On 2011-12-29 12:56, steve wrote:
> On 29/12/11 11:58, Gémes Géza wrote:
>> On 2011-12-29 10:11, steve wrote:
>>> On 29/12/11 10:00, steve wrote:
>>>> On 28/12/11 21:59, Bernd Markgraf wrote:
>>>>>> You should create a user in AD for nss-ldap and extract a keytab for it
>>>>>> (samba-tool domain exportkeytab --principal=....) and configure nss-ldap
>>>>>> to use that keytab for authenticating. Most probably you aren't allowed
>>>>>> to bind anonymously to your AD server (you can try with ldapsearch -x)
>>>>> LDAP works with an anonymous bind. You need the Kerberos keytab for
>>>>> authentication though.
>>>>>
>>>> steve@hh3:~> ldapsearch -x
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <DC=hh3,DC=site> (default) with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 1 Operations error
>>>> text: 00002020: Operation unavailable without authentication
>>>>
>>>> # numResponses: 1
>>>>
>>>>
>>>> I found this usage:
>>>>
>>>> samba-tool export keytab PATH_TO_KEYTAB
>>>>
>>>> How can I find my PATH_TO_KEYTAB?
>>>> Thanks
>>> Can't get the syntax right:
>>>
>>> samba-tool domain exportkeytab /var/lib/named/master --principal
>>>
>>> Usage: samba-tool domain exportkeytab <keytab> [options]
>>>
>>> samba-tool domain exportkeytab: error: --principal option requires an
>>> argument
>>>
>> samba-tool domain exportkeytab
>> /path/to/the/keytab/file/you/want/to/create/or/update
>> --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
>>
>> Regards
>>
>> Geza
> Tried:
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
>
> restarted samba but:
>
> su steve4
> su: user steve4 does not exist
>
> Am I getting close or should I give up now?!
>
> Steve
>

You still need to configure nss-ldap to do a kerberized bind.
I've found example configurations for nslcd (the daemon part of nss-ldapd, a fork of nss-ldap) at:

http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
http://ubuntuforums.org/archive/index.php/t-1335022.html

Regards

Geza
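
A sketch of the kerberized nslcd bind suggested in the message above, as an added example that is not from the thread or from either linked page. The server hostname, the bind principal placeholder, the ticket cache path, the nslcd user/group names and the assumption that accounts carry RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory) are all assumptions; only the base DN and the keytab path come from the thread.

```conf
# /etc/nslcd.conf (added example; adjust names to your site)

# Unprivileged account the daemon runs as (assumed name; some distributions use "ldap").
uid nslcd
gid nslcd

# Hypothetical DC hostname. Use the FQDN, not an IP address:
# GSSAPI derives the ldap/<fqdn> service principal from this name.
uri ldap://dc1.hh3.site

# Base DN as shown in the ldapsearch output in the thread.
base dc=hh3,dc=site

# Bind with SASL/GSSAPI instead of anonymously, which the server rejects with
# "00002020: Operation unavailable without authentication".
sasl_mech GSSAPI

# Credentials cache nslcd reads its ticket from. nslcd does not obtain the
# ticket itself; something must keep this cache fresh from the keytab, e.g.
#   kinit -k -t /etc/krb5.keytab -c /var/run/nslcd/nslcd.tkt <bind-principal>
# run periodically as the nslcd user (or a tool such as k5start).
krb5_ccname /var/run/nslcd/nslcd.tkt

# Map AD attributes to what NSS expects. Only accounts with a uidNumber are
# returned, so a user without one still "does not exist" for su/getent.
filter passwd (&(objectClass=user)(uidNumber=*))
map    passwd uid           sAMAccountName
map    passwd homeDirectory unixHomeDirectory
map    passwd gecos         displayName

filter group  (&(objectClass=group)(gidNumber=*))

# /etc/nsswitch.conf also needs "ldap" on the passwd and group lines,
# and the keytab must be readable only by the account that runs kinit.
```

After restarting nslcd, `getent passwd steve4` is the quickest check that the bind and the attribute mapping both work.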
