[Samba] nslcd service - "Client not found in Kerberos database"

Quinn Plattel qiet72 at gmail.com
Mon Jul 16 07:18:53 MDT 2012


Steve,

An alternate workaround to steps 3,4,5 is to do the following:
3: samba-tool domain exportkeytab /etc/krb5.keytab --principal=nslcd-service
4: edit /etc/default/nslcd and add the line:
K5START_PRINCIPAL="nslcd-service"
5: start nslcd with "service nslcd start"

So now we have two principals we can use for nslcd, a user principal named
nslcd-service or a computer account created by "net ads join".
I can see you use -K 540 for k5start.  The -K parameter refreshes the
kerberos credentials cache - with yours every 9 hours or 540 minutes, but
if you use ubuntu's defaults, it refreshes once an hour, aka every 60
minutes.

br,
Quinn

On Thu, Jul 12, 2012 at 3:08 PM, steve <steve at steve-ss.com> wrote:

> On 12/07/12 10:41, Quinn Plattel wrote:
>
>> Hi,
>>
>> I am trying to configure the nslcd service on an Ubuntu client for
>> kerberos
>> authentication against samba4.  My /etc/nslcd.conf contains the following:
>>
>> uid nslcd
>> gid nslcd
>> uri ldapi:///cofil01.mydomain.net
>> base dc=mydomain,dc=net
>> sasl_mech GSSAPI
>> krb5_ccname FILE:/tmp/host.tkt
>>
>
> Hi Quinn
> It can't authenticate because it doesn't know which principal to use.
>
> 1. Include the realm after the GSSAPI line:
> sasl_realm MYDOMAIN.NET
> 2. Create an AD user e.g. nslcd-service
> samba-tool user add nslcd-service
> 3. extract the keytab:
> samba-tool domain exportkeytab /etc/nslcd.keytab --principal=nslcd-service
> 4. edit /etc/default/nslcd to contain: K5START_START="no"
> 5. start the service
> k5start -f /etc/nslcd.keytab -U -o nslcd -K 540 -k /tmp/host.tkt &
> service nslcd start
>
> That's it.
>
> HTH
> Cheers,
> Steve
>



-- 
Best regards/Med venlig hilsen,
Quinn Plattel


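Added example, not from the thread or from the Samba project: a small pre-flight script for the setup the steps above produce. Before starting nslcd it checks that the exported keytab really contains nslcd-service in the expected realm (a "Client not found in Kerberos database" error means the KDC knows no principal by the name the client presented), that the keytab is readable by its owner only, and that nslcd.conf carries the sasl_realm line. It assumes MIT krb5 klist and the file paths, principal and realm used in the thread; all of those are overridable through environment variables.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the nslcd/k5start
# setup described above. Assumes MIT krb5 `klist` and the paths, principal and
# realm used in the thread (override them via environment variables).
set -eu

KEYTAB="${KEYTAB:-/etc/nslcd.keytab}"
NSLCD_CONF="${NSLCD_CONF:-/etc/nslcd.conf}"
PRINCIPAL="${PRINCIPAL:-nslcd-service}"
REALM="${REALM:-MYDOMAIN.NET}"

# Succeeds if a `klist -k` listing read from stdin contains PRINCIPAL@REALM.
# Lines look like "   1 nslcd-service@MYDOMAIN.NET": KVNO, then principal.
keytab_has_principal() {
    awk -v want="$1@$2" '$2 == want { found = 1 } END { exit !found }'
}

# Succeeds if the file is readable by its owner only (group/other bits clear):
# the keytab is a long-term credential, so any wider read access is a bug.
owner_only() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Succeeds if nslcd.conf has a `sasl_realm` line naming the expected realm
# (step 1 in the reply above; without it nslcd cannot pick the principal).
conf_has_realm() {
    awk -v r="$2" '$1 == "sasl_realm" && $2 == r { ok = 1 } END { exit !ok }' "$1"
}

main() {
    rc=0
    klist -k "$KEYTAB" | keytab_has_principal "$PRINCIPAL" "$REALM" \
        || { echo "missing $PRINCIPAL@$REALM in $KEYTAB"; rc=1; }
    owner_only "$KEYTAB" \
        || { echo "$KEYTAB is readable by group/others"; rc=1; }
    conf_has_realm "$NSLCD_CONF" "$REALM" \
        || { echo "no 'sasl_realm $REALM' line in $NSLCD_CONF"; rc=1; }
    return "$rc"
}

# Run the checks only when invoked as `sh nslcd-check.sh --run`.
if [ "${1:-}" = "--run" ]; then main; fi
```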