[Samba] Samba 4 and GSSAPI kerberos ldap connect
steve
steve at steve-ss.com
Fri Jan 27 00:40:13 MST 2012
On 01/27/2012 05:37 AM, Andrew Bartlett wrote:
> On Sun, 2012-01-22 at 15:32 +0100, steve wrote:
>
>> even though I've made a ldap/hh3.site principal:
>> hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
>> hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab
>> --principal=ldap/hh3.site
>>
>> Why do I get the
>> Decrypt integrity check failed
>> error?
> Why do you keep doing this?
>
> What makes you think this is the right thing to do (so I can correct
> whatever gave you this misconception).
>
> Samba will not read /etc/ldap.keytab.
>
> Samba uses the private keytab containing it's own machine account only.
> Samba should not be contacted via the dns domain name, it should be
> contacted by the fully qualified domain name.
>
> The fact the dns domain name (hh3.site) resolves is an artefact of the
> default AD DNS zone, but should not be used. If your client uses the
> fully qualified name (dc.hh3.site), it will collect the correct ticket,
> and Samba will decrypt it.
>
> Thanks,
>
> Andrew Bartlett
>
Hi
Thanks for pointing this out. It turned out that when I provisioned, I
had the fqdn wrong. Duh! I set that correctly in /etc/hosts,
reprovisioned and everything sprang to life. ldapsearch -Y GSSAPI worked
and I could extract stuff I'd put into the s4 LDAP database so our Linux
users could connect.
I have still not been able to get winbind nor the fileserver working, so
I've added nfs4 for the Linux clients and there I did need to add a
principal for the kerberized nfs, otherwise the nfs server would not
start. It's a bit of a hack but it's good enough for us at the moment. I
got around the user id mappings as described here:
http://linuxcostablanca.blogspot.com/p/samba-4.html
Thanks for your time,
Steve
More information about the samba
mailing list