[Samba] nslcd service - "Client not found in Kerberos database"

steve steve at steve-ss.com
Thu Jul 12 07:08:04 MDT 2012

On 12/07/12 10:41, Quinn Plattel wrote:
> Hi,
> I am trying to configure the nslcd service on an Ubuntu client for kerberos
> authentication against samba4.  My /etc/nslcd.conf contains the following:
> uid nslcd
> gid nslcd
> uri ldapi:///cofil01.mydomain.net
> base dc=mydomain,dc=net
> sasl_mech GSSAPI
> krb5_ccname FILE:/tmp/host.tkt

Hi Quinn
It can't authenticate because it doesn't know which principal to use.

1. Include the realm after the GSSAPI line:
   sasl_realm MYDOMAIN.NET
2. Create an AD user, e.g. nslcd-service:
   samba-tool user add nslcd-service
3. Extract the keytab:
   samba-tool domain exportkeytab /etc/nslcd.keytab --principal=nslcd-service
4. Edit /etc/default/nslcd to contain:
   K5START_START="no"
5. Start the service:
   # -f keytab, -U use the keytab's first principal, -o owner of the
   # ticket cache, -K refresh interval in minutes, -k ticket cache file
   k5start -f /etc/nslcd.keytab -U -o nslcd -K 540 -k /tmp/host.tkt &
   service nslcd start

That's it.
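The five steps above as one script, added here as an example rather than code from the thread or from the Samba project. It keeps the reply's names (cofil01.mydomain.net, MYDOMAIN.NET, nslcd-service, /etc/nslcd.keytab, /tmp/host.tkt) and adds the checks a practitioner would want: the keytab must not be readable by anyone but its owner, the export must run on the DC (samba-tool domain exportkeytab reads the DC's local sam.ldb), and the result is verified with klist and getent. Assumptions not in the thread: the client talks to the DC over ldap:// (the quoted config's ldapi:/// is the scheme for a local Unix socket, not a hostname), samba-tool's --random-password option, k5start's -b flag in place of the trailing &, and Debian/Ubuntu default file locations.

```sh
#!/bin/sh
# Added example, not code from the mailing-list thread. Scripts the fix in the
# reply with the extra checks a practitioner would add. Assumed (not in the
# thread): ldap:// transport, samba-tool --random-password, k5start -b,
# Debian/Ubuntu default paths.
set -eu

DC_HOST="cofil01.mydomain.net"
BASE_DN="dc=mydomain,dc=net"
REALM="MYDOMAIN.NET"
SVC_USER="nslcd-service"
KEYTAB="/etc/nslcd.keytab"
CCACHE="/tmp/host.tkt"

# Print a corrected nslcd.conf. Args: dc-hostname base-dn realm ccache-path.
render_nslcd_conf() {
    cat <<EOF
uid nslcd
gid nslcd
# ldap:// to the DC by name: GSSAPI derives the ldap/<host>@<REALM> service
# principal from this hostname; ldapi:/// would mean a local Unix socket.
uri ldap://$1/
base $2
sasl_mech GSSAPI
# The realm to authenticate in; without it nslcd cannot pick a principal.
sasl_realm $3
krb5_ccname FILE:$4
EOF
}

# Return 0 only if the file exists and is readable solely by its owner
# (0600/0400): anyone who can read the keytab can act as the service account.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Steps 2 and 3, run as root on the DC: exportkeytab reads the DC's own
# sam.ldb, so it cannot run on the client. Copy the keytab over with scp.
export_keytab_on_dc() {
    samba-tool user add "$SVC_USER" --random-password
    samba-tool domain exportkeytab "$KEYTAB" --principal="$SVC_USER"
    chmod 0600 "$KEYTAB"
}

# Steps 1, 4 and 5, run as root on the Ubuntu client once the keytab is there.
configure_client() {
    keytab_mode_ok "$KEYTAB" || {
        echo "refusing: $KEYTAB missing or readable by others" >&2
        return 1
    }
    render_nslcd_conf "$DC_HOST" "$BASE_DN" "$REALM" "$CCACHE" > /etc/nslcd.conf
    chown root:nslcd /etc/nslcd.conf
    chmod 0640 /etc/nslcd.conf
    # Step 4: stop the init script from launching its own k5start.
    if grep -q '^K5START_START=' /etc/default/nslcd; then
        sed -i 's/^K5START_START=.*/K5START_START="no"/' /etc/default/nslcd
    else
        echo 'K5START_START="no"' >> /etc/default/nslcd
    fi
    # Step 5: k5start runs as root (it reads the root-owned keytab) and hands
    # the ticket cache to nslcd via -o; -b daemonises instead of the reply's &.
    k5start -b -f "$KEYTAB" -U -o nslcd -K 540 -k "$CCACHE"
    service nslcd start
    # Prove both halves work: a ticket is in the cache, and a lookup succeeds.
    klist -c "$CCACHE"
    getent passwd "$SVC_USER"
}

# Usage: sh nslcd-krb5.sh dc      (on the domain controller)
#        sh nslcd-krb5.sh client  (on the Ubuntu client)
case "${1:-}" in
    dc)     export_keytab_on_dc ;;
    client) configure_client ;;
esac
```

Two caveats the reply does not spell out: the keytab carries the service account's long-term key, so treat it like a password file (root-owned, mode 0600, copied between hosts only over an authenticated channel); and /tmp is world-writable, so a ticket cache under a directory only nslcd can write to is the safer home even though /tmp/host.tkt works.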

