On 2012-01-12 11:16, steve wrote:
> On 12/01/12 08:49, Andrew Bartlett wrote:
>> On Thu, 2012-01-12 at 06:15 +0100, Gémes Géza wrote:
>>> On 2012-01-11 23:48, steve wrote:
>>>> Hi
>>>> After starting Samba 4, before anyone can do anything, Administrator
>>>> has to do a kinit to get a new ticket. This creates a cache
>>>> /tmp/krb5cc_0 with an expiry time.
>>>>
>>>> I've created a host principal and put it into the keytab:
>>>> samba-tool spn add host someuser
>>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
>>>>
>>>> How can I keep Samba 4 up without having to get a new Administrator
>>>> ticket every 10 hours?
>>>>
>>>> Thanks,
>>>> Steve
>>>>
>>> That looks really strange.
>> Indeed. Samba does not require a valid ticket in /tmp/krb5cc_0 to
>> operate. It creates its own internal credentials cache when required
>> using the machine account password.
>>
>> Something else is going on here.
>>
>> Andrew Bartlett
>>
> Hi
> Yes, I'm sorry. There is something else. I was trying to keep the post
> short.
>
> I've added rfc2307 attributes to the Samba 4 LDAP and am mapping Linux
> users using nslcd so that when they log in they are placed in their /home
> directory and have the correct uid:gid etc.
>
> grep -v "#" /etc/nslcd.conf
> uid root
> gid root
> uri ldap://127.0.0.1/
> base dc=hh3,dc=site
> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
> bindpw AbcD@123
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map shadow uid sAMAccountName
> sasl_mech GSSAPI
> sasl_realm HH3.SITE
> #krb5_ccname /tmp/krb5cc_0
>
> Without /tmp/krb5cc_0, getent passwd does not work and Linux users are
> not mapped to their /home directory, shell etc.
>
> My full method is here:
> http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html
>
> You mention that Samba 4 creates its cache as needed. Could you tell
> me if that is a file I could access? At the moment, nslcd looks at
> /tmp/krb5cc_0 but /etc/nslcd.conf has a configuration option line
> which could point to another cache file. I had, and still have, that
> line commented out to see what the default was.
>
> Thanks so much for your patience.
> Steve.
>
The problem then is not Samba related at all. Is nslcd the culprit then?

I would suggest a differently configured nslcd then. First create an account named something like:
accountfornslcdoperationsorsomethingsimilarlyboringnameidontmind ;-)
then extract a keytab for it:
samba-tool domain exportkeytab --principal=thepreviouslycreatedprincipalwithatterriblyboringname /path/to/the/keytab/file/to/be/created
Then, following some guide like:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
configure nslcd to do kerberized lookups against the Samba4 LDAP service.

Regards

Geza

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
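As an added example, not code from this thread nor from the Samba or nss-pam-ldapd projects, the script below puts Geza's suggestion into a runnable shape: a dedicated, unprivileged service account with its own keytab, an nslcd.conf that binds with GSSAPI from a credential cache nslcd owns (so neither Administrator's ticket in /tmp/krb5cc_0 nor a stored Administrator password is needed), and a small audit function that flags the two weaknesses visible in Steve's posted config (a plaintext bindpw, and binding as cn=Administrator). The account name nslcd-svc, the keytab path /etc/nslcd.keytab, the cache path /var/run/nslcd/krb5cc and the nslcd user are assumptions; samba-tool user create, samba-tool domain exportkeytab --principal and the MIT kinit -k -t -c options are real, but the values passed to them are the assumed ones.

```shell
#!/bin/sh
# Added example (not from the list thread): nslcd doing Kerberized LDAP
# lookups as its own service principal, plus an audit for the pattern in
# the original post (Administrator's password stored in bindpw).
# nslcd-svc, /etc/nslcd.keytab, /var/run/nslcd/krb5cc and the nslcd user
# are assumptions; only the realm and base DN come from the thread.

REALM="HH3.SITE"
BASE="dc=hh3,dc=site"
SVC_USER="nslcd-svc"              # assumed service account name
KEYTAB="/etc/nslcd.keytab"        # assumed keytab path
CCACHE="/var/run/nslcd/krb5cc"    # assumed credential cache for nslcd

# Render an nslcd.conf that authenticates with GSSAPI from $CCACHE
# instead of carrying a bind password at all.
render_nslcd_conf() {
    cat <<EOF
uid nslcd
gid nslcd
uri ldap://127.0.0.1/
base ${BASE}
sasl_mech GSSAPI
sasl_realm ${REALM}
krb5_ccname ${CCACHE}
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
EOF
}

# Audit an nslcd.conf: return 1 (and print each finding) when it still
# carries a plaintext bindpw or binds as the domain Administrator.
# Commented-out lines are ignored.
audit_nslcd_conf() {
    conf="$1"
    problems=0
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]+' "$conf"; then
        echo "plaintext bindpw present in $conf"
        problems=$((problems + 1))
    fi
    if grep -Eiq '^[[:space:]]*binddn[[:space:]]+cn=Administrator,' "$conf"; then
        echo "nslcd binds as Administrator in $conf"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# One-time provisioning, run by hand as root on the Samba 4 DC.
provision_nslcd_principal() {
    samba-tool user create "$SVC_USER" --random-password
    samba-tool domain exportkeytab "$KEYTAB" --principal="$SVC_USER"
    chown nslcd:nslcd "$KEYTAB" && chmod 600 "$KEYTAB"
    # Initial ticket from the keytab; rerun this kinit from cron (or run
    # k5start) before the ticket lifetime ends so nslcd never loses it.
    kinit -k -t "$KEYTAB" -c "$CCACHE" "${SVC_USER}@${REALM}"
    render_nslcd_conf > /etc/nslcd.conf
}

case "${1:-}" in
    provision) provision_nslcd_principal ;;
    audit)     audit_nslcd_conf "${2:-/etc/nslcd.conf}" ;;
esac
```

Run it as `sh nslcd-krb.sh audit /etc/nslcd.conf` to check an existing config, and `sh nslcd-krb.sh provision` once on the DC to create the account, keytab and config. Because the ticket is obtained from the keytab rather than from Administrator's interactive kinit, renewal is a non-interactive job, and the service account can be restricted to read-only lookup rights instead of domain-admin privileges.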
