On 2012-01-18 12:12, steve wrote:
> On 01/17/2012 09:40 PM, Gémes Géza wrote:
>> Hi,
>>
>> See comments inline:
>>> Hi everyone
>>>
>>> I'm trying to use kerberos to authenticate to Samba 4 ldap. At the
>>> moment, I authenticate by specifying the binddn and password in
>>> /etc/nslcd.conf and all works fine
>>>
>>> If I add the line:
>>> sasl_mech GSSAPI
>> That should suffice, but please note, that nslcd should also have access
>> to some kind of keytab, to authenticate itself.
>> This is done on Debian/Ubuntu via the /etc/default/nslcd.conf (mine is
>> looking like):
>>
>> # Defaults for nslcd init script
>>
>> # Whether to start k5start (for obtaining and keeping a Kerberos ticket)
>> # By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
>> # and krb5_ccname is set to a file-type ticket cache.
>> # Set to "yes" to force starting k5start, any other value will not start
>> # k5start.
>> K5START_START="yes"
>>
>> # Options for k5start.
>> K5START_BIN=/usr/bin/k5start
>> K5START_KEYTAB=/etc/krb5.keytab
>> K5START_CCREFRESH=60
>> K5START_PRINCIPAL="host/$(hostname -f)"
>>
>> And must have k5start installed (it is wrapper which keeps fresh tickets
>> for long running services)
>>> to /etc/nslcd.conf
>>> and restart nslcd, no one can connect to the database. Nothing works.
>>> ldapsearch and getent passwd draw a blank.
>>>
>>> ldapsearch -x -b '' -sbase supportedSASLMechanisms
>>>
>>> gives me:
>>>
>>> dn:
>>> supportedSASLMechanisms: GSS-SPNEGO
>>> supportedSASLMechanisms: GSSAPI
>>> supportedSASLMechanisms: NTLM
>>>
>>> but ldapsearch -Y GSSAPI gives:
>>> SASL/GSSAPI authentication started
>>> ldap_sasl_interactive_bind_s: Local error (-2)
>>>         additional info: SASL(-1): generic failure: GSSAPI Error:
>>> Unspecified GSS failure. Minor code may provide more information
>>> (Server not found in Kerberos database)
>>>
>> before you can do an SASL/GSSAPI based ldap operation you must have
>> valid kerberos tickets (so do a kinit first)!
>>> and Samba gives:
>>> Kerberos: TGS-REQ [email protected] from ipv4:192.168.1.3:56859
>>> for ldap/[email protected] [canonicalize, renewable]
>>> Kerberos: Searching referral for hh3.site
>>> Kerberos: Returning a referral to realm SITE for server
>>> ldap/[email protected] that was not found
>>> Failed find a single entry for
>>> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))):
>>> got 0
>>> Kerberos: samba_kdc_fetch: could not find principal in DB
>>> Kerberos: Server not found in database: krbtgt/[email protected]: no such
>>> entry found in hdb
>>> Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:56859
>>>
>>> I've tried making a ldap principal but samba-tool spn doesn't let me
>>> add an ldap principal.
>>> Any ideas anyone?
>>>
>>> Thanks,
>>> Steve
>> Regards
>>
>> Geza
> Hi Geza
>
> OK. Now on Ubuntu. I have k5init installed and have made a host
> principal:
>
> klist -k /etc/host.keytab
> Keytab name: WRFILE:/etc/host.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/[email protected]
>    1 host/[email protected]
>    1 host/[email protected]
>
> Just to be sure I have:
> ls -la /etc/host.keytab
> -rw-rw-rw- 1 root root 193 2012-01-18 11:34 /etc/host.keytab
>
> cat /etc/default/nslcd
> # Defaults for nslcd init script
>
> # Whether to start k5start (for obtaining and keeping a Kerberos ticket)
> # By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
> # and krb5_ccname is set to a file-type ticket cache.
> # Set to "yes" to force starting k5start, any other value will not start
> # k5start.
> K5START_START="yes"
>
> # Options for k5start.
> K5START_BIN=/usr/bin/k5start
> K5START_KEYTAB=/etc/host.keytab
> K5START_CCREFRESH=60
> #K5START_PRINCIPAL="host/$(hostname -f)"
> K5START_PRINCIPAL="host/HH3.SITE -f"
>
> I did kinit Administrator and have a cache in /tmp/krbcc_0
>
> cat /etc/nslcd.conf
> uid nslcd
> gid nslcd
>
> uri ldap://127.0.0.1
>
> base dc=hh3,dc=site
>
> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
>
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map shadow uid sAMAccountName
>
> sasl_mech GSSAPI
> sasl_realm HH3.SITE
> krb5_ccname /tmp/krb5cc_0
>
> But:
>
> service nslcd restart
>  * Restarting LDAP connection daemon nslcd                       [ OK ]
>  * Stopping Keep alive Kerberos ticket k5start
> No process in pidfile '/var/run/nslcd/k5start_nslcd.pid' found running; none killed.
>                                                                  [ OK ]
>  * Starting Keep alive Kerberos ticket k5start
> k5start: error getting credentials: Client not found in Kerberos database
>                                                                  [fail]
>                                                                  [ OK ]
>
> and Samba gives:
> Kerberos: AS-REQ host/[email protected] from ipv4:192.168.1.3:38618
> for krbtgt/[email protected]
> Kerberos: UNKNOWN -- host/[email protected]: no such entry found in hdb
>
> Why isn't the host principal being found?
>
> Ahhgg!!
> Where to start?
> Any ideas?
> Cheers,
> Steve

Hi,
First of all /etc/host.keytab shouldn't be writable. But that is a different story.

On the other hand kerberos could get confused by having a host principal for the realm name (I've seen your realm is named HH3.SITE and your host principal is host/HH3.SITE). I would create a special nslcd-domain-account and extract the keytab for it, and use that account+keytab. Or if you prefer create a host account for each host you have and extract a keytab for each of them. The example I've sent you uses the second method ($(hostname -f) returns the fqdn if it is set in /etc/hostname; a common mistake is to have just the first part set in that file).

Other possible error sources could be:

K5START_PRINCIPAL="host/HH3.SITE -f" <- You definitely don't need a -f there!

I wouldn't use a binddn with an sasl bind.

Regards

Geza
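An added configuration check for the pitfalls Geza lists (writable keytab, a host principal named after the realm instead of a host, stray arguments in K5START_PRINCIPAL, binddn combined with a SASL bind, and krb5_ccname not being a file-type cache). It is written for this page and is not code from nslcd, k5start or the thread; the config fragments, the temp-dir keytabs and the nslcd/client.hh3.site service principal are constructed to mirror Steve's setup.

```shell
#!/bin/sh
# Lint an nslcd + k5start GSSAPI setup for the pitfalls raised in the thread.
# All files below are constructed in a temp dir so the check runs offline.
tmp=$(mktemp -d)
cat > "$tmp/nslcd.conf" <<'EOF'
uid nslcd
gid nslcd
uri ldap://127.0.0.1
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
EOF
cat > "$tmp/default_nslcd" <<'EOF'
K5START_START="yes"
K5START_KEYTAB=/etc/host.keytab
K5START_PRINCIPAL="host/HH3.SITE -f"
EOF
: > "$tmp/host.keytab" && chmod 666 "$tmp/host.keytab"   # mimics -rw-rw-rw-

# check_nslcd CONF DEFAULTS KEYTAB: prints one line per finding, nothing when clean
check_nslcd() {
  conf=$1; defaults=$2; keytab=$3
  realm=$(awk '$1=="sasl_realm"{print $2}' "$conf")
  princ=$(sed -n 's/^K5START_PRINCIPAL="\(.*\)"$/\1/p' "$defaults")
  base=${princ%% *}                         # principal without trailing arguments
  if grep -q '^sasl_mech[[:space:]]*GSSAPI' "$conf" && grep -q '^binddn' "$conf"; then
    echo "binddn is set together with sasl_mech GSSAPI; drop binddn for a SASL bind"
  fi
  [ "$base" = "$princ" ] || echo "K5START_PRINCIPAL carries extra arguments: '$princ'"
  [ "$base" = "host/$realm" ] && echo "principal '$base' is named after the realm, not a host"
  [ -r "$keytab" ] || echo "keytab $keytab is missing or unreadable"
  case $(ls -ld "$keytab" | cut -c6,9) in      # group-write and other-write bits
    *w*) echo "keytab $keytab is group- or world-writable" ;;
  esac
  grep -q '^krb5_ccname[[:space:]]*\(FILE:\)\{0,1\}/' "$conf" \
    || echo "krb5_ccname is not a file-type cache, so k5start is not started by default"
  return 0
}

# Corrected counterpart: dedicated service principal, no binddn, mode 600 keytab.
sed -e '/^binddn/d' "$tmp/nslcd.conf" > "$tmp/nslcd.fixed"
printf 'K5START_KEYTAB=%s\nK5START_PRINCIPAL="nslcd/client.hh3.site"\n' \
  "$tmp/nslcd.keytab" > "$tmp/default.fixed"
: > "$tmp/nslcd.keytab" && chmod 600 "$tmp/nslcd.keytab"

echo "== findings, original =="; check_nslcd "$tmp/nslcd.conf" "$tmp/default_nslcd" "$tmp/host.keytab"
echo "== findings, corrected =="; check_nslcd "$tmp/nslcd.fixed" "$tmp/default.fixed" "$tmp/nslcd.keytab"
```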
