[Samba] Question on approach to authenticate Linux against Samba4

dahopkins at comcast.net dahopkins at comcast.net
Fri Jul 26 14:21:51 MDT 2013

Since I couldn't get 10.04 to work, I built a server with the base 12.04 install and added the required packages per the documents suggested earlier, except that I didn't install any Samba packages. This has worked, and I can now log on to the new server with all the original accounts. I have no idea why 10.04 didn't work, except for the warning about SASL not being complete ... 

----- Original Message -----
From: dahopkins at comcast.net 
To: "steve" <steve at steve-ss.com> 
Cc: samba at lists.samba.org 
Sent: Friday, July 26, 2013 11:23:33 AM 
Subject: Re: [Samba] Question on approach to authenticate Linux against Samba4 

Thank you for the help ... it seems like I'm almost there, but ... short version: getent passwd doesn't retrieve any information from the Samba4 DC. It seems that nslcd tries to use a simple bind and not Kerberos, but I think I have nslcd.conf set correctly. For the rest of the story, see below. 

>For good measure add the DC to /etc/hosts on the client. 


>> Step 6: I already have samba-common, and samba-common-bin (latest for 
>> 10.04) installed. 

The directions I'm following have two different locations for the ticket cache ... it shouldn't make a difference as long as I am consistent in specifying where the tickets are located. I also had to install kstart on 10.04. 

> 10.04 . Did these go in OK? 
> sasl2-bin libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit 

There weren't any errors in the log from installing these, but authentication still isn't working. 
I can start nslcd and get the warning about sasl_mech and sasl_realm. 

Starting nslcd from the command line, there is an error concerning /var/run/nslcd/socket, but I'm not sure if this is the issue. 
>nslcd -d 
nslcd: DEBUG: add_uri(ldap:// 
nslcd: /etc/nslcd.conf:18: option sasl_mech is currently not fully supported (please report any successes) 
nslcd: /etc/nslcd.conf:19: option sasl_realm is currently not fully supported (please report any successes) 
nslcd: version 0.7.2 starting 
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory 
nslcd: DEBUG: setgroups(0,NULL) done 
nslcd: DEBUG: setgid(130) done 
nslcd: DEBUG: setuid(125) done 
nslcd: accepting connections 

I can then try getent passwd, but that also fails (getent only returns the local accounts) ... nslcd returns the following: 

nslcd: [334873] DEBUG: connection from pid=6647 uid=0 gid=0 
nslcd: [334873] DEBUG: nslcd_passwd_all() 
nslcd: [334873] DEBUG: myldap_search(base="dc=ncs,dc=k12,dc=de,dc=us", filter="(objectClass=posixAccount)") 
nslcd: [334873] DEBUG: ldap_initialize(ldap:// 
nslcd: [334873] DEBUG: ldap_set_rebind_proc() 
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3) 
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0) 
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0) 
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0) 
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0) 
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON) 
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON) 
nslcd: [334873] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://") 
nslcd: [334873] connected to LDAP server ldap:// 
nslcd: [334873] ldap_result() failed: Operations error 

I'm going to guess it is the simple bind, but I'm not sure how to force the use of Kerberos. I can get tickets for any valid account, but I am missing something for the authentication. nslcd is using the keytab to get tickets. My pre-existing LDAP approach had allowed the simple bind, but how do I now change it for Kerberos? 

> > I'd assume I need to uninstall these and install samba4 instead 
> >(especially as step 8 is to join the domain). 

>No. You only need enough of samba on the client to get the net command 
>to join the domain. Any old version of samba will do. What you have is 
>more than enough. 

Joining the domain works ... net ads info returns: 

>net ads info 
LDAP server: 
LDAP server name: ncssamba1.ncs.k12.de.us 
Realm: NCS.K12.DE.US 
Bind Path: dc=NCS,dc=K12,dc=DE,dc=US 
LDAP port: 389 
Server time: Fri, 26 Jul 2013 10:11:49 EDT 
KDC server: 
Server time offset: 0 

In nslcd.conf, I have 
map passwd uid sAMAccountName 
map passwd homeDirectory unixHomeDirectory 
sasl_mech GSSAPI 
sasl_realm NCS.K12.DE.US 
krb5_ccname /tmp/nslcd.tkt 

Note: I'm not sure why the attribute is sAMAccountName instead of samAccountName, but that is what is shown if I dump the LDAP database via slapcat. Also, I can change passwords as well as all other information using ADUC on a Windows 2008 server without issues. I just can't seem to figure out how to get nslcd to bind correctly. 

Dave Hopkins 
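Added example (mine, not from the thread or from nslcd/Samba): the posted debug output is the interesting part of this exchange. ldap_simple_bind_s(NULL,NULL) is an anonymous simple bind, and an AD DC (Samba's AD DC included) refuses directory searches made over an anonymous bind with LDAP result 1, operationsError, which is the "Operations error" nslcd logs right after "connected to LDAP server". When sasl_mech GSSAPI is actually honoured, the bind line names ldap_sasl_interactive_bind_s with the mechanism instead (the exact format of that line is from memory of nslcd's debug output and should be treated as an assumption). The script below reads an nslcd -d transcript and classifies the bind, then checks an nslcd.conf for the options a GSSAPI bind depends on, and optionally asks MIT klist whether the cache named by krb5_ccname holds a valid ticket. The sample log lines are constructed after the posted ones; in the sample config, the uri and base are taken from the net ads info output above, not from a posted nslcd.conf.

```shell
#!/bin/sh
# Added example, not part of the thread: read the bind line out of "nslcd -d" output
# and check that nslcd.conf has what a GSSAPI bind needs. The sample log is constructed
# from the pattern in the posted debug output; uri and base in the sample config are
# taken from the posted "net ads info" output, not from the poster's nslcd.conf.

# Constructed sample: the anonymous simple bind the posted debug output shows, followed
# by the DC's answer to a search made over it.
SAMPLE_LOG='nslcd: [334873] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://")
nslcd: [334873] connected to LDAP server ldap://
nslcd: [334873] ldap_result() failed: Operations error'

# Read nslcd debug output on stdin and print how the first bind was made:
# anonymous-simple, authenticated-simple, sasl:<MECH>, or unknown.
nslcd_bind_kind() {
    awk '
        /ldap_simple_bind_s\(NULL,NULL\)/ { print "anonymous-simple"; found = 1; exit }
        /ldap_simple_bind_s\(/            { print "authenticated-simple"; found = 1; exit }
        /ldap_sasl_interactive_bind_s\(/  {
            s = $0
            sub(/^.*ldap_sasl_interactive_bind_s\("[^"]*","/, "", s)   # drop everything before the mechanism
            sub(/".*$/, "", s)                                          # and everything after its closing quote
            print "sasl:" s; found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# Print the first value of an nslcd.conf option ($2) in file $1, or nothing if unset.
nslcd_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# Exit 0 if the config names everything nslcd needs for a GSSAPI bind, 1 otherwise,
# printing one line per problem found.
check_gssapi_conf() {
    conf=$1 problems=0
    for opt in uri base sasl_realm; do
        if [ -z "$(nslcd_opt "$conf" "$opt")" ]; then
            echo "missing: $opt"; problems=$((problems + 1))
        fi
    done
    mech=$(nslcd_opt "$conf" sasl_mech)
    if [ "$mech" != "GSSAPI" ]; then
        echo "sasl_mech is '${mech:-unset}', expected GSSAPI; without it nslcd does a simple bind"
        problems=$((problems + 1))
    fi
    if [ -z "$(nslcd_opt "$conf" krb5_ccname)" ]; then
        echo "note: krb5_ccname unset, nslcd will look in the default credential cache"
    fi
    [ "$problems" -eq 0 ]
}

# Exit 0 if the named cache holds a valid, unexpired ticket, 1 if not, 2 if klist
# is not installed. "klist -s" is MIT Kerberos' silent, status-only mode.
check_ticket_cache() {
    command -v klist >/dev/null 2>&1 || return 2
    KRB5CCNAME=$1 klist -s
}

echo "bind in sample log: $(printf '%s\n' "$SAMPLE_LOG" | nslcd_bind_kind)"

# Constructed config: the options quoted in the post plus the assumed uri and base.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
uri ldap://ncssamba1.ncs.k12.de.us
base dc=ncs,dc=k12,dc=de,dc=us
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm NCS.K12.DE.US
krb5_ccname /tmp/nslcd.tkt
EOF
if check_gssapi_conf "$sample_conf"; then echo "config: ok"; else echo "config: needs fixing"; fi
rm -f "$sample_conf"
```

Usage: run nslcd -d once more, save the output, and pipe it through nslcd_bind_kind; as long as it prints anonymous-simple, the config is not producing a SASL bind no matter what the DC side looks like, and the "not fully supported" warnings nslcd 0.7.2 printed for sasl_mech and sasl_realm are the first thing to suspect. The manual equivalent of what nslcd should be doing, using the same cache k5start keeps filled, is KRB5CCNAME=/tmp/nslcd.tkt ldapsearch -Y GSSAPI -H ldap://ncssamba1.ncs.k12.de.us -b dc=ncs,dc=k12,dc=de,dc=us '(objectClass=posixAccount)'; if that returns entries, the ticket, keytab and SASL libraries are fine and the remaining problem is in nslcd itself. One reason to insist on GSSAPI rather than falling back to a binddn/bindpw simple bind: a simple bind over plain ldap:// sends the password in clear text on the wire unless StartTLS or ldaps is in use.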