Hi,

See comments inline:

> Hi everyone
>
> I'm trying to use kerberos to authenticate to Samba 4 ldap. At the
> moment, I authenticate by specifying the binddn and password in
> /etc/nslcd.conf and all works fine
>
> If I add the line:
> sasl_mech GSSAPI

That should suffice, but please note that nslcd should also have access to
some kind of keytab to authenticate itself. This is done on Debian/Ubuntu
via /etc/default/nslcd.conf (mine looks like):

# Defaults for nslcd init script

# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
K5START_START="yes"

# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host/$(hostname -f)"

And you must have k5start installed (it is a wrapper which keeps fresh
tickets for long running services).

> to /etc/nslcd.conf
> and restart nslcd, no one can connect to the database. Nothing works.
> ldapsearch and getent passwd draw a blank.
>
> ldapsearch -x -b '' -sbase supportedSASLMechanisms
>
> gives me:
>
> dn:
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: NTLM
>
> but ldapsearch -Y GSSAPI gives:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Server not found in Kerberos database)
>

Before you can do a SASL/GSSAPI based ldap operation you must have valid
kerberos tickets (so do a kinit first)!

> and Samba gives:
> Kerberos: TGS-REQ [email protected] from ipv4:192.168.1.3:56859
> for ldap/[email protected] [canonicalize, renewable]
> Kerberos: Searching referral for hh3.site
> Kerberos: Returning a referral to realm SITE for server
> ldap/[email protected] that was not found
> Failed find a single entry for
> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))):
> got 0
> Kerberos: samba_kdc_fetch: could not find principal in DB
> Kerberos: Server not found in database: krbtgt/[email protected]: no such
> entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:56859
>
> I've tried making a ldap principal but samba-tool spn doesn't let me
> add an ldap principal.
> Any ideas anyone?
>
> Thanks,
> Steve

Regards
Geza

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
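As an added check (my example, not code from Geza's mail or from the nslcd project), the script below applies the k5start autostart rule quoted from /etc/default/nslcd to an nslcd.conf and reports the prerequisites the thread names before a GSSAPI bind can work: a file-type krb5_ccname, a keytab holding the host principal, and a krbtgt ticket in the cache. All file contents, host names, realm and principals are constructed placeholders; the principal list stands in for `klist -k` output and the klist text for `klist` output.

```python
import re
# Constructed sample nslcd.conf; host names and realm are placeholders.
SAMPLE_NSLCD_CONF = """\
uri ldap://dc1.example.test
base dc=example,dc=test
sasl_mech GSSAPI
krb5_ccname FILE:/var/run/nslcd/nslcd.tkt
"""
# Constructed stand-ins for `klist -k /etc/krb5.keytab` and `klist` output.
SAMPLE_KEYTAB_PRINCIPALS = ["host/dc1.example.test@EXAMPLE.TEST"]
SAMPLE_KLIST = """\
Default principal: host/dc1.example.test@EXAMPLE.TEST
01/01/24 10:00:00  01/01/24 20:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

def parse_nslcd_conf(text):
    """nslcd.conf is one 'option value' per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def k5start_autostarts(conf):
    """Rule quoted from /etc/default/nslcd: GSSAPI plus a file-type krb5_ccname."""
    ccname = conf.get("krb5_ccname", "")
    file_cache = ccname.startswith("FILE:") or (ccname != "" and ":" not in ccname)
    return conf.get("sasl_mech", "").upper() == "GSSAPI" and file_cache

def has_tgt(klist_output, realm):
    """True if a krbtgt/REALM@REALM ticket is listed, i.e. kinit/k5start succeeded."""
    pattern = r"\bkrbtgt/%s@%s\b" % (re.escape(realm), re.escape(realm))
    return re.search(pattern, klist_output) is not None

def gssapi_findings(conf, keytab_principals, principal, klist_output):
    """Reasons a SASL/GSSAPI bind would fail before nslcd even talks to LDAP."""
    findings = []
    if conf.get("sasl_mech", "").upper() != "GSSAPI":
        return findings  # simple bind: nothing Kerberos-related to check
    if "krb5_ccname" not in conf:
        findings.append("krb5_ccname not set: nslcd has no ticket cache to use")
    elif not k5start_autostarts(conf):
        findings.append("krb5_ccname is not a FILE: cache: k5start will not autostart")
    if principal not in keytab_principals:
        findings.append("keytab lacks %s: k5start cannot obtain a TGT" % principal)
    if not has_tgt(klist_output, principal.rpartition("@")[2]):
        findings.append("no krbtgt ticket in the cache: run kinit (or k5start) first")
    return findings
```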
