On 01/15/2012 04:04 PM, Michael Wood wrote:
> On 14 January 2012 12:52, steve <st...@steve-ss.com> wrote:
>> On 14/01/12 03:19, Michael Wood wrote:
>>> On 14 January 2012 01:24, steve <st...@steve-ss.com> wrote:
>>>> [...]
>>>> drwxr-xr-x 118 root root  12288 Jan 13 23:55 etc
>>>> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>> That's fine, but is that what nslcd is using?
>> Ah. Well spotted! The nslcd docs recommend you run it as a separate user,
>> so I created a user and group for nslcd and specified them in nslcd.conf.
>> nslcd is running as nslcd:nslcd, so nslcd can't get inside the keytab. Is
>> that correct? (can't test it as am not by the DC at the moment)
> Sounds likely.
>
> So you probably need to export a keytab for your nslcd principal to a
> new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd
> has permission to read it.  No other user should have read access.

The problem is that I can't have a principal for nslcd. IOW I can't do this:
samba-tool spn add nslcd some-user

I could do this
samba-tool spn add host someuser
but already have a host principal added to the main keytab.

I keep coming back to this. I can have a principal for host and I can have a principal for nfs, but I can't have a principal for nslcd. Even though /etc/nslcd.conf allows me to add a kerberos realm, is that good enough?

Anyway, I've a 10-hour experiment in progress as on the other thread. Fingers crossed!
Thanks,
Steve
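The keytab permission problem diagnosed in this thread (a root:root 0600 keytab that a daemon running as nslcd:nslcd cannot open) can be checked before restarting the daemon. The script below is an added example, not code from the thread or from nslcd/Samba; it assumes GNU stat (Linux) and takes the keytab path and the service user name as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): check that a service keytab is
# readable by its service account and by nobody else. Assumes GNU stat.
# Two layouts pass: owned by the service user with mode 600/400, or owned
# by root, group = service user's primary group, mode 640/440.
# Returns 0 when the keytab is safe and usable, 1 otherwise (reason printed).

keytab_perms_ok() {
    keytab="$1"
    svc_user="$2"
    [ -f "$keytab" ] || { echo "FAIL: $keytab does not exist"; return 1; }

    owner=$(stat -c '%U' "$keytab")
    group=$(stat -c '%G' "$keytab")
    mode=$(stat -c '%a' "$keytab")
    mode=${mode#"${mode%???}"}          # keep the last three octal digits
    u=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)

    # Nobody outside owner and group may touch the keytab at all.
    [ "$o" -eq 0 ] || { echo "FAIL: $keytab is world-accessible (mode $mode)"; return 1; }
    [ $((u & 4)) -ne 0 ] || { echo "FAIL: owner $owner cannot read $keytab"; return 1; }

    if [ "$owner" = "$svc_user" ]; then
        # Layout 1: private to the service user; the group must get nothing.
        [ "$g" -eq 0 ] || { echo "FAIL: $keytab is group-readable (mode $mode)"; return 1; }
        echo "OK: $keytab is private to $svc_user"
        return 0
    fi

    # Layout 2: root-owned, shared read-only with the service user's group.
    svc_group=$(id -gn "$svc_user" 2>/dev/null) \
        || { echo "FAIL: no such user $svc_user"; return 1; }
    if [ "$owner" = root ] && [ "$group" = "$svc_group" ] && [ "$g" -eq 4 ]; then
        echo "OK: $keytab is root:$svc_group, read-only for the group"
        return 0
    fi
    # This is the thread's situation: root:root 600, daemon running as $svc_user.
    echo "FAIL: $svc_user cannot read $keytab ($owner:$group mode $mode)"
    return 1
}
```

Run it as `keytab_perms_ok /var/run/nslcd/nslcd.tkt nslcd` after exporting the separate keytab; a FAIL line names the permission that needs fixing.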


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
