[Samba] Samba 4 and GSSAPI kerberos ldap connect

Andrew Bartlett abartlet at samba.org
Fri Jan 27 01:37:08 MST 2012

On Fri, 2012-01-27 at 08:40 +0100, steve wrote:
> On 01/27/2012 05:37 AM, Andrew Bartlett wrote:
> > On Sun, 2012-01-22 at 15:32 +0100, steve wrote:
> >
> >> even though I've made a ldap/hh3.site principal:
> >> hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
> >> hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab
> >> --principal=ldap/hh3.site
> >>
> >> Why do I get the
> >> Decrypt integrity check failed
> >> error?
> > Why do you keep doing this?
> >
> > What makes you think this is the right thing to do (so I can correct
> > whatever gave you this misconception).
> >
> > Samba will not read /etc/ldap.keytab.
> >
> > Samba uses the private keytab containing its own machine account only.
> > Samba should not be contacted via the dns domain name, it should be
> > contacted by the fully qualified domain name.
> >
> > The fact the dns domain name (hh3.site) resolves is an artefact of the
> > default AD DNS zone, but should not be used.  If your client uses the
> > fully qualified name (dc.hh3.site), it will collect the correct ticket,
> > and Samba will decrypt it.
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
> Hi
> Thanks for pointing this out. It turned out that when I provisioned, I 
> had the fqdn wrong. Duh! I set that correctly in /etc/hosts, 
> reprovisioned and everything sprang to life. ldapsearch -Y GSSAPI worked 
> and I could extract stuff I'd put into the s4 LDAP database so our Linux 
> users could connect.
> I have still not been able to get winbind nor the fileserver working, so 
> I've added nfs4 for the Linux clients and there I did need to add a 
> principal for the kerberized nfs, otherwise the nfs server would not 
> start. 

That is correct.  Unlike our internal services, you will need to add an
account and give that account an SPN to allow other kerberos services to
work.  You then extract the keytab entry into the keytab file the
service expects to use (quite possibly the system
default /etc/krb5.keytab).

> It's a bit of a hack but it's good enough for us at the moment. I 
> got around the user id mappings as described here:
>   http://linuxcostablanca.blogspot.com/p/samba-4.html

I'll try and look over that and give you some feedback.  Where possible,
refer folks to the official HOWTO, as we can keep that up to date and
correct errors/misconceptions centrally that way. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
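As an added example (not code from the thread or from the Samba project), the procedure Andrew describes for a non-Samba kerberized service such as steve's NFS server, together with a check for the bare-domain-name mistake that produced the "Decrypt integrity check failed" error and a check that the exported keytab actually holds the principal. The DC name dc.hh3.site, the realm HH3.SITE and the account name nfs-svc are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. Assumed names:
# DC FQDN dc.hh3.site, realm HH3.SITE, service account nfs-svc.
REALM="HH3.SITE"
DC_FQDN="dc.hh3.site"
AD_DNS_DOMAIN="hh3.site"
SVC_ACCOUNT="nfs-svc"
SPN="nfs/${DC_FQDN}"
KEYTAB="/etc/krb5.keytab"

# The steps from Andrew's reply for a non-Samba kerberized service: create an
# account, give it an SPN, export that principal's key into the keytab the
# service reads. Run on the DC as root; not called by the checks below.
provision_service_keytab() {
    samba-tool user create "$SVC_ACCOUNT" --random-password
    samba-tool user setexpiry "$SVC_ACCOUNT" --noexpiry
    samba-tool spn add "$SPN" "$SVC_ACCOUNT"
    samba-tool domain exportkeytab "$KEYTAB" --principal="$SPN"
}

# The misconfiguration from the thread: a client that targets the bare AD
# DNS domain (hh3.site) asks for ldap/hh3.site, which the DC's own keytab
# cannot decrypt ("Decrypt integrity check failed"). Returns 0 for a host
# inside the domain, 1 for the bare domain name, 2 for a name outside it.
check_server_name() {
    case "$1" in
        "$2")   return 1 ;;
        *."$2") return 0 ;;
        *)      return 2 ;;
    esac
}

# Verify the export: read `klist -k` output on stdin and succeed only if the
# expected principal appears as a whole field (works for both the MIT and
# the Heimdal listing layout, which differ in their leading columns).
keytab_has_principal() {
    awk -v want="$1" '
        { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Stand-alone use on the DC: ./nfs-keytab.sh --provision
if [ "${1:-}" = "--provision" ]; then
    check_server_name "$DC_FQDN" "$AD_DNS_DOMAIN" || exit 1
    provision_service_keytab
    klist -k "$KEYTAB" | keytab_has_principal "${SPN}@${REALM}"
fi
```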
