On 2012-01-20 06:03, Andrew Bartlett wrote:
> On Thu, 2012-01-19 at 18:35 +0100, Gémes Géza wrote:
>>> Progress:
>>> klist -k /etc/krb5.keytab | grep host-account
>>> 1 [email protected]
>>> 1 [email protected]
>>> 1 [email protected]
>>>
>>> cat /etc/default/nslcd
>>> K5START_START="yes"
>>> # Options for k5start.
>>> K5START_BIN=/usr/bin/k5start
>>> K5START_KEYTAB=/etc/krb5.keytab
>>> K5START_CCREFRESH=60
>>> K5START_PRINCIPAL="[email protected]"
>>>
>>> service nslcd restart
>>> Kerberos: AS-REQ [email protected] from ipv4:192.168.1.3:49240 for krbtgt/[email protected]
>>> Kerberos: Client sent patypes: 149
>>> Kerberos: Looking for PKINIT pa-data -- [email protected]
>>> Kerberos: Looking for ENC-TS pa-data -- [email protected]
>>> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- [email protected]
>>> Kerberos: AS-REQ [email protected] from ipv4:192.168.1.3:35595 for krbtgt/[email protected]
>>> Kerberos: Client sent patypes: encrypted-timestamp, 149
>>> Kerberos: Looking for PKINIT pa-data -- [email protected]
>>> Kerberos: Looking for ENC-TS pa-data -- [email protected]
>>> Kerberos: ENC-TS Pre-authentication succeeded -- [email protected] using arcfour-hmac-md5
>>> Kerberos: AS-REQ authtime: 2012-01-19T11:19:01 starttime: unset endtime: 2012-01-19T21:19:01 renew till: unset
>>> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
>>> Kerberos: Requested flags: renewable-ok
>>>
>>> service nslcd restart
>>> * Restarting LDAP connection daemon nslcd [ OK ]
>>> * Stopping Keep alive Kerberos ticket k5start [ OK ]
>>> * Starting Keep alive Kerberos ticket k5start [ OK ]
>>>
>>> getent passwd
>>> syslog gives:
>>> Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] failed to bind to LDAP server ldap://hh3.hh3.site: Unknown authentication method: Operation now in progress
>>> Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] no available LDAP server found
>>> samba gives:
>>> ldb_wrap open of secrets.ldb
>>> Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>>
>>> The only way I can bind is by removing the sasl_mech GSSAPI and giving
>>> the binddn and bindpw in /etc/nslcd.conf
>>>
>>> So I'm stuck with 'Unknown authentication method'. Are we sure that
>>> nslcd can bind using Kerberos?
>>>
>>> Thanks for your patience,
>>> Steve
>>
>> Hi,
>>
>> Even if you are scared to death of samba-technical, I'm posting it there
>> as well; maybe someone can answer the questions which arose when I tried
>> to check out your use case.
>> So I've tried first:
>> # ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI
>>
>> gives:
>> SASL/GSSAPI authentication started
>> SASL username: [email protected]
>> SASL SSF: 56
>> SASL data security layer installed.
>> No such object (32)
>> Additional information: empty base DN at ../source4/dsdb/samdb/ldb_modules/partition.c:617
>
> The issue appears to be related to there being no 'base dn' specified.
> Try with -b 'dc=samba4,dc=kzsdabas,dc=hu'.
>
> This behaviour may not match windows - if you can test against that,
> please let us know the difference and we can sort it out. Base DN
> specification and defaults changed mid last year.
>
> Thanks!

Specifying the base dn was the problem, but that still doesn't explain the original problem (although it suggests that the problem lies with nslcd itself).

>> and
>>
>> # ldapwhoami -H ldap://samba4.kzsdabas.hu -Y GSSAPI
>> SASL/GSSAPI authentication started
>> SASL username: [email protected]
>> SASL SSF: 56
>> SASL data security layer installed.
>> ldap_parse_result: Protocol error (2)
>> additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
>> Result: Protocol error (2)
>> Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
>>
>> So the question is: does the Samba4 LDAP server support SASL/GSSAPI based
>> binding?
>
> We support SASL/GSSAPI. We do not (patches very welcome) currently
> support the extended operation ldapwhoami uses.
>
> Andrew Bartlett

Cheers

Geza

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
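The Heimdal KDC log quoted in the thread shows the two-step AS-REQ exchange (PREAUTH-REQUIRED, then ENC-TS success) and the account settling on arcfour-hmac-md5 even though the client offered AES. The Python below, added here as an example and not code from the thread or from Samba, summarises such a log per AS-REQ and flags a weak enctype being chosen while a stronger one was on offer; the sample lines are constructed on the pattern of the quoted ones, with a placeholder realm EXAMPLE.TEST and address 192.0.2.10.

```python
import re

# Constructed sample, modelled on the Heimdal KDC lines quoted in the thread.
# EXAMPLE.TEST and 192.0.2.10 are placeholders, not the posters' values.
SAMPLE_KDC_LOG = """\
Kerberos: AS-REQ host-account@EXAMPLE.TEST from ipv4:192.0.2.10:49240 for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Kerberos: Client sent patypes: 149
Kerberos: Looking for ENC-TS pa-data -- host-account@EXAMPLE.TEST
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- host-account@EXAMPLE.TEST
Kerberos: AS-REQ host-account@EXAMPLE.TEST from ipv4:192.0.2.10:35595 for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: ENC-TS Pre-authentication succeeded -- host-account@EXAMPLE.TEST using arcfour-hmac-md5
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
"""

# Enctypes a defender would rather not see a KDC still hand out.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"}

AS_REQ = re.compile(r"Kerberos: AS-REQ (\S+) from (\S+) for (\S+)$")
PREAUTH_REQUIRED = re.compile(r"Kerberos: No preauth found, returning PREAUTH-REQUIRED -- (\S+)$")
PREAUTH_OK = re.compile(r"Kerberos: ENC-TS Pre-authentication succeeded -- (\S+) using (\S+)$")
SUPPORTED = re.compile(r"Kerberos: Client supported enctypes: (.+?), using (\S+)/(\S+)$")


def summarise_as_reqs(log_text):
    """One dict per AS-REQ: requester, preauth outcome, enctypes offered and chosen."""
    requests = []
    for line in log_text.splitlines():
        if m := AS_REQ.match(line):
            requests.append({"client": m[1], "from": m[2], "service": m[3],
                             "preauth": "pending", "preauth_enctype": None,
                             "offered": [], "selected": None, "weak_despite_stronger": False})
        elif not requests:
            continue  # lines before the first AS-REQ belong to no request we track
        elif PREAUTH_REQUIRED.match(line):
            requests[-1]["preauth"] = "required"
        elif m := PREAUTH_OK.match(line):
            requests[-1]["preauth"] = "succeeded"
            requests[-1]["preauth_enctype"] = m[2]
        elif m := SUPPORTED.match(line):
            cur = requests[-1]
            cur["offered"] = [e.strip() for e in m[1].split(",")]
            cur["selected"] = (m[2], m[3])  # the pair Heimdal reports after "using"
            chose_weak = bool({m[2], m[3]} & WEAK_ENCTYPES)
            stronger = any(e not in WEAK_ENCTYPES for e in cur["offered"])
            cur["weak_despite_stronger"] = chose_weak and stronger
    return requests


def weak_findings(log_text):
    """(client, selected) for each AS-REQ where a weak enctype won over a stronger offer."""
    return [(r["client"], r["selected"]) for r in summarise_as_reqs(log_text) if r["weak_despite_stronger"]]
```

Other "Kerberos:" lines (PKINIT lookups, authtime, requested flags) are ignored, so the same functions can be pointed at a full KDC log file read from disk.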
