[Samba] ldbsearch/kerberos issue

Geoff Crompton geoffc at trinity.unimelb.edu.au
Thu Apr 18 20:06:46 MDT 2013


Samba 4.0.5, Debian 6.0

I can successfully perform an ldbsearch on the Samba ldb by specifying 
the -U parameter:


     geoffc at test-dc03: ~ $ /usr/local/samba/bin/ldbsearch -H 
ldap://localhost  -U geoffc 'CN=IT' objectClass
     Password for [STAFF\geoffc]:
     # record 1
     dn: CN=IT,CN=Users,DC=testad2,DC=trinity,DC=unimelb,DC=edu,DC=au
     objectClass: top
     objectClass: posixGroup
     objectClass: group
     <snip>

and while I can kinit successfully, as this klist shows:

     geoffc at test-dc03: ~ $ klist
     Ticket cache: FILE:/tmp/krb5cc_12823
     Default principal: geoffc at TESTAD2.TRINITY.UNIMELB.EDU.AU

     Valid starting     Expires            Service principal
     04/19/13 10:35:28  04/19/13 20:35:28 
krbtgt/TESTAD2.TRINITY.UNIMELB.EDU.AU at TESTAD2.TRINITY.UNIMELB.EDU.AU
	renew until 04/20/13 10:35:24
     04/19/13 10:35:32  04/19/13 20:35:28 
ldap/dc01.testad2.trinity.unimelb.edu.au at TESTAD2.TRINITY.UNIMELB.EDU.AU


I cannot use the resulting ticket to
connect:

     geoffc at test-dc03: ~ $ /usr/local/samba/bin/ldbsearch -H 
ldap://localhost -k yes  'CN=IT'
     Failed to bind - LDAP client internal error: 
NT_STATUS_INVALID_PARAMETER
     Failed to connect to 'ldap://localhost' with backend 'ldap': (null)
     Failed to connect to ldap://localhost - (null)

Anyone know what's going on? This email may look familiar, Steve 
reported the same issue last July, 
https://lists.samba.org/archive/samba/2012-July/168315.html. This isn't 
the problem that Zach was talking about in 
https://lists.samba.org/archive/samba/2012-November/169941.html, as I'm 
not using an IP address in the url.

Cheers,
Geoff


More information about the samba mailing list