On Thu, 2012-01-19 at 18:35 +0100, Gémes Géza wrote:
> > Progress:
> > klist -k /etc/krb5.keytab | grep host-account
> > 1 [email protected]
> > 1 [email protected]
> > 1 [email protected]
> >
> > cat /etc/default/nslcd
> > K5START_START="yes"
> > # Options for k5start.
> > K5START_BIN=/usr/bin/k5start
> > K5START_KEYTAB=/etc/krb5.keytab
> > K5START_CCREFRESH=60
> > K5START_PRINCIPAL="[email protected]"
> >
> > service nslcd restart
> > Kerberos: AS-REQ [email protected] from ipv4:192.168.1.3:49240 for
> > krbtgt/[email protected]
> > Kerberos: Client sent patypes: 149
> > Kerberos: Looking for PKINIT pa-data -- [email protected]
> > Kerberos: Looking for ENC-TS pa-data -- [email protected]
> > Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> > [email protected]
> > Kerberos: AS-REQ [email protected] from ipv4:192.168.1.3:35595 for
> > krbtgt/[email protected]
> > Kerberos: Client sent patypes: encrypted-timestamp, 149
> > Kerberos: Looking for PKINIT pa-data -- [email protected]
> > Kerberos: Looking for ENC-TS pa-data -- [email protected]
> > Kerberos: ENC-TS Pre-authentication succeeded -- [email protected]
> > using arcfour-hmac-md5
> > Kerberos: AS-REQ authtime: 2012-01-19T11:19:01 starttime: unset
> > endtime: 2012-01-19T21:19:01 renew till: unset
> > Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> > aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
> > arcfour-hmac-md5/arcfour-hmac-md5
> > Kerberos: Requested flags: renewable-ok
> >
> > service nslcd restart
> > * Restarting LDAP connection daemon
> > nslcd [ OK ]
> > * Stopping Keep alive Kerberos ticket
> > k5start [ OK ]
> > * Starting Keep alive Kerberos ticket
> > k5start [ OK ]
> >
> > getent passwd
> > syslog gives:
> > Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] failed to bind to LDAP
> > server ldap://hh3.hh3.site: Unknown authentication method: Operation
> > now in progress
> > Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] no available LDAP server found
> >
> > samba gives:
> > ldb_wrap open of secrets.ldb
> > Terminating connection - 'ldapsrv_call_loop:
> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> >
> > The only way I can bind is by removing the sasl_mech GSSAPI and giving
> > the binddn and bindpw in /etc/nslcd.conf
> >
> > So I'm stuck with 'Unknown authentication method'. Are we sure that
> > nslcd can bind using Kerberos?
> >
> > Thanks for your patience,
> > Steve
> Hi,
>
> Even if you are scared to death of samba-technical I'm posting it there
> as well; maybe someone can answer the questions which arose when I tried
> to check out your use case.
> So I've tried first:
> # ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI
>
> gives:
> SASL/GSSAPI authentication started
> SASL username: [email protected]
> SASL SSF: 56
> SASL data security layer installed.
> No such object (32)
> Additional information: empty base DN at
> ../source4/dsdb/samdb/ldb_modules/partition.c:617

The issue appears to be related to no base DN being specified. Try with
-b 'dc=samba4,dc=kzsdabas,dc=hu'. This behaviour may not match Windows;
if you can test against that, please let us know the difference and we
can sort it out. Base DN specification and defaults changed mid last year.

> and
>
> # ldapwhoami -H ldap://samba4.kzsdabas.hu -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: [email protected]
> SASL SSF: 56
> SASL data security layer installed.
> ldap_parse_result: Protocol error (2)
> additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not
> supported
> Result: Protocol error (2)
> Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
>
> So the question is: does the Samba4 LDAP server support SASL/GSSAPI based
> binding?

We support SASL/GSSAPI. We do not (patches very welcome) currently support
the extended operation ldapwhoami uses.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
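The thread turns on three things that are easy to get out of step: the principal k5start renews must really be in the keytab, nslcd.conf must ask for GSSAPI and name a base DN (Samba4 answers an empty base with noSuchObject, as Andrew notes), and nslcd must read the same ticket cache k5start keeps fresh. The script below is an added example written for this page; it is not code from nslcd, k5start, Samba or any poster. It runs entirely offline on constructed text (klist output, /etc/default/nslcd and two nslcd.conf variants with the invented realm EXAMPLE.ORG) and reports which of those preconditions fail. The k5start cache path /var/run/nslcd/nslcd.tkt is an assumption about the Debian init script, since the thread does not show it; ldapwhoami is deliberately not used as the probe because the whoami extended operation is the one Samba4 rejects above.

```python
"""Offline preflight for an nslcd -> Samba4 GSSAPI bind (added example)."""
import re
import shlex

# Assumption: Debian's nslcd init script keeps k5start's cache here unless
# K5START_CCFILE overrides it; the thread does not show this setting.
ASSUMED_K5START_CCFILE = "/var/run/nslcd/nslcd.tkt"

# Constructed `klist -k /etc/krb5.keytab` output (invented realm EXAMPLE.ORG)
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host-account@EXAMPLE.ORG
   1 HOST/hh3.example.org@EXAMPLE.ORG
   1 HOST/hh3@EXAMPLE.ORG
"""

# Constructed /etc/default/nslcd, same keys as in the thread
DEFAULT_NSLCD = """\
K5START_START="yes"
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host-account@EXAMPLE.ORG"
"""

# Constructed nslcd.conf as in the thread: GSSAPI asked for, no base, no cache
NSLCD_CONF_BROKEN = """\
uri ldap://hh3.example.org
sasl_mech GSSAPI
"""

# Constructed nslcd.conf with the base DN and the k5start cache named
NSLCD_CONF_FIXED = """\
uri ldap://hh3.example.org
base dc=example,dc=org
sasl_mech GSSAPI
krb5_ccname FILE:/var/run/nslcd/nslcd.tkt
"""

KEYTAB_LINE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")


def keytab_principals(klist_text):
    """Principal names from `klist -k` output, skipping the header lines."""
    return {m.group(1) for m in map(KEYTAB_LINE.match, klist_text.splitlines()) if m}


def parse_shell_defaults(text):
    """KEY=value lines from /etc/default/nslcd; values may be shell-quoted."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = shlex.split(value)
        out[key.strip()] = parts[0] if parts else ""
    return out


def parse_nslcd_conf(text):
    """nslcd.conf is one `option value` per line; the first occurrence wins."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        out.setdefault(key.lower(), value.strip())
    return out


def strip_ccache_prefix(name):
    """Compare cache names by path whether or not they carry a FILE: prefix."""
    return name[5:] if name.upper().startswith("FILE:") else name


def preflight(klist_text, defaults_text, nslcd_text):
    """Return the problems found; an empty list means 'go and try the bind'."""
    problems = []
    keytab = keytab_principals(klist_text)
    defaults = parse_shell_defaults(defaults_text)
    conf = parse_nslcd_conf(nslcd_text)

    if defaults.get("K5START_START") != "yes":
        problems.append("K5START_START is not yes: no ticket cache is kept fresh")
    principal = defaults.get("K5START_PRINCIPAL", "")
    if principal not in keytab:
        problems.append(f"K5START_PRINCIPAL {principal!r} is not in the keytab")

    if conf.get("sasl_mech", "").upper() != "GSSAPI":
        if "binddn" in conf or "bindpw" in conf:
            problems.append("no sasl_mech but binddn/bindpw set: simple bind with "
                            "a password on disk, not Kerberos")
        else:
            problems.append("sasl_mech GSSAPI is not set")
    if not conf.get("base"):
        problems.append("no base DN: Samba4 answers an empty base with noSuchObject")

    k5_cache = defaults.get("K5START_CCFILE", ASSUMED_K5START_CCFILE)
    nslcd_cache = conf.get("krb5_ccname")
    if nslcd_cache is None:
        problems.append(f"krb5_ccname not set: unless KRB5CCNAME is exported into "
                        f"nslcd's environment it will not read {k5_cache}")
    elif strip_ccache_prefix(nslcd_cache) != strip_ccache_prefix(k5_cache):
        problems.append(f"krb5_ccname {nslcd_cache} differs from k5start cache {k5_cache}")
    return problems


def ldapsearch_probe(nslcd_text, ccache=ASSUMED_K5START_CCFILE):
    """Shell command that repeats nslcd's bind by hand with the same cache.

    A base-scope search is used because the whoami extended operation that
    ldapwhoami sends is not supported by the Samba4 LDAP server.
    """
    conf = parse_nslcd_conf(nslcd_text)
    cmd = ["ldapsearch", "-LLL", "-H", conf["uri"], "-Y", "GSSAPI",
           "-b", conf.get("base", ""), "-s", "base", "(objectClass=*)"]
    return f"KRB5CCNAME=FILE:{strip_ccache_prefix(ccache)} " + shlex.join(cmd)


if __name__ == "__main__":
    for name, text in (("broken", NSLCD_CONF_BROKEN), ("fixed", NSLCD_CONF_FIXED)):
        print(name, preflight(KLIST_OUTPUT, DEFAULT_NSLCD, text) or "ok")
    print(ldapsearch_probe(NSLCD_CONF_FIXED))
```

Run it against real files by reading `klist -k` output and the two config files into the three arguments; if `preflight` returns nothing, the printed `ldapsearch` line reproduces nslcd's bind from a root shell using k5start's cache, so a failure there is a Kerberos or Samba problem rather than an nslcd.conf one.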
