[Samba] lost with AD auth

me at electronico.nc me at electronico.nc
Fri Oct 25 19:08:53 MDT 2013


Hi all,

Well, I'm completely lost with AD authentication ...

server is:
Ubuntu 12.04.3 3.8.0-32-generic #47~precise1-Ubuntu
Samba 4.0.10 installed (and upgraded) via git, set up as unique Active 
Directory Domain Controller
( -> how to upgrade to 4.1 via git? )

I 'just' would like the local services (let's say only dovecot and 
postfix) to be able to query AD to authenticate users.

All services are running on the Ubuntu server (samba AD/DC), no other 
linux box for now.

One Windows VM has been set up on the server to perform AD tasks using the 
Administrator account.

Trying to use nslcd + Kerberos:

created a user in AD:
samba-tool user add ldap My_secret_password
samba-tool user setexpiry ldap --noexpiry

created spn and exported keytab:
samba-tool spn add nslcd/serveur.radiodjiido.nc ldap
samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=ldap
chown nslcd:root /etc/krb5.nslcd.keytab
chmod 600 /etc/krb5.nslcd.keytab

configured nslcd:
grep ^[^#] /etc/nslcd.conf
->
uid nslcd
gid nslcd
uri ldap://serveur.radiodjiido.nc
base DC=radiodjiido,DC=nc
map    passwd    uid    samAccountName
map    passwd    homeDirectory    unixHomeDirectory
map     passwd    gecos    displayName
map     passwd    gidNumber    primaryGroupID
sasl_mech GSSAPI
sasl_realm RADIODJIIDO.NC
krb5_ccname /tmp/nslcd.tkt

checking that k5start is running properly:
ps ax | grep k5
->
2956 pts/1    T      0:00 sudo k5start -f /etc/krb5.nslcd.keytab -U -o 
nslcd -K 540 -k /tmp/nslcd.tkt

klist
->
Ticket cache: FILE:/tmp/krb5cc_1000_mx2700
Default principal: serveur at RADIODJIIDO.NC
Valid starting       Expires              Service principal
26/10/2013 10:11:34  26/10/2013 20:11:34 
krbtgt/RADIODJIIDO.NC at RADIODJIIDO.NC
     renew until 27/10/2013 10:11:34

grep ^[^#] /etc/krb5.conf
->
[libdefaults]
     default_realm = RADIODJIIDO.NC
     krb4_config = /etc/krb.conf
     krb4_realms = /etc/krb.realms
     kdc_timesync = 1
     ccache_type = 4
     forwardable = true
     proxiable = true
     v4_instance_resolve = false
     v4_name_convert = {
         host = {
             rcmd = host
             ftp = ftp
         }
         plain = {
             something = something-else
         }
     }
     fcc-mit-ticketflags = true
[realms]
     RADIODJIIDO.NC = {
         kdc = serveur
         admin_server = serveur
     }
[domain_realm]
     .radiodjiido.nc = RADIODJIIDO.NC
     radiodjiido.nc = RADIODJIIDO.NC
[login]
     krb4_convert = true
     krb4_get_tickets = false

syslog shows:
->
Oct 26 11:09:36 serveur nslcd[2978]: [0f8fca] 
<passwd="radiodjiido\administrator"> failed to bind to LDAP server 
ldap://serveur.radiodjiido.nc: Local error
Oct 26 11:09:36 serveur nslcd[2978]: [0f8fca] 
<passwd="radiodjiido\administrator"> no available LDAP server found: 
Local error
Oct 26 11:09:36 serveur nslcd[2978]: [90700b] 
<passwd="RADIODJIIDO\Administrator"> no available LDAP server found: 
Server is unavailable
Oct 26 11:09:36 serveur nslcd[2978]: [014acb] 
<passwd="RADIODJIIDO\ADMINISTRATOR"> no available LDAP server found: 
Server is unavailable
Oct 26 11:09:36 serveur nslcd[2978]: [5e7fd0] 
<passwd="radiodjiido\administrator"> no available LDAP server found: 
Server is unavailable
Oct 26 11:09:36 serveur nslcd[2978]: [8a3148] 
<passwd="RADIODJIIDO\Administrator"> no available LDAP server found: 
Server is unavailable
Oct 26 11:09:36 serveur nslcd[2978]: [9d0247] 
<passwd="RADIODJIIDO\ADMINISTRATOR"> no available LDAP server found: 
Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [b94764] <group/member="www-data"> 
failed to bind to LDAP server ldap://serveur.radiodjiido.nc: Local error
Oct 26 11:11:32 serveur nslcd[2978]: [b94764] <group/member="www-data"> 
no available LDAP server found: Local error
Oct 26 11:11:32 serveur nslcd[2978]: [b94764] <group/member="www-data"> 
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [c296bd] <group/member="www-data"> 
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [c296bd] <group/member="www-data"> 
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [8e121f] <group/member="serveur"> 
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [8e121f] <group/member="serveur"> 
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [ba5d23] <group/member="ntp"> no 
available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [ba5d23] <group/member="ntp"> no 
available LDAP server found: Server is unavailable
Oct 26 11:11:36 serveur nslcd[2978]: [1e3f1e] 
<passwd="radiodjiido\serveur-7-pc$"> no available LDAP server found: 
Server is unavailable
Oct 26 11:11:36 serveur nslcd[2978]: [c79ea8] 
<passwd="RADIODJIIDO\SERVEUR-7-PC$"> no available LDAP server found: 
Server is unavailable

getent passwd
->
only lists Linux users

Could someone please assist? I'm really lost...
Thanks in advance for your time.
Nicolas
