> Progress:
> klist -k /etc/krb5.keytab | grep host-account
> 1 [email protected]
> 1 [email protected]
> 1 [email protected]
>
> cat /etc/default/nslcd
> K5START_START="yes"
> # Options for k5start.
> K5START_BIN=/usr/bin/k5start
> K5START_KEYTAB=/etc/krb5.keytab
> K5START_CCREFRESH=60
> K5START_PRINCIPAL="[email protected]"
>
> service nslcd restart
> Kerberos: AS-REQ [email protected] from ipv4:192.168.1.3:49240 for
> krbtgt/[email protected]
> Kerberos: Client sent patypes: 149
> Kerberos: Looking for PKINIT pa-data -- [email protected]
> Kerberos: Looking for ENC-TS pa-data -- [email protected]
> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> [email protected]
> Kerberos: AS-REQ [email protected] from ipv4:192.168.1.3:35595 for
> krbtgt/[email protected]
> Kerberos: Client sent patypes: encrypted-timestamp, 149
> Kerberos: Looking for PKINIT pa-data -- [email protected]
> Kerberos: Looking for ENC-TS pa-data -- [email protected]
> Kerberos: ENC-TS Pre-authentication succeeded -- [email protected]
> using arcfour-hmac-md5
> Kerberos: AS-REQ authtime: 2012-01-19T11:19:01 starttime: unset
> endtime: 2012-01-19T21:19:01 renew till: unset
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
> arcfour-hmac-md5/arcfour-hmac-md5
> Kerberos: Requested flags: renewable-ok
>
> service nslcd restart
> * Restarting LDAP connection daemon
> nslcd [ OK ]
> * Stopping Keep alive Kerberos ticket
> k5start [ OK ]
> * Starting Keep alive Kerberos ticket
> k5start [ OK ]
>
> getent passwd
> syslog gives:
> Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] failed to bind to LDAP
> server ldap://hh3.hh3.site: Unknown authentication method: Operation
> now in progress
> Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] no available LDAP server found
> samba gives:
> ldb_wrap open of secrets.ldb
> Terminating connection - 'ldapsrv_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>
> The only way I can bind is by removing the sasl_mech GSSAPI and giving
> the binddn and bindpw in /etc/nslcd.conf
>
> So I'm stuck with 'Unknown authentication method'. Are we sure that
> nslcd can bind using Kerberos?
>
> Thanks for your patience,
> Steve

Hi,

Even if you are scared to death of samba-technical, I'm posting it there as well; maybe someone can answer the questions which arose when I tried to check out your use case.

So I've tried first:

# ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI

gives:

SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
No such object (32)
Additional information: empty base DN at ../source4/dsdb/samdb/ldb_modules/partition.c:617

and

# ldapwhoami -H ldap://samba4.kzsdabas.hu -Y GSSAPI

SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
Result: Protocol error (2)
Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported

So the question is: does the Samba4 LDAP server support SASL/GSSAPI-based binding?

Cheers
Geza
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
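As an added example (not code from either message in this thread), here is a small Python parser for Samba KDC debug lines of the kind quoted above. It reconstructs each AS-REQ exchange, records the pre-authentication outcome and the enctypes negotiated, and flags the detail a defender would want to notice in that log: the client offered AES, yet the KDC settled on arcfour-hmac-md5 (RC4) for both the session key and the ticket. The log text, host name, realm and principal names below are constructed placeholders modelled on the quoted output, not values from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the Samba KDC debug lines quoted in the
# thread. Realm and principal names are placeholders, not real accounts.
SAMPLE_KDC_LOG = """\
Kerberos: AS-REQ host-account@EXAMPLE.TEST from ipv4:192.168.1.3:49240 for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Kerberos: Client sent patypes: 149
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- host-account@EXAMPLE.TEST
Kerberos: AS-REQ host-account@EXAMPLE.TEST from ipv4:192.168.1.3:35595 for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: ENC-TS Pre-authentication succeeded -- host-account@EXAMPLE.TEST using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-01-19T11:19:01 starttime: unset endtime: 2012-01-19T21:19:01 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
"""

# Enctypes a defender should not want to see actually in use.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"}

AS_REQ_RE = re.compile(r"Kerberos: AS-REQ (\S+) from (\S+) for (\S+)")
PREAUTH_REQ_RE = re.compile(r"returning PREAUTH-REQUIRED")
PREAUTH_OK_RE = re.compile(r"Pre-authentication succeeded -- \S+ using (\S+)")
ENCTYPES_RE = re.compile(r"Client supported enctypes: (.+?), using (\S+)/(\S+)")


@dataclass
class AsReq:
    """One AS-REQ exchange as reconstructed from consecutive KDC log lines."""
    client: str
    source: str
    service: str
    preauth: Optional[str] = None          # None, "required" or "succeeded"
    preauth_enctype: Optional[str] = None  # enctype of the ENC-TS pre-auth key
    offered: List[str] = field(default_factory=list)
    session_enctype: Optional[str] = None
    ticket_enctype: Optional[str] = None

    def weak(self) -> List[str]:
        """Weak enctypes actually used (not merely offered) in this exchange."""
        used = {self.preauth_enctype, self.session_enctype, self.ticket_enctype}
        return sorted(e for e in used if e in WEAK_ENCTYPES)

    def downgraded(self) -> bool:
        """True when the client offered AES but the KDC chose a weak enctype."""
        offered_aes = any(e.startswith("aes") for e in self.offered)
        return offered_aes and bool(self.weak())


def parse_kdc_log(text: str) -> List[AsReq]:
    """Group the flat log into AS-REQ records; each 'AS-REQ ... from ... for' line starts one."""
    reqs: List[AsReq] = []
    cur: Optional[AsReq] = None
    for line in text.splitlines():
        m = AS_REQ_RE.search(line)
        if m:
            cur = AsReq(client=m.group(1), source=m.group(2), service=m.group(3))
            reqs.append(cur)
            continue
        if cur is None:
            continue
        if PREAUTH_REQ_RE.search(line):
            cur.preauth = "required"
        elif (m := PREAUTH_OK_RE.search(line)):
            cur.preauth = "succeeded"
            cur.preauth_enctype = m.group(1)
        elif (m := ENCTYPES_RE.search(line)):
            cur.offered = [e.strip() for e in m.group(1).split(",")]
            cur.session_enctype, cur.ticket_enctype = m.group(2), m.group(3)
    return reqs


def findings(reqs: List[AsReq]) -> List[str]:
    """Human-readable findings; the PREAUTH-REQUIRED leg of the normal two-step exchange is not reported."""
    out: List[str] = []
    for r in reqs:
        if r.preauth == "required":
            continue
        if r.preauth is None:
            out.append(f"{r.client}: AS-REQ from {r.source} with no pre-authentication outcome logged")
        for e in r.weak():
            out.append(f"{r.client}: weak enctype {e} in use")
        if r.downgraded():
            out.append(f"{r.client}: offered {', '.join(r.offered)} but got "
                       f"{r.session_enctype}/{r.ticket_enctype}; check that the account "
                       f"and keytab actually carry AES keys")
    return out


if __name__ == "__main__":
    for line in findings(parse_kdc_log(SAMPLE_KDC_LOG)):
        print(line)
```

Run against the constructed log it reports RC4 in use and an AES-to-RC4 mismatch for the second AS-REQ; the first AS-REQ, answered with PREAUTH-REQUIRED, is the normal first leg of the exchange and is not a finding. Feeding it real `log level` output from a Samba KDC is a cheap way to confirm whether service accounts such as the one k5start keeps alive are really authenticating with AES keys.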
