On 18/01/12 04:54, Andrew Bartlett wrote:
On Sun, 2012-01-15 at 14:49 +0100, steve wrote:
Hi everyone
Version 4.0.0alpha18-GIT-bfc7481

I'm using nslcd to map Samba 4 users to uid:gid and home directory. At
startup I get this:
Why are you not using nss_winbind?

I know the Samba4 winbindd (started as a component of 'samba') isn't in
great shape, but it is the only way to get at the correct id mapping at
the moment.

There are many requests to get the UID/GID number back into LDAP (it
once was!), but we haven't done that work yet.  Part of the issue is
what to do when we need to allocate a new UID, as Microsoft's
implementation has no allocation procedure to use as a pattern.

Andrew Bartlett

Hi
I'm using nslcd because I'm using nfs4 as a file server and because it just works. I've added the uid:gid, home directory and shell to each samba 4 user and nslcd is mapping them fine. Linux and win 7 domain machines can read and write the shares from the samba 4 smb.conf just fine. We can work logged onto a Linux or win 7 box.

The point I'm stuck on is getting the Samba 4 Kerberos to authenticate to the Samba 4 LDAP. I can connect by specifying the binddn and password in nslcd.conf but it seems as though GSSAPI cannot find the ldap principal. But samba will not let me make a principal:

samba-tool spn add ldap host-account
hh3:/home/steve # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/HH3.SITE
ERROR(runtime): uncaught exception - Key table entry not found
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
    return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
    net.export_keytab(keytab=keytab, principal=principal)

and the error on trying to connect:

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ [email protected] from ipv4:192.168.1.3:54046 for ldap/[email protected] [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server ldap/[email protected] that was not found
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/[email protected]: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:54046
Kerberos: TGS-REQ [email protected] from ipv4:192.168.1.3:34450 for krbtgt/[email protected] [renewable]
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/[email protected]: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:34450
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

Question: how do I create a ldap principal for the realm HH3.SITE? I'm on openSUSE 12.1

Thanks for your time and patience,
Steve
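The KDC trace above shows the pattern that appears whenever a client asks for a service ticket for an SPN that no account in the directory carries: the TGS-REQ for ldap/host is answered with a referral to a realm the KDC has no trust object for, and the follow-up krbtgt lookup then fails with "no such entry found in hdb". The small parser below, added here as an illustration and not part of the thread or of Samba, pulls that pattern out of a Samba KDC log so an administrator can list which SPNs clients are requesting that the KDC cannot resolve, and which referral targets are dangling. The log lines and principal names (EXAMPLE.TEST, dc1.example.test, the 192.0.2.x addresses) are constructed placeholders; the message formats are modelled on the lines quoted in the mail.

```python
"""Find service principals that clients request but the Samba KDC cannot
resolve, from Samba 4 KDC log output.  Added example; the log sample is
constructed and the realm/host names are placeholders."""
import re
from collections import defaultdict

# Constructed sample log, modelled on the Samba 4 KDC trace in the thread:
# two clients request an ldap/ SPN that is not registered, the KDC issues
# a referral and then cannot find the referral realm's krbtgt either.
# A cifs/ request that succeeds is included as a negative case.
SAMPLE_LOG = """\
Kerberos: TGS-REQ steve@EXAMPLE.TEST from ipv4:192.0.2.10:54046 for ldap/dc1.example.test@EXAMPLE.TEST [canonicalize, renewable]
Kerberos: Searching referral for example.test
Kerberos: Returning a referral to realm TEST for server ldap/dc1.example.test@EXAMPLE.TEST that was not found
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/TEST@EXAMPLE.TEST: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.0.2.10:54046
Kerberos: TGS-REQ steve@EXAMPLE.TEST from ipv4:192.0.2.10:54050 for cifs/dc1.example.test@EXAMPLE.TEST [renewable]
Kerberos: TGS-REQ steve@EXAMPLE.TEST from ipv4:192.0.2.11:40001 for ldap/dc1.example.test@EXAMPLE.TEST [canonicalize, renewable]
Kerberos: Returning a referral to realm TEST for server ldap/dc1.example.test@EXAMPLE.TEST that was not found
Kerberos: Server not found in database: krbtgt/TEST@EXAMPLE.TEST: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.0.2.11:40001
"""

# Patterns for the three log lines that matter; formats follow the KDC trace.
TGS_REQ = re.compile(r"TGS-REQ (\S+) from (\S+) for (\S+) \[")
REFERRAL_NOT_FOUND = re.compile(
    r"Returning a referral to realm \S+ for server (\S+) that was not found")
NO_HDB_ENTRY = re.compile(r"Server not found in database: (\S+): no such entry")


def missing_spns(log_text):
    """Map each requested-but-unregistered SPN to the client addresses that asked for it.

    A TGS-REQ is considered unresolved when the next referral line names the
    same service principal as "not found"."""
    result = defaultdict(set)
    pending = None  # (client principal, client address, requested SPN)
    for line in log_text.splitlines():
        m = TGS_REQ.search(line)
        if m:
            client, addr, spn = m.groups()
            # drop the source port so repeated requests from one host collapse
            pending = (client, addr.rsplit(":", 1)[0], spn)
            continue
        m = REFERRAL_NOT_FOUND.search(line)
        if m and pending and pending[2] == m.group(1):
            result[m.group(1)].add(pending[1])
    return dict(result)


def unknown_referral_targets(log_text):
    """Principals (normally krbtgt/REALM@...) the KDC referred to but has no HDB entry for."""
    targets = set()
    for line in log_text.splitlines():
        m = NO_HDB_ENTRY.search(line)
        if m:
            targets.add(m.group(1))
    return targets


def report(log_text):
    """Human-readable summary of what an admin needs to register or fix."""
    lines = []
    for spn, clients in sorted(missing_spns(log_text).items()):
        lines.append(f"unregistered SPN {spn} requested from "
                     f"{', '.join(sorted(clients))}")
    for princ in sorted(unknown_referral_targets(log_text)):
        lines.append(f"referral target has no HDB entry: {princ}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real KDC log (for example `samba -i -M single -d 3` output, or the log file the samba process writes) instead of SAMPLE_LOG; each "unregistered SPN" line names exactly the principal that has to be added to a host account with `samba-tool spn add` before the matching keytab can be exported. The dangling krbtgt entries are a symptom of the same missing SPN, not a separate trust problem, which is why the report lists them second.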