:/bin/bash
>
> Seems to work OK.

OK.

> I know I should use a keytab, then presumably I'd not need to keep
> refreshing the ticket using k5start. I really would like to find out
> how to do that.

I'm starting to think that maybe a keytab is not the answer and
k5start is.  Maybe someone that knows more about Kerberos will
enlighten us, but it might make more sense to ask the question on a
Kerberos mailing list/forum.

> I've tried before. Thinking out loud, maybe this:
>
> with getent passwd, samba gives this:
> ldb_wrap open of secrets.ldb
> Kerberos: TGS-REQ nslcd-service at SITE from ipv4:192.168.1.3:50765 for
> ldap/hh3.site at SITE [canonicalize, renewable]
>
> I tried removing /tmp/krbcc_0 and doing this:
>
> hh3:/tmp # samba tool spn add ldap/hh3.site nslcd-service
>
> hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab
> --principal=ldap/hh3.site
> hh3:/tmp # chown nslcd-user:nslcd-user /etc/ldap.keytab
>
> But:
> Jan 20 14:16:15 hh3 nslcd[3575]: GSSAPI Error: Unspecified GSS failure.
>  Minor code may provide more information (Credentials cache file
> '/tmp/krb5cc_0' not found)
>
> So the next qn. would be how do I tell nslcd to look in the keytab rather
> than the cache file?

I don't know.  Maybe it can't use a keytab.  Perhaps the nslcd
developers could clarify this?

> Or maybe go the k5start way. Don't know!

Since the ticket cache works, I think k5start should work too, but
I've not tried it myself.

>>> Next stage: getting nslcd-user to be able to read the ticket and keep the
>>> ticket up to date.
>>
>> Well, /tmp/krb5cc_0 is root's ticket cache.  Since you're running
>> nslcd as "nslcd-user", that's not the ticket cache you should be
>> using.
>
> Actually, kinit nslcd-service produced a file with the same name.

That's because you were logged in as root when you ran kinit.  That's
what I meant when I said it was "root's ticket cache".

-- 
Michael Wood <esiotrot at gmail.com>
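For the keytab-plus-k5start route discussed above, here is an added example (my own script, not code from the thread, Samba or nslcd) that gives nslcd a ticket cache owned by the user it runs as and keeps it renewed from a keytab; the paths and names come from the thread as placeholders, and the k5start flags and the nslcd.conf `krb5_ccname` option are assumptions about those tools.

```shell
#!/bin/sh
# Added example, not code from the thread: give nslcd its own GSSAPI ticket
# cache, owned by the user nslcd runs as, kept fresh from a keytab by k5start
# instead of reusing root's /tmp/krb5cc_0. Paths, the service user and the
# principal below are placeholders taken from the thread; the k5start flags and
# the nslcd.conf krb5_ccname option are assumptions about those tools.

NSLCD_USER="nslcd-user"
KEYTAB="/etc/ldap.keytab"              # placeholder keytab path
PRINCIPAL="ldap/hh3.site"              # placeholder SPN from the thread
CCACHE="/var/run/nslcd/krb5cc_nslcd"   # cache readable by nslcd-user

# Return 0 only if the cache file exists and is owned by the nslcd user.
# This is the check that would have flagged "root's ticket cache" above.
check_ccache_owner() {
    user="$1"; path="$2"
    [ -f "$path" ] || { echo "ccache $path missing" >&2; return 1; }
    owner=$(stat -c %U "$path" 2>/dev/null || stat -f %Su "$path")
    [ "$owner" = "$user" ] || {
        echo "ccache $path owned by $owner, not $user" >&2; return 1; }
}

# Return 0 only if the cache holds an unexpired TGT (MIT and Heimdal klist).
check_ticket_valid() {
    KRB5CCNAME="FILE:$1" klist -s
}

# One-time setup, run as root on the DC: export the SPN's keys to a keytab,
# then let k5start obtain a TGT from it, write the cache as NSLCD_USER and
# renew every 10 minutes (-K) with a one-day lifetime (-l), in the background.
setup_nslcd_ticket() {
    samba-tool domain exportkeytab "$KEYTAB" --principal="$PRINCIPAL"
    chown "$NSLCD_USER" "$KEYTAB" && chmod 600 "$KEYTAB"
    k5start -b -U -f "$KEYTAB" -k "$CCACHE" -o "$NSLCD_USER" -K 10 -l 1d
    # nslcd.conf then needs to point at the same cache:
    #   sasl_mech   GSSAPI
    #   krb5_ccname FILE:/var/run/nslcd/krb5cc_nslcd
    check_ccache_owner "$NSLCD_USER" "$CCACHE" && check_ticket_valid "$CCACHE"
}
```

Run `setup_nslcd_ticket` once as root, then restart nslcd; `check_ccache_owner nslcd-user /var/run/nslcd/krb5cc_nslcd` is the quick test for the ownership mistake from the thread.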