Hi,

Even if you are scared to death of samba-technical, I'm posting it there
as well; maybe someone can answer the questions which arose when I tried
to check out your use case.
So first I tried:
# ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI

gives:
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
No such object (32)
Additional information: empty base DN at ../source4/dsdb/samdb/ldb_modules/partition.c:617

The issue appears to be related to there being no 'base dn'
specified.  Try with -b 'dc=samba4,dc=kzsdabas,dc=hu'.

This behaviour may not match windows - if you can test against that,
please let us know the difference and we can sort it out.  Base DN
specification and defaults changed mid last year.

Thanks!

Specifying the base dn was the problem, but that still doesn't explain
(although it suggests that the problem lies with nslcd itself) the original
problem.

Hi
Nothing:

hh3:/tmp # kinit Administrator
Password for [email protected]:
Warning: Your password will expire in 34 days on Fri Feb 24 04:49:26 2012

ldapsearch -H ldap://hh3.site cn=Administrator -b dc=hh3,dc=site -LLL -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ [email protected] from ipv4:192.168.1.3:52922 for ldap/[email protected] [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server ldap/[email protected] that was not found
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/[email protected]: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:52922

hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site

hh3:/tmp # ldapsearch -H ldap://hh3.site cn=Administrator -b dc=hh3,dc=site -LLL -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
    additional info: SASL:[GSSAPI]: NT_STATUS_LOGON_FAILURE

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ [email protected] from ipv4:192.168.1.3:48616 for ldap/[email protected] [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-20T07:48:01 starttime: 2012-01-20T07:53:37 endtime: 2012-01-20T17:48:01 renew till: 2012-01-21T07:47:56
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed

And again the integrity check failed error.
Help!
Cheers,
Steve

