[Samba] nslcd service - "Client not found in Kerberos database"

Quinn Plattel qiet72 at gmail.com
Thu Jul 12 02:41:56 MDT 2012


I am trying to configure the nslcd service on an Ubuntu client for kerberos
authentication against samba4.  My /etc/nslcd.conf contains the following:

uid nslcd
gid nslcd
uri ldapi:///cofil01.mydomain.net
base dc=mydomain,dc=net
sasl_mech GSSAPI
krb5_ccname FILE:/tmp/host.tkt

I have added the host principal "host/ubuntu-test.mydomain.net @
MYDOMAIN.NET" to /etc/krb5.keytab on both the samba4 server and the client
by using ktutil. I have confirmed that the principals exist on both
machines by using klist -ke /etc/krb5.keytab.
"hostname -f" gives me the fully qualified domain name for the client.

If I restart the nslcd service, I get the following error on the client:
 * Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database

On the samba4 server side, in the /var/log/samba/log.samba file, I get
following errors:
  Kerberos: AS-REQ host/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4: for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
  Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no
such entry found in hdb

It says "no such entry found in hdb", does hdb refer to the
/etc/krb5.keytab principal database or is it referring to a database that I
don't know about?

Note: I have put spaces around all "@" so the list does not interpret them
as e-mail addresses.


More information about the samba mailing list