[Samba] ldap+kerberos+samba

Friedrich Locke friedrich.locke at gmail.com
Tue Feb 19 04:26:02 MST 2013


Here you have them:

http://sioux.geekisp.com/smb.conf
http://sioux.geekisp.com/smbldap.conf
http://sioux.geekisp.com/smbldap_bind.conf

Thank you a lot for your time and cooperation.

Regards.

On Mon, Feb 18, 2013 at 8:45 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2013-02-18 at 16:52 -0300, Friedrich Locke wrote:
>> Dear list members,
>>
>> I am trying to get ldap + samba + kerberos working and have tried to
>> make the proper configuration.
>> Integrating samba + ldap was pretty easy, but getting kerberos to work
>> seems a nightmare.
>>
>> Here is what I tried (copied and pasted from my link client):
>>
>> harley at 802-1x:/etc/samba$ kdestroy
>> harley at 802-1x:/etc/samba$ kinit
>> harley at UFV.BR's Password:
>> harley at 802-1x:/etc/samba$ klist
>> Credentials cache: FILE:/tmp/krb5cc_1000
>>         Principal: harley at UFV.BR
>>
>>   Issued                Expires               Principal
>> Feb 18 15:53:33 2013  Feb 18 19:53:33 2013  krbtgt/UFV.BR at UFV.BR
>> harley at 802-1x:/etc/samba$ smbclient //802-1x.cpd.ufv.br/printers -k
>> session setup failed: NT_STATUS_LOGON_FAILURE
>> harley at 802-1x:/etc/samba$ klist
>> Credentials cache: FILE:/tmp/krb5cc_1000
>>         Principal: harley at UFV.BR
>>
>>   Issued                Expires               Principal
>> Feb 18 15:53:33 2013  Feb 18 19:53:33 2013  krbtgt/UFV.BR at UFV.BR
>> Feb 18 15:53:44 2013  Feb 18 19:53:33 2013  cifs/802-1x.cpd.ufv.br at UFV.BR
>> harley at 802-1x:/etc/samba$
>>
>>
>>
>> We can see that smbclient is fetching the ticket for the cifs service.
>> But why NT_STATUS_LOGON_FAILURE?
>> Nothing appears in the smbd logs.
>
> How is samba connected to the krb5 realm?  What configuration options
> have you set to make it use a keytab?
>
> That all said, this kind of frustration is why I worked so hard on Samba
> 4.0 as an AD DC, because it provides the server-side integration of
> LDAP, Kerberos and the Domain protocols that allow Samba and Windows
> member servers to join it, and for it to 'just work'.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>
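
The question raised in the reply above, which options make Samba use a keytab, can be checked mechanically. The following is an added example, not part of the thread or of Samba's own code: a Python check over the `[global]` section of an smb.conf using the `kerberos method` and `dedicated keytab file` parameters from smb.conf(5). The sample configurations and the keytab path are constructed, and treating a missing `realm` as a finding is an assumption of this example.

```python
import re
# "kerberos method" values from smb.conf(5) that make smbd read a keytab.
KEYTAB_METHODS = {"system keytab", "dedicated keytab", "secrets and keytab"}

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names ignore case and embedded whitespace.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def keytab_findings(text):
    """List reasons this smb.conf gives smbd no keytab to verify tickets with."""
    p = parse_global(text)
    findings = []
    method = p.get("kerberosmethod", "secrets only").lower()
    if "realm" not in p:
        findings.append("realm is not set")
    if method not in KEYTAB_METHODS:
        findings.append("kerberos method is '%s': only secrets.tdb is used" % method)
    if method == "dedicated keytab" and "dedicatedkeytabfile" not in p:
        findings.append("dedicated keytab selected but no dedicated keytab file")
    return findings

# Constructed samples; the thread's real smb.conf is linked, not shown.
LDAP_ONLY = """[global]
  security = user
  passdb backend = ldapsam:ldap://localhost
"""
WITH_KEYTAB = """[global]
  realm = UFV.BR
  Kerberos Method = dedicated keytab
  dedicated keytab file = /etc/krb5.keytab
"""

if __name__ == "__main__":
    for label, conf in (("LDAP_ONLY", LDAP_ONLY), ("WITH_KEYTAB", WITH_KEYTAB)):
        print(label, keytab_findings(conf) or "keytab settings present")
```

An empty result only means the settings are present; whether the keytab actually holds a key for the `cifs/` principal seen in the client's ticket cache still has to be checked on the server.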