[Samba] Question on approach to authenticate Linux against Samba4
dahopkins at comcast.net
Fri Jul 26 09:23:33 MDT 2013
Thank you for the help ... it seems like I'm almost there, but ... short version: getent passwd doesn't retrieve any information from the Samba4 DC. It seems that nslcd tries to use a simple bind and not Kerberos, but I think I have nslcd.conf set correctly. Rest of the story, see below.
>For good measure add the DC to /etc/hosts on the client.
>> Step 6: I already have samba-common, and samba-common-bin (latest for
>> 10.04) installed.
The directions I'm following have two different locations for the ticket cache ... it shouldn't make a difference as long as I am consistent in specifying where the tickets are located. I also had to install kstart on 10.04.
> 10.04 . Did these go in OK?
> sasl2-bin libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit
There weren't any errors in the log for installing these, but authentication still isn't working.
I can start nslcd and get the warning about sasl_mech and sasl_realm.
Starting nslcd from the command line, there is an error concerning /var/run/nslcd/socket, but I'm not sure if this is the issue.
nslcd: DEBUG: add_uri(ldap://10.179.2.25/)
nslcd: /etc/nslcd.conf:18: option sasl_mech is currently not fully supported (please report any successes)
nslcd: /etc/nslcd.conf:19: option sasl_realm is currently not fully supported (please report any successes)
nslcd: version 0.7.2 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(130) done
nslcd: DEBUG: setuid(125) done
nslcd: accepting connections
I can then try getent passwd, but that also fails (getent only returns the local accounts) ... nslcd returns the following:
nslcd:  DEBUG: connection from pid=6647 uid=0 gid=0
nslcd:  DEBUG: nslcd_passwd_all()
nslcd:  DEBUG: myldap_search(base="dc=ncs,dc=k12,dc=de,dc=us", filter="(objectClass=posixAccount)")
nslcd:  DEBUG: ldap_initialize(ldap://10.179.2.25/)
nslcd:  DEBUG: ldap_set_rebind_proc()
nslcd:  DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd:  DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd:  DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd:  DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd:  DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd:  DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd:  DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd:  DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://10.179.2.25/")
nslcd:  connected to LDAP server ldap://10.179.2.25/
nslcd:  ldap_result() failed: Operations error
I'm going to guess it is the simple bind, but I'm not sure how to force use of Kerberos. I can get tickets for any valid account, but I am missing something for the authentication. nslcd is using the keytab to get tickets. My pre-existing LDAP approach had allowed the simple bind, but how do I now change it for Kerberos?
> > I'd assume I need to uninstall these and install samba4 instead
> >(especially as step 8 is to join the domain).
>No. You only need enough of samba on the client to get the net command
>to join the domain. Any old version of samba will do. What you have is
>more than enough.
Joining the domain works ... net ads info returns:
>net ads info
LDAP server: 10.179.2.25
LDAP server name: ncssamba1.ncs.k12.de.us
Bind Path: dc=NCS,dc=K12,dc=DE,dc=US
LDAP port: 389
Server time: Fri, 26 Jul 2013 10:11:49 EDT
KDC server: 10.179.2.25
Server time offset: 0
In nslcd.conf, I have
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
Note: I'm not sure why the attribute is sAMAccountName instead of samAccountName, but that is what is shown if I dump the LDAP database via slapcat. Also, I can change passwords as well as all other information using ADUC on a Windows 2008 server without issues. I just can't seem to figure out how to get nslcd to bind correctly.
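The debug output above shows nslcd calling ldap_simple_bind_s(NULL,NULL), an anonymous bind, and then getting "Operations error" on the search; an AD-style DC normally accepts the anonymous bind but refuses the search that follows it, so the fix is to make nslcd bind with Kerberos. The following is an added example, not the poster's configuration and not from the thread: a small POSIX shell script that renders an nslcd.conf using SASL/GSSAPI with a ticket cache, starts k5start (from the kstart package mentioned above) to keep that cache fresh from a keytab, and reproduces the bind outside nslcd with ldapsearch so the Kerberos side can be checked independently of the "sasl_mech ... not fully supported" warning from nslcd 0.7.2. The DC address and base DN are taken from the net ads info output; the realm NCS.K12.DE.US, the keytab path, the ticket cache path, the nslcd user and group names, the k5start renewal interval and the passwd/group filters are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): switch nslcd from an anonymous
# simple bind to a Kerberos (SASL/GSSAPI) bind with a keytab-backed ticket cache.
# Values from the thread: DC 10.179.2.25, base dc=ncs,dc=k12,dc=de,dc=us.
# Assumed: realm, keytab path, cache path, nslcd user/group, renewal interval, filters.

DC_URI="ldap://10.179.2.25/"
BASE_DN="dc=ncs,dc=k12,dc=de,dc=us"
REALM="NCS.K12.DE.US"                 # assumed from the DC name ncssamba1.ncs.k12.de.us
KEYTAB="/etc/nslcd.keytab"            # assumed: keytab for the principal nslcd binds as
CCACHE="/var/run/nslcd/nslcd.tkt"     # assumed: cache path, must be readable by nslcd
NSLCD_USER="nslcd"                    # assumed: the unprivileged user nslcd drops to
NSLCD_GROUP="nslcd"

# Render an nslcd.conf with no binddn/bindpw: the bind identity is the Kerberos
# ticket in krb5_ccname, so no directory password lives on the client.
render_nslcd_conf() {
    cat <<EOF
uid ${NSLCD_USER}
gid ${NSLCD_GROUP}
uri ${DC_URI}
base ${BASE_DN}
ldap_version 3

# Kerberos bind instead of ldap_simple_bind_s(NULL,NULL)
sasl_mech GSSAPI
sasl_realm ${REALM}
krb5_ccname ${CCACHE}

# AD referrals are not useful from a client; page large result sets
referrals off
pagesize 1000

# Assumed filters: AD users carry objectClass=user, not posixAccount, so only
# select entries that actually have POSIX attributes set
filter passwd (&(objectClass=user)(uidNumber=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter group (&(objectClass=group)(gidNumber=*))
map group uniqueMember member
EOF
}

# Obtain a ticket from the keytab and renew it every 60 minutes (assumed interval),
# writing the cache owned by the nslcd user so the daemon can read it after setuid().
start_ticket_renewal() {
    k5start -f "${KEYTAB}" -U -K 60 -b -L -o "${NSLCD_USER}" -g "${NSLCD_GROUP}" -k "${CCACHE}"
}

# Reproduce nslcd's intended bind and search outside nslcd, using the same cache.
# If this fails, the keytab/cache/SASL setup is wrong; if it works, nslcd is the problem.
check_gssapi_bind() {
    KRB5CCNAME="${CCACHE}" ldapsearch -LLL -Y GSSAPI -H "${DC_URI}" -b "${BASE_DN}" \
        '(&(objectClass=user)(uidNumber=*))' sAMAccountName uidNumber unixHomeDirectory
}

case "${1:-render}" in
    render) render_nslcd_conf ;;
    start)  start_ticket_renewal ;;
    check)  check_gssapi_bind ;;
    *) echo "usage: $0 render|start|check" >&2; exit 2 ;;
esac
```

Run it as `sh nslcd-gssapi.sh render > /etc/nslcd.conf`, then `start` and `check` on the client; the `check` step needs ldap-utils and the libsasl2-modules-gssapi-mit package already installed above, and the ticket cache path in krb5_ccname must be the one k5start writes, since two different cache locations in the instructions is exactly the kind of mismatch that leaves nslcd without a usable ticket.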