[Samba] lost with AD auth

me at electronico.nc me at electronico.nc
Mon Oct 28 01:11:42 MDT 2013


On 26/10/2013 18:24, steve wrote:
> On Sat, 2013-10-26 at 12:08 +1100, me at electronico.nc wrote:
>> Hi all,
>>
>> Well, I'm completely lost with AD authentication ...
>>
>> server is :
>> Ubuntu 12.04.3 3.8.0-32-generic #47~precise1-Ubuntu
>> Samba 4.0.10 installed (and upgraded) via git, setup as unique Active
>> Directory Domain Controller
>> ( -> how to upgrade to 4.1 via git ?? )
>>
>> I 'just' would like that the local services (let's say only dovecot and
>> postfix) can query AD to authenticate users.
>>
>> All services are running on the Ubuntu server (samba AD/DC), no other
>> linux box for now.
>>
>> 1 Windows VM has been setup on server to make AD tasks using
>> Administrator account.
>>
>> Trying to use nslcd + kerberos :
> Who are the users you wish to authenticate? According to the following,
> they are domain users who have their rfc2307 attributes stored in AD. Is
> this the case?
>
>> created a user in AD:
>> samba-tool user add ldap My_secret_password
>> samba-tool user setexpiry ldap --noexpiry
>>
>> created spn and exported keytab:
>> samba-tool spn add nslcd/serveur.radiodjiido.nc ldap
> Remove this sp. nslcd is not a service.
>
>> samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=ldap
>> chown nslcd:root /etc/krb5.nslcd.keytab
>> chmod 600 /etc/krb5.nslcd.keytab
>>
>> configured nslcd:
>> grep ^[^#] /etc/nslcd.conf
>> ->
>> uid nslcd
>> gid nslcd
>> uri ldap://serveur.radiodjiido.nc
>> base DC=radiodjiido,DC=nc
>> map    passwd    uid    samAccountName
>> map    passwd    homeDirectory    unixHomeDirectory
>> map     passwd    gecos    displayName
>> map     passwd    gidNumber    primaryGroupID
>> sasl_mech GSSAPI
>> sasl_realm RADIODJIIDO.NC
>> krb5_ccname /tmp/nslcd.tkt
>>
>> checking that k5start is well running:
>> ps ax | grep k5
>> ->
>> 2956 pts/1    T      0:00 sudo k5start -f /etc/krb5.nslcd.keytab -U -o
>> nslcd -K 540 -k /tmp/nslcd.tkt
>>
>> klist
>> ->
>> Ticket cache: FILE:/tmp/krb5cc_1000_mx2700
>> Default principal: serveur at RADIODJIIDO.NC
>> Valid starting       Expires              Service principal
>> 26/10/2013 10:11:34  26/10/2013 20:11:34
>> krbtgt/RADIODJIIDO.NC at RADIODJIIDO.NC
>>       renew until 27/10/2013 10:11:34
>>
>> grep ^[^#] /etc/krb5.conf
>> ->
> Does /tmp/nslcd.tkt exist after you start nslcd?
>
> Please use the krb5.conf file that was produced by the samba4 provision.
> It can be found in /usr/local/samba/private/krb5.conf
>
>> [libdefaults]
>>       default_realm = RADIODJIIDO.NC
>>       krb4_config = /etc/krb.conf
>>       krb4_realms = /etc/krb.realms
>>       kdc_timesync = 1
>>       ccache_type = 4
>>       forwardable = true
>>       proxiable = true
>>       v4_instance_resolve = false
>>       v4_name_convert = {
>>           host = {
>>               rcmd = host
>>               ftp = ftp
>>           }
>>           plain = {
>>               something = something-else
>>           }
>>       }
>>       fcc-mit-ticketflags = true
>> [realms]
>>       RADIODJIIDO.NC = {
>>           kdc = serveur
>>           admin_server = serveur
>>       }
>> [domain_realm]
>>       .radiodjiido.nc = RADIODJIIDO.NC
>>       radiodjiido.nc = RADIODJIIDO.NC
>> [login]
>>       krb4_convert = true
>>       krb4_get_tickets = false
>>
>> syslog shows :
>> ->
>> Oct 26 11:09:36 serveur nslcd[2978]: [0f8fca]
>> <passwd="radiodjiido\administrator"> failed to bind to LDAP server
>> ldap://serveur.radiodjiido.nc: Local error
>> Oct 26 11:09:36 serveur nslcd[2978]: [0f8fca]
>> <passwd="radiodjiido\administrator"> no available LDAP server found:
>> Local error
>> Oct 26 11:09:36 serveur nslcd[2978]: [90700b]
>> <passwd="RADIODJIIDO\Administrator"> no available LDAP server found:
>> Server is unavailable
>> Oct 26 11:09:36 serveur nslcd[2978]: [014acb]
>> <passwd="RADIODJIIDO\ADMINISTRATOR"> no available LDAP server found:
>> Server is unavailable
>> Oct 26 11:09:36 serveur nslcd[2978]: [5e7fd0]
>> <passwd="radiodjiido\administrator"> no available LDAP server found:
>> Server is unavailable
>> Oct 26 11:09:36 serveur nslcd[2978]: [8a3148]
>> <passwd="RADIODJIIDO\Administrator"> no available LDAP server found:
>> Server is unavailable
>> Oct 26 11:09:36 serveur nslcd[2978]: [9d0247]
>> <passwd="RADIODJIIDO\ADMINISTRATOR"> no available LDAP server found:
>> Server is unavailable
>> Oct 26 11:11:32 serveur nslcd[2978]: [b94764] <group/member="www-data">
>> failed to bind to LDAP server ldap://serveur.radiodjiido.nc: Local error
>> Oct 26 11:11:32 serveur nslcd[2978]: [b94764] <group/member="www-data">
>> no available LDAP server found: Local error
>> Oct 26 11:11:32 serveur nslcd[2978]: [b94764] <group/member="www-data">
>> no available LDAP server found: Server is unavailable
>> Oct 26 11:11:32 serveur nslcd[2978]: [c296bd] <group/member="www-data">
>> no available LDAP server found: Server is unavailable
>> Oct 26 11:11:32 serveur nslcd[2978]: [c296bd] <group/member="www-data">
>> no available LDAP server found: Server is unavailable
>> Oct 26 11:11:32 serveur nslcd[2978]: [8e121f] <group/member="serveur">
>> no available LDAP server found: Server is unavailable
>> Oct 26 11:11:32 serveur nslcd[2978]: [8e121f] <group/member="serveur">
>> no available LDAP server found: Server is unavailable
>> Oct 26 11:11:32 serveur nslcd[2978]: [ba5d23] <group/member="ntp"> no
>> available LDAP server found: Server is unavailable
>> Oct 26 11:11:32 serveur nslcd[2978]: [ba5d23] <group/member="ntp"> no
>> available LDAP server found: Server is unavailable
>> Oct 26 11:11:36 serveur nslcd[2978]: [1e3f1e]
>> <passwd="radiodjiido\serveur-7-pc$"> no available LDAP server found:
>> Server is unavailable
>> Oct 26 11:11:36 serveur nslcd[2978]: [c79ea8]
>> <passwd="RADIODJIIDO\SERVEUR-7-PC$"> no available LDAP server found:
>> Server is unavailable
>>
> Am assuming that DNS is working as per the samba4 howto at:
> http://wiki.samba.org/index.php/Samba4/HOWTO#Testing_DNS
>
> Have you configured pam for kerberos?
>
> That should get us started.
> Cheers,
> Steve
>
>> getent passwd
>> ->
>> only lists Linux users
>>
>> Could someone, please assist ? I'm really lost ...
>> Thanks in advance for your time.
>> Nicolas
>
Thanks Steve for the answer.
I think my system was messed up by too many configuration tries.
I have started all over, compiling with samba 4.1 and re-provisioning.
I hope it will go this time ;-)
Thanks again and sorry for my late answer.
Nicolas
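Below is an added example, not code from the thread, from Steve, or from the Samba project: a small POSIX shell preflight script that checks the three things the quoted output above lets one check by eye before touching samba-tool again. It checks that the ccache path nslcd expects (krb5_ccname in nslcd.conf) is the one k5start writes with -k, that k5start is actually running rather than stopped (the ps line quoted above shows STAT T, a job that was suspended, so it is not renewing anything), and that the keytab is mode 0600. The sample nslcd.conf, keytab file and ps line are constructed from the values in the thread; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): consistency checks for an nslcd +
# GSSAPI + k5start setup. All inputs below are constructed sample files
# written to a temp directory, not the real host's files.

# 1. The ccache nslcd will look for: the krb5_ccname value in nslcd.conf.
nslcd_ccache() {
    awk '$1 == "krb5_ccname" { print $2; exit }' "$1"
}

# 2. The ccache k5start writes: the argument of -k on its command line.
k5start_ccache() {
    printf '%s\n' "$1" | sed -n 's/.*-k[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# 3. First letter of the STAT column of a `ps ax` line (PID TTY STAT TIME CMD).
#    T means the job is stopped (e.g. suspended with ^Z) and therefore is not
#    renewing the ticket any more.
ps_state() {
    printf '%s\n' "$1" | awk '{ print substr($3, 1, 1) }'
}

# 4. Keytab permission check: the mode string from ls -l must be -rw-------.
keytab_mode_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Run all checks; prints one line per finding and returns the number of problems.
check_setup() {
    conf=$1; psline=$2; keytab=$3; problems=0
    want=$(nslcd_ccache "$conf")
    have=$(k5start_ccache "$psline")
    if [ "$want" != "$have" ]; then
        echo "ccache mismatch: nslcd.conf expects '$want', k5start writes '$have'"
        problems=$((problems + 1))
    fi
    if [ "$(ps_state "$psline")" = "T" ]; then
        echo "k5start is stopped (STAT T): the ticket will not be renewed"
        problems=$((problems + 1))
    fi
    if ! keytab_mode_ok "$keytab"; then
        echo "keytab $keytab is not mode 0600"
        problems=$((problems + 1))
    fi
    return $problems
}

# --- constructed sample inputs mirroring the thread ---
tmp=$(mktemp -d)
cat > "$tmp/nslcd.conf" <<'EOF'
uid nslcd
gid nslcd
uri ldap://serveur.radiodjiido.nc
base DC=radiodjiido,DC=nc
sasl_mech GSSAPI
sasl_realm RADIODJIIDO.NC
krb5_ccname /tmp/nslcd.tkt
EOF
: > "$tmp/krb5.nslcd.keytab"
chmod 600 "$tmp/krb5.nslcd.keytab"
# The ps line from the thread, re-joined onto one line (STAT T = stopped).
SAMPLE_PS='2956 pts/1    T      0:00 sudo k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 540 -k /tmp/nslcd.tkt'

check_setup "$tmp/nslcd.conf" "$SAMPLE_PS" "$tmp/krb5.nslcd.keytab" || echo "problems found: $?"
```

On the real host, point check_setup at /etc/nslcd.conf, the live `ps ax | grep k5start` line and /etc/krb5.nslcd.keytab. If it passes, the next thing to verify is Steve's question: whether /tmp/nslcd.tkt exists after nslcd starts and holds a ticket for the ldap principal, which `klist -c /tmp/nslcd.tkt` run as the nslcd user will show; the `klist` output quoted above is for a different cache and a different principal, so it says nothing about what nslcd sees.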

