[Samba] nslcd service - "Client not found in Kerberos database"

Quinn Plattel qiet72 at gmail.com
Thu Jul 12 12:30:35 MDT 2012


Hi Steve,

Thanks for the info - that helps a lot!
I can see that the /etc/init.d/nslcd script in Ubuntu needs modifying in
order for k5start to work.  It uses -u to specify an alternate principal
which you don't use in your example.
The script uses "host/client.example.com" as an alternate principal - can
you not use that principal format instead of just a user name?

br,
Quinn

On Thu, Jul 12, 2012 at 3:08 PM, steve <steve at steve-ss.com> wrote:

> On 12/07/12 10:41, Quinn Plattel wrote:
>
>> Hi,
>>
>> I am trying to configure the nslcd service on an Ubuntu client for kerberos
>> authentication against samba4.  My /etc/nslcd.conf contains the following:
>>
>> uid nslcd
>> gid nslcd
>> uri ldapi:///cofil01.mydomain.net
>> base dc=mydomain,dc=net
>> sasl_mech GSSAPI
>> krb5_ccname FILE:/tmp/host.tkt
>>
>
> Hi Quinn
> It can't authenticate because it doesn't know which principal to use.
>
> 1. Include the realm after the GSSAPI line:
>    sasl_realm MYDOMAIN.NET
> 2. Create an AD user, e.g. nslcd-service:
>    samba-tool user add nslcd-service
> 3. Extract the keytab:
>    samba-tool domain exportkeytab /etc/nslcd.keytab --principal=nslcd-service
> 4. Edit /etc/default/nslcd to contain: K5START_START="no"
> 5. Start the service:
>    k5start -f /etc/nslcd.keytab -U -o nslcd -K 540 -k /tmp/host.tkt &
>    service nslcd start
>
> That's it.
>
> HTH
> Cheers,
> Steve



-- 
Best regards/Med venlig hilsen,
Quinn Plattel
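
Added example, not part of the original thread: a pre-flight check for the setup in the quoted steps, meant to be run before `service nslcd start`. It confirms that `sasl_realm` is set, that `krb5_ccname` names the same cache file k5start writes with `-k`, and that the exported keytab is not readable by group or other. The function names `conf_get` and `check_nslcd_gssapi` are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Print the value of the last "KEY VALUE" line for KEY in an nslcd.conf.
conf_get() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Usage: check_nslcd_gssapi CONF KEYTAB CACHE
# CACHE is the file k5start writes (-k). Prints one finding per line and
# returns 1 if there is any finding, 0 otherwise.
check_nslcd_gssapi() {
    conf=$1; keytab=$2; cache=$3; bad=0
    if [ "$(conf_get "$conf" sasl_mech)" != "GSSAPI" ]; then
        echo "sasl_mech is not GSSAPI"; bad=1
    fi
    if [ -z "$(conf_get "$conf" sasl_realm)" ]; then
        echo "sasl_realm is not set"; bad=1
    fi
    cc=$(conf_get "$conf" krb5_ccname)
    if [ "${cc#FILE:}" != "$cache" ]; then
        echo "krb5_ccname '$cc' does not point at k5start cache $cache"; bad=1
    fi
    # A keytab holds long-term keys: only its owner should be able to read it.
    if [ ! -f "$keytab" ]; then
        echo "keytab not found: $keytab"; bad=1
    elif [ -n "$(find "$keytab" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "keytab is readable by group or other: $keytab"; bad=1
    fi
    return "$bad"
}

# Constructed sample: the nslcd.conf from the question (before step 1) and
# an empty stand-in keytab with loose permissions.
demo=$(mktemp -d)
cat > "$demo/nslcd.conf" <<'EOF'
uid nslcd
gid nslcd
uri ldapi:///cofil01.mydomain.net
base dc=mydomain,dc=net
sasl_mech GSSAPI
krb5_ccname FILE:/tmp/host.tkt
EOF
: > "$demo/nslcd.keytab"
chmod 644 "$demo/nslcd.keytab"
check_nslcd_gssapi "$demo/nslcd.conf" "$demo/nslcd.keytab" /tmp/host.tkt || true
rm -rf "$demo"
```

On the sample it reports the missing `sasl_realm` and the group/other-readable keytab; after step 1 and a `chmod 600` on the keytab it prints nothing and returns 0.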