On 13/01/12 04:37, steve wrote:
On 13/01/12 03:06, steve wrote:
On 12/01/12 19:53, Gémes Géza wrote:
On 2012-01-12 11:16, steve wrote:
On 12/01/12 08:49, Andrew Bartlett wrote:
On Thu, 2012-01-12 at 06:15 +0100, Gémes Géza wrote:
On 2012-01-11 23:48, steve wrote:
Hi
After starting Samba 4, before anyone can do anything, Administrator has to do a kinit to get a new ticket. This creates a cache /tmp/krb5cc_0 with an expiry time.
I've created a host principal and put it into the keytab:
samba-tool spn add host someuser
samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
How can I keep Samba 4 up without having to get a new Administrator
ticket every 10 hours?
Thanks,
Steve
That looks really strange.
Indeed. Samba does not require a valid ticket in /tmp/krb5cc_0 to operate. It creates its own internal credentials cache when required, using the machine account password.
Something else is going on here.
Andrew Bartlett
Hi
Yes, I'm sorry. There is something else. I was trying to keep the post short.
I've added rfc2307 attributes to the Samba 4 LDAP and am mapping Linux users using nslcd so that when they log in they are placed in their /home directory and have the correct uid:gid etc.
grep -v "#" /etc/nslcd.conf
uid root
gid root
uri ldap://127.0.0.1/
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw AbcD@123
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0
Without /tmp/krb5cc_0, getent passwd does not work and Linux users are
not mapped to their /home directory, shell etc.
My full method is here:
http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html
You mention that Samba 4 creates its cache as needed. Could you tell me if that is a file I could access? At the moment, nslcd looks at /tmp/krb5cc_0, but /etc/nslcd.conf has a configuration option line which could point to another cache file. I had, and still have, that line commented out to see what the default was.
Thanks so much for your patience.
Steve.
The problem then is not Samba related at all. It is nslcd that is the culprit then?
I would suggest a differently configured nslcd then.
First create an account named something like:
accountfornslcdoperationsorsomethingsimilarlyboringnameidontmind ;-)
then extract a keytab for it:
samba-tool domain exportkeytab --principal=thepreviouslycreatedprincipalwithatterriblyboringname /path/to/the/keytab/file/to/be/created
Then following some guide like:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
configure nslcd to do kerberized lookup against the Samba4 LDAP
service.
Regards
Geza
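An /etc/nslcd.conf fragment along the lines Geza describes, added here as an example and not taken from the thread or from the nss-pam-ldapd project: the password bind as Administrator (first fragment) beside a GSSAPI bind as a dedicated, unprivileged service account whose ticket cache nslcd reads (second fragment). The two are alternatives, not one file; the service user name, the DC host name placeholder and the cache path are assumptions.

```conf
# Fragment 1 (weak): every lookup depends on the domain Administrator's
# cleartext password stored in this file, and nslcd holds full admin
# rights to the directory it only needs to read.
uri     ldap://127.0.0.1/
base    dc=hh3,dc=site
binddn  cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw  <cleartext-password>
map passwd uid           sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid           sAMAccountName

# Fragment 2 (hardened): no binddn/bindpw at all. nslcd runs as its own
# Linux user and authenticates with GSSAPI as a plain domain account whose
# TGT (obtained from an exported keytab) sits in a cache only that user
# can read. GSSAPI asks the KDC for ldap/<hostname>, so the URI must name
# the DC by its real host name, not 127.0.0.1 or localhost.
uid         nslcd              # assumption: local user created for the daemon
gid         nslcd
uri         ldap://<dc-fqdn>/  # placeholder: the DC's fully qualified name
base        dc=hh3,dc=site
sasl_mech   GSSAPI
sasl_realm  HH3.SITE
krb5_ccname /var/run/nslcd/nslcd.tkt   # assumption: cache path owned by uid nslcd
map passwd uid           sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid           sAMAccountName
```

Whichever fragment is used, the file should stay root-owned and mode 0600, since nslcd reads it before dropping privileges.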
Hi Geza
How about this:
samba-tool user add boring-nslcd-account
samba-tool spn add host boring-nslcd-account
samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
Then this:
/etc/nslcd.conf
uri ldap://192.168.1.3/
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw BCa@7aBC
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0
Does that make sense?
Thanks
Steve
OK
Disaster. New build from git checkout today.
klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
getent passwd gives:
Kerberos: TGS-REQ [email protected] from ipv4:192.168.1.3:45733 for krbtgt/[email protected] [renewable]
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/[email protected]: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:45733
The krbtgt/[email protected] looks bad.
/var/log/messages gives:
Jan 13 04:29:22 hh3 nslcd[4606]: [8b4567] failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server: Transport endpoint is not connected
Jan 13 04:29:22 hh3 nslcd[4606]: [8b4567] no available LDAP server found
Jan 13 04:30:45 hh3 nslcd[4606]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
Jan 13 04:30:45 hh3 nslcd[4606]: [7b23c6] failed to bind to LDAP server ldap://127.0.0.1/: Local error
Jan 13 04:30:45 hh3 nslcd[4606]: [7b23c6] no available LDAP server found
Any ideas here? Where can I start to look? Thanks for your patience.
Steve
OK
Getting somewhere. I've got rid of the Kerberos: Server not found in
database: krbtgt/[email protected] error.
Now samba 4 is giving me this:
ldb_wrap open of secrets.ldb
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
and /var/log/messages this:
Jan 13 12:19:39 hh3 nslcd[3465]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache permissions incorrect)
Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] failed to bind to LDAP server ldap://localhost: Local error
Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] no available LDAP server found
Finally got the new git working. Something must have changed since the
last checkout I used because I had to comment out the:
sasl_mech GSSAPI
in /etc/nslcd.conf
I now have this:
grep -v "#" /etc/nslcd.conf
uid nslcd-user
gid nslcd-user
uri ldap://localhost
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw 12345678
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
#sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
I have made a Linux user and group called nslcd-user to run nslcd. I have also made a Samba 4 user called nslcd-user and made a host principal with him and exported that to the keytab. However, I'm back at the same problem. How do I give the nslcd-user a ticket that nslcd can use? I can use kinit and get a ticket cache for nslcd-user, but it only lasts for 10 hours. In the docs you referenced, the guy says:
'I have setup a real user that the daemon will run as, and have given that user a valid kerberos tgt'
and gives this line in /etc/nslcd.conf:
krb5_ccname /var/run/nslcd/nslcd.tkt
How has the guy 'given that user a valid kerberos tgt'?
IOW, how do _I_ on openSUSE 12.1 get that magic nslcd.tkt file to put in /var/run/nslcd?????
It's been a long night!
Cheers
Steve
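What "giving that user a valid kerberos tgt" usually comes down to for a daemon, as an added example that is not from the thread or from the nss-pam-ldapd project: a root-run script (for cron, repeated inside the 10-hour ticket lifetime) that takes the TGT from the service account's exported keytab into the cache nslcd is pointed at, running kinit as the service user so the cache is owned by it, and then checks the ownership and mode that the "Credentials cache permissions incorrect" error complains about. It assumes MIT kinit syntax, a keytab exported to /etc/nslcd.keytab and a service principal nslcd-user@HH3.SITE; the cache path is the one from the nslcd.conf krb5_ccname line.

```shell
#!/bin/sh
# Added example (not from the thread): keep a keytab-based TGT fresh for the
# nslcd service user so it can bind with GSSAPI without anyone running kinit.
# Assumptions: MIT kinit syntax, keytab exported to /etc/nslcd.keytab,
# service principal nslcd-user@HH3.SITE, cache path as set by krb5_ccname in
# nslcd.conf. All four can be overridden through the environment.
NSLCD_USER="${NSLCD_USER:-nslcd-user}"
NSLCD_PRINC="${NSLCD_PRINC:-nslcd-user@HH3.SITE}"
NSLCD_KEYTAB="${NSLCD_KEYTAB:-/etc/nslcd.keytab}"
NSLCD_CCACHE="${NSLCD_CCACHE:-/var/run/nslcd/nslcd.tkt}"

# The kinit invocation: -k -t takes the key from the keytab (no password
# prompt), -c writes the TGT to the cache nslcd reads instead of /tmp/krb5cc_0.
kinit_cmd() {
    printf 'kinit -k -t %s -c %s %s' "$NSLCD_KEYTAB" "$NSLCD_CCACHE" "$NSLCD_PRINC"
}

# True when the cache file exists, is owned by the given numeric uid and is
# mode 0600. A cache owned by another user or readable by others is what
# "Credentials cache permissions incorrect" refers to.
# stat -c is GNU coreutils (Linux host, as in the thread).
ccache_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$2" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ] || return 1
}

# Run as root (e.g. from cron every 8 hours, inside the 10-hour ticket life):
# create the cache directory for the service user, run kinit as that user so
# the cache is created under its uid, tighten the mode and verify the result.
refresh_ticket() {
    dir="$(dirname "$NSLCD_CCACHE")"
    [ -d "$dir" ] || install -d -o "$NSLCD_USER" -g "$NSLCD_USER" -m 750 "$dir"
    su -s /bin/sh "$NSLCD_USER" -c "$(kinit_cmd)" || return 1
    chmod 600 "$NSLCD_CCACHE" || return 1
    ccache_perms_ok "$NSLCD_CCACHE" "$(id -u "$NSLCD_USER")"
}

if [ "${1:-}" = "run" ]; then
    refresh_ticket
else
    echo "Dry run; 'run' would execute as $NSLCD_USER: $(kinit_cmd)"
fi
```

A cron entry for root such as `0 */8 * * * /usr/local/sbin/nslcd-tgt.sh run` keeps the cache renewed; if the distribution ships k5start or similar it can replace the script, since it does the same keytab-based renewal as a long-running process.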
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba