[Samba] nslcd service - "Client not found in Kerberos database"

Quinn Plattel qiet72 at gmail.com
Thu Jul 12 03:07:36 MDT 2012


OK, I did a simple GSSAPI test on the client with ldapsearch using
"ldapsearch -Y GSSAPI" and I get "Server not found in Kerberos database".
In log.samba on the server, it gives:

  Kerberos: TGS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:48879 for ldap/ubuntu-test.mydomain.net @ MYDOMAIN.NET [renewable, proxiable, forwardable]
  Kerberos: Server not found in database: ldap/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb
  Kerberos: Failed building TGS-REP to ipv4:10.45.1.55:48879

I have added "ldap/ubuntu-test.mydomain.net @ MYDOMAIN.NET" into the
server's /etc/krb5.keytab file using ktutil but the error still comes up.
It is as if Kerberos is not checking the /etc/krb5.keytab file.

Any ideas?

br,
Quinn

On Thu, Jul 12, 2012 at 10:41 AM, Quinn Plattel <qiet72 at gmail.com> wrote:

> Hi,
>
> I am trying to configure the nslcd service on an Ubuntu client for
> kerberos authentication against samba4.  My /etc/nslcd.conf contains the
> following:
>
> uid nslcd
> gid nslcd
> uri ldapi:///cofil01.mydomain.net
> base dc=mydomain,dc=net
> sasl_mech GSSAPI
> krb5_ccname FILE:/tmp/host.tkt
>
> I have added the host principal "host/ubuntu-test.mydomain.net @
> MYDOMAIN.NET" to /etc/krb5.keytab on both the samba4 server and the
> client by using ktutil. I have confirmed that the principals exist on both
> machines by using klist -ke /etc/krb5.keytab.
> "hostname -f" gives me the fully qualified domain name for the client.
>
> If I restart the nslcd service, I get the following error on the client:
>  * Starting Keep alive Kerberos ticket k5start
> k5start: error getting credentials: Client not found in Kerberos database
>
> On the samba4 server side, in the /var/log/samba/log.samba file, I get the
> following errors:
>   Kerberos: AS-REQ host/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:10.45.1.55:34456 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
>   Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb
>
> It says "no such entry found in hdb", does hdb refer to the
> /etc/krb5.keytab principal database or is it referring to a database that I
> don't know about?
>
> Note: I have put spaces around all "@" so the list does not interpret them
> as e-mail addresses.
>
>
> br,
> Quinn
>
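Added example (not part of the thread above, and not Samba's own code): a small classifier for the two kinds of "no such entry found in hdb" lines the post quotes. "hdb" is the Heimdal KDC's principal database; in Samba 4 that backend is the AD directory itself, not /etc/krb5.keytab on any host, so an entry added with ktutil never changes the KDC's answer. The script distinguishes a client principal the KDC does not know (AS-REQ, the "Client not found in Kerberos database" case) from a service principal it does not know (TGS-REQ, the "Server not found" case) and states, for each, what has to exist in the directory before a keytab entry is of any use. The sample log lines are constructed after the ones in the post; the KDC writes principals without spaces around "@", but the parser tolerates the spaced form the poster used for the list.

```python
"""Classify Kerberos 'no such entry found in hdb' errors from Samba 4 log.samba.

Added example; the sample log below is constructed to resemble the lines
quoted in the thread, with the real KDC spelling of principals (no spaces
around '@').
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: an AS-REQ from an unknown host principal, then a
# TGS-REQ for an unregistered ldap/ service principal.
SAMPLE_LOG = """\
Kerberos: AS-REQ host/ubuntu-test.mydomain.net@MYDOMAIN.NET from ipv4:10.45.1.55:34456 for krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net@MYDOMAIN.NET: no such entry found in hdb
Kerberos: TGS-REQ user@MYDOMAIN.NET from ipv4:10.45.1.55:48879 for ldap/ubuntu-test.mydomain.net@MYDOMAIN.NET [renewable, proxiable, forwardable]
Kerberos: Server not found in database: ldap/ubuntu-test.mydomain.net@MYDOMAIN.NET: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:10.45.1.55:48879
"""

# The poster put spaces around '@' so the list would not munge them; strip
# them so both spellings parse the same way.
_AT = re.compile(r"\s*@\s*")
_REQ = re.compile(
    r"^Kerberos: (?P<kind>AS-REQ|TGS-REQ) (?P<client>\S+) from (?P<addr>\S+) for (?P<server>\S+)"
)
_AS_UNKNOWN = re.compile(
    r"^Kerberos: UNKNOWN -- (?P<principal>\S+): no such entry found in hdb$"
)
_TGS_UNKNOWN = re.compile(
    r"^Kerberos: Server not found in database: (?P<principal>\S+): no such entry found in hdb$"
)


@dataclass
class Finding:
    kind: str           # "missing-client-principal" or "missing-service-principal"
    principal: str      # principal the KDC could not find in its database
    request: str        # AS-REQ or TGS-REQ that triggered the lookup
    source: str         # client address taken from the preceding request line
    remediation: str
    keytab_can_fix: bool = False  # an hdb lookup never consults /etc/krb5.keytab


def diagnose(log_text: str) -> List[Finding]:
    """Walk the log and pair each hdb failure with the request that caused it."""
    findings: List[Finding] = []
    last_req: Optional[Dict[str, str]] = None
    for raw in log_text.splitlines():
        line = _AT.sub("@", raw.strip())
        m = _REQ.match(line)
        if m:
            last_req = m.groupdict()
            continue
        req_kind = last_req["kind"] if last_req else "?"
        src = last_req["addr"] if last_req else "?"
        m = _AS_UNKNOWN.match(line)
        if m:
            # AS-REQ: the *requesting* identity has no account in the directory,
            # which the client sees as "Client not found in Kerberos database".
            findings.append(Finding(
                kind="missing-client-principal",
                principal=m["principal"],
                request=req_kind,
                source=src,
                remediation=("create the account in the directory the KDC reads "
                             "(for a host/ principal, join the machine to the domain), "
                             "then export its key to the client's keytab"),
            ))
            continue
        m = _TGS_UNKNOWN.match(line)
        if m:
            # TGS-REQ: the requested *service* principal is not registered as an
            # SPN on any account, so the KDC cannot issue a service ticket.
            findings.append(Finding(
                kind="missing-service-principal",
                principal=m["principal"],
                request=req_kind,
                source=src,
                remediation=("register the SPN on the account that will hold its key "
                             "(Samba: samba-tool spn add), then export that key to the "
                             "keytab on the host running the service"),
            ))
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f.request} from {f.source}: {f.kind} {f.principal}")
        print(f"  keytab entry alone fixes it: {f.keytab_can_fix}")
        print(f"  remediation: {f.remediation}")
```

Run it over a real log.samba to see which side of the exchange the KDC is rejecting; in the thread, both the AS-REQ and the TGS-REQ fail for the same reason, and both are resolved in the directory (computer account and SPN), with the keytab populated afterwards rather than before.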

