[Samba] lost with AD auth
me at electronico.nc
Fri Oct 25 19:08:53 MDT 2013
Hi all,
Well, I'm completely lost with AD authentication...
server is:
Ubuntu 12.04.3 3.8.0-32-generic #47~precise1-Ubuntu
Samba 4.0.10 installed (and upgraded) via git, set up as the sole Active
Directory Domain Controller
(-> how to upgrade to 4.1 via git??)
I 'just' would like the local services (let's say only dovecot and
postfix) to be able to query AD to authenticate users.
All services are running on the Ubuntu server (samba AD/DC), no other
Linux box for now.
One Windows VM has been set up on the server to perform AD tasks using the
Administrator account.
Trying to use nslcd + Kerberos:
created a user in AD:
samba-tool user add ldap My_secret_password
samba-tool user setexpiry ldap --noexpiry
created the SPN and exported the keytab:
samba-tool spn add nslcd/serveur.radiodjiido.nc ldap
samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=ldap
chown nslcd:root /etc/krb5.nslcd.keytab
chmod 600 /etc/krb5.nslcd.keytab
configured nslcd:
grep ^[^#] /etc/nslcd.conf
->
uid nslcd
gid nslcd
uri ldap://serveur.radiodjiido.nc
base DC=radiodjiido,DC=nc
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd gidNumber primaryGroupID
sasl_mech GSSAPI
sasl_realm RADIODJIIDO.NC
krb5_ccname /tmp/nslcd.tkt
checking that k5start is running properly:
ps ax | grep k5
->
2956 pts/1 T 0:00 sudo k5start -f /etc/krb5.nslcd.keytab -U -o
nslcd -K 540 -k /tmp/nslcd.tkt
klist
->
Ticket cache: FILE:/tmp/krb5cc_1000_mx2700
Default principal: serveur at RADIODJIIDO.NC
Valid starting Expires Service principal
26/10/2013 10:11:34 26/10/2013 20:11:34
krbtgt/RADIODJIIDO.NC at RADIODJIIDO.NC
renew until 27/10/2013 10:11:34
grep ^[^#] /etc/krb5.conf
->
[libdefaults]
    default_realm = RADIODJIIDO.NC
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true
[realms]
    RADIODJIIDO.NC = {
        kdc = serveur
        admin_server = serveur
    }
[domain_realm]
    .radiodjiido.nc = RADIODJIIDO.NC
    radiodjiido.nc = RADIODJIIDO.NC
[login]
    krb4_convert = true
    krb4_get_tickets = false
syslog shows:
->
Oct 26 11:09:36 serveur nslcd[2978]: [0f8fca]
<passwd="radiodjiido\administrator"> failed to bind to LDAP server
ldap://serveur.radiodjiido.nc: Local error
Oct 26 11:09:36 serveur nslcd[2978]: [0f8fca]
<passwd="radiodjiido\administrator"> no available LDAP server found:
Local error
Oct 26 11:09:36 serveur nslcd[2978]: [90700b]
<passwd="RADIODJIIDO\Administrator"> no available LDAP server found:
Server is unavailable
Oct 26 11:09:36 serveur nslcd[2978]: [014acb]
<passwd="RADIODJIIDO\ADMINISTRATOR"> no available LDAP server found:
Server is unavailable
Oct 26 11:09:36 serveur nslcd[2978]: [5e7fd0]
<passwd="radiodjiido\administrator"> no available LDAP server found:
Server is unavailable
Oct 26 11:09:36 serveur nslcd[2978]: [8a3148]
<passwd="RADIODJIIDO\Administrator"> no available LDAP server found:
Server is unavailable
Oct 26 11:09:36 serveur nslcd[2978]: [9d0247]
<passwd="RADIODJIIDO\ADMINISTRATOR"> no available LDAP server found:
Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [b94764] <group/member="www-data">
failed to bind to LDAP server ldap://serveur.radiodjiido.nc: Local error
Oct 26 11:11:32 serveur nslcd[2978]: [b94764] <group/member="www-data">
no available LDAP server found: Local error
Oct 26 11:11:32 serveur nslcd[2978]: [b94764] <group/member="www-data">
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [c296bd] <group/member="www-data">
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [c296bd] <group/member="www-data">
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [8e121f] <group/member="serveur">
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [8e121f] <group/member="serveur">
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [ba5d23] <group/member="ntp"> no
available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [ba5d23] <group/member="ntp"> no
available LDAP server found: Server is unavailable
Oct 26 11:11:36 serveur nslcd[2978]: [1e3f1e]
<passwd="radiodjiido\serveur-7-pc$"> no available LDAP server found:
Server is unavailable
Oct 26 11:11:36 serveur nslcd[2978]: [c79ea8]
<passwd="RADIODJIIDO\SERVEUR-7-PC$"> no available LDAP server found:
Server is unavailable
getent passwd
->
only lists Linux users
Could someone please assist? I'm really lost...
Thanks in advance for your time.
Nicolas
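As an added example that is not part of the original post, here is a small POSIX shell checker for the chain set up above: it verifies the keytab mode and owner, that k5start is actually running (a T in the STAT column of ps means the process is stopped), and that the cache named by krb5_ccname holds the service principal rather than a user's credentials. The keytab path, cache path, service user and principal ldap@RADIODJIIDO.NC are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the
# nslcd -> k5start -> Kerberos chain set up above. Paths, service user
# and principal are assumptions taken from the post; adjust per site.
KEYTAB=/etc/krb5.nslcd.keytab
CCACHE=/tmp/nslcd.tkt
SVC_USER=nslcd
SVC_PRINC='ldap@RADIODJIIDO.NC'

# A keytab is a long-lived secret: only the service account may read it.
# Usage: check_keytab_mode <octal mode> <owner>; 0 when acceptable.
check_keytab_mode() {
    [ "$2" = "$SVC_USER" ] || return 1
    case "$1" in 600|400) return 0 ;; *) return 1 ;; esac
}

# k5start must really be running. "T" in the STAT column of "ps ax"
# (as in the post) means stopped: no ticket is ever refreshed, so
# nslcd has no credentials for its GSSAPI bind.
# Usage: check_proc_state "<one line of ps ax output>"
check_proc_state() {
    state=$(printf '%s\n' "$1" | awk '{print substr($3, 1, 1)}')
    case "$state" in R|S|D) return 0 ;; *) return 1 ;; esac
}

# The cache nslcd uses (krb5_ccname) must hold the service principal,
# not whatever the interactive user's default cache contains.
# Usage: check_ccache_principal "<klist output>"
check_ccache_principal() {
    princ=$(printf '%s\n' "$1" | sed -n 's/^Default principal: *//p')
    [ "$princ" = "$SVC_PRINC" ]
}

# Live checks against this host; run only when asked for explicitly.
run_live_checks() {
    rc=0
    # stat output is split on purpose: "<mode> <owner>"
    check_keytab_mode $(stat -c '%a %U' "$KEYTAB" 2>/dev/null) \
        || { echo "keytab: wrong mode/owner on $KEYTAB"; rc=1; }
    line=$(ps ax | grep '[k]5start' | head -n 1)
    check_proc_state "$line" \
        || { echo "k5start: not running (${line:-no process})"; rc=1; }
    check_ccache_principal "$(KRB5CCNAME=FILE:$CCACHE klist 2>/dev/null)" \
        || { echo "ccache: $CCACHE does not hold $SVC_PRINC"; rc=1; }
    return $rc
}

if [ "$1" = "--live" ]; then run_live_checks; fi
```

Run it as `sh check-nslcd-krb.sh --live` on the DC; each failing check prints one line and the script exits non-zero.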