On 12/01/12 19:53, Gémes Géza wrote:
On 2012-01-12 11:16, steve wrote:
On 12/01/12 08:49, Andrew Bartlett wrote:
On Thu, 2012-01-12 at 06:15 +0100, Gémes Géza wrote:
On 2012-01-11 23:48, steve wrote:
Hi
After starting Samba 4, before anyone can do anything, Administrator
has to do a kinit to get a new ticket. This creates a cache
/tmp/krb5cc_0 with an expiry time.

I've created a host principal and put it into the keytab:
samba-tool spn add host someuser
samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE

How can I keep Samba 4 up without having to get a new Administrator
ticket every 10 hours?

Thanks,
Steve


That looks really strange.
Indeed.  Samba does not require a valid ticket in /tmp/krb5cc_0 to
operate.  It creates its own internal credentials cache when required
using the machine account password.

Something else is going on here.

Andrew Bartlett

Hi
Yes, I'm sorry. There is something else. I was trying to keep the post
short.

I've added rfc2307 attributes to the Samba 4 LDAP and am mapping Linux
users using nslcd so that when they log in they are placed in their /home
directory and have the correct uid:gid etc.

grep -v "#" /etc/nslcd.conf
uid root
gid root
uri ldap://127.0.0.1/
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw AbcD@123
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    shadow uid              sAMAccountName
sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0

Without /tmp/krb5cc_0, getent passwd does not work and Linux users are
not mapped to their /home directory, shell etc.

My full method is here:
http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html


You mention that Samba 4 creates its cache as needed. Could you tell
me if that is a file I could access? At the moment, nslcd looks at
/tmp/krb5cc_0 but /etc/nslcd.conf has a configuration option line
which could point to another cache file. I had, and still have, that
line commented out to see what the default was.

Thanks so much for your patience.
Steve.

The problem then is not Samba related at all. Is nslcd the culprit then?

I would suggest a differently configured nslcd then.
First create an account named something like:
accountfornslcdoperationsorsomethingsimilarlyboringnameidontmind ;-)
then extract a keytab for it:
samba-tool domain exportkeytab --principal=thepreviouslycreatedprincipalwithatterriblyboringname /path/to/the/keytab/file/to/be/created
Then following some guide like:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
configure nslcd to do kerberized lookup against the Samba4 LDAP service.

Regards

Geza
Hi Geza
How about this:

samba-tool user add boring-nslcd-account
samba-tool spn add host boring-nslcd-account
samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE

Then this:

 /etc/nslcd.conf

uri ldap://192.168.1.3/
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw BCa@7aBC
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    shadow uid              sAMAccountName
sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0

Does that make sense?
Thanks
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
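As an added example that is not part of the thread: a small POSIX shell audit of the two nslcd.conf shapes discussed above. It flags the pattern in Steve's file (binding as the domain Administrator with a cleartext bindpw, and sasl_mech GSSAPI with no krb5_ccname, so lookups silently depend on whatever root's default /tmp/krb5cc_0 holds) and accepts the keytab-driven shape Geza describes, where a dedicated account's keytab keeps a private cache fresh. Both configuration files are constructed inline; the service account name nslcd-svc, the keytab path /etc/nslcd.keytab and the cache path /var/run/nslcd/krb5cc are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from nss-pam-ldapd.
# check_nslcd_conf FILE: prints one finding per line and returns 0 when
# FILE has no static bind password and names its own Kerberos cache,
# 1 when it shows one of the weak patterns discussed in the thread.
check_nslcd_conf() {
    f="$1"
    rc=0
    # Drop comments first so a commented-out krb5_ccname does not count.
    cfg=$(sed -e 's/#.*//' "$f")
    if printf '%s\n' "$cfg" | grep -q '^bindpw'; then
        echo "WEAK: cleartext bindpw stored in $f"
        rc=1
    fi
    if printf '%s\n' "$cfg" | grep -qi '^binddn.*cn=Administrator'; then
        echo "WEAK: binds as the domain Administrator; use a dedicated account"
        rc=1
    fi
    if printf '%s\n' "$cfg" | grep -q '^sasl_mech[[:space:]]*GSSAPI' &&
       ! printf '%s\n' "$cfg" | grep -q '^krb5_ccname'; then
        echo "WEAK: GSSAPI without krb5_ccname; lookups depend on root's default cache"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $f names its own cache and stores no bind password"
    return "$rc"
}

# Constructed sample 1: the shape posted in the thread (password replaced).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
uri ldap://127.0.0.1/
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw EXAMPLE-PASSWORD
map    passwd uid              sAMAccountName
sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0
EOF

# Constructed sample 2: keytab-driven variant. No binddn/bindpw at all;
# the cache named in krb5_ccname is owned by the nslcd user and refreshed
# from the service account's keytab, e.g. from cron (all names assumed):
#   kinit -k -t /etc/nslcd.keytab -c /var/run/nslcd/krb5cc nslcd-svc@HH3.SITE
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
uri ldap://127.0.0.1/
base dc=hh3,dc=site
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    shadow uid              sAMAccountName
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /var/run/nslcd/krb5cc
EOF

# Run the audit over both constructed files.
check_nslcd_conf "$WEAK_CONF" || true
check_nslcd_conf "$GOOD_CONF"
```

The three findings on the first file are the three things a reviewer would change: remove the static Administrator password from a world-readable-by-default file, bind as an account that can only read the rfc2307 attributes, and give nslcd a cache of its own so that it neither reads root's ticket nor stops working when that ticket expires.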