On 20/01/12 07:55, steve wrote:
Hi,
Even if you are scared to death of samba-technical I'm posting it there as well, maybe someone can answer the questions which arise when I tried to check out your use case.
So I've tried first:
# ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI
gives:
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
No such object (32)
Additional information: empty base DN at ../source4/dsdb/samdb/ldb_modules/partition.c:617
The issue appears to be related to there being no 'base dn' specified. Try with -b 'dc=samba4,dc=kzsdabas,dc=hu'.
This behaviour may not match windows - if you can test against that,
please let us know the difference and we can sort it out. Base DN
specification and defaults changed mid last year.
Thanks!
Specifying the base dn was the problem, but that still doesn't explain (although it suggests that the problem lies with nslcd itself) the original problem.
Hi
Nothing:
hh3:/tmp # kinit Administrator
Password for Administrator@SITE:
Warning: Your password will expire in 34 days on Fri Feb 24 04:49:26 2012
ldapsearch -H ldap://hh3.site cn=Administrator -b dc=hh3,dc=site -LLL -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ Administrator@SITE from ipv4:192.168.1.3:52922 for ldap/hh3.site@SITE [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server ldap/hh3.site@SITE that was not found
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SITE@SITE: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:52922
hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
hh3:/tmp # ldapsearch -H ldap://hh3.site cn=Administrator -b dc=hh3,dc=site -LLL -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL:[GSSAPI]: NT_STATUS_LOGON_FAILURE
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ Administrator@SITE from ipv4:192.168.1.3:48616 for ldap/hh3.site@SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-20T07:48:01 starttime: 2012-01-20T07:53:37 endtime: 2012-01-20T17:48:01 renew till: 2012-01-21T07:47:56
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed
And again the integrity check failed error.
Help!
Cheers,
Steve
OK. Start from nothing. New checkout, /usr/local/samba deleted, keytabs gone... Nothing.
./source4/setup/provision --realm=site --domain=CACTUS --adminpass=abc@1234 --server-role='domain controller'
kinit Administrator
Password for Administrator@SITE:
Warning: Your password will expire in 41 days on Fri Mar 2 10:11:08 2012
hh3:/tmp # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SITE
Valid starting Expires Service principal
01/20/12 10:36:20 01/20/12 20:36:20 krbtgt/SITE@SITE
renew until 01/21/12 10:36:14
hh3:/tmp # ldapsearch -H ldap://192.168.1.3 cn=Administrator -b dc=site -LLL -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: Administrator@SITE
SASL SSF: 56
SASL data security layer installed.
dn: CN=Administrator,CN=Users,DC=site
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20120120091108.0Z
whenChanged: 20120120091108.0Z
uSNCreated: 3544
uSNChanged: 3544
name: Administrator
objectGUID:: mGFPzUkB00u061KWBq0BbQ==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129715242680000000
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA1QO34Lt6TetRTPlg9AEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=site
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=site
memberOf: CN=Enterprise Admins,CN=Users,DC=site
memberOf: CN=Schema Admins,CN=Users,DC=site
memberOf: CN=Domain Admins,CN=Users,DC=site
distinguishedName: CN=Administrator,CN=Users,DC=site
# refldap://site/CN=Configuration,DC=site
# refldap://site/DC=DomainDnsZones,DC=site
# refldap://site/DC=ForestDnsZones,DC=site
Still here?
samba-tool user add steve2
Next add rfc2307 stuff for steve2:
cat steve2.ldif
dn: cn=steve2,cn=Users,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 3000000
-
add: gidnumber
gidnumber: 100
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/steve2
-
add: loginshell
loginshell: /bin/bash
ldapmodify -H ldap://192.168.1.3 -W -D cn=Administrator,cn=Users,dc=site -f steve2.ldif
wbinfo -i steve2
CACTUS\steve2:*:3000000:100::/home/CACTUS/steve2:/bin/bash
Optimistically:
getent passwd steve2
_nothing_!
But nslcd-user can't read the ticket.
So:
chmod 0644 /tmp/
and getent springs to life:
getent passwd steve2
steve2:x:3000000:100:steve2:/home/CACTUS/steve2:/bin/bash
(gasps of general amazement etc.)
Finally, the kerberized bind works. steve2 can log on and get attributes from LDAP _without_ the binddn and bindpw. For the record, /etc/nslcd.conf looks like this:
uid nslcd-user
gid nslcd-user
uri ldap://192.168.1.3
base dc=site
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
sasl_mech GSSAPI
krb5_ccname /tmp/krb5cc_0
Next stage: getting nslcd-user to be able to read the ticket and keep
the ticket up to date. I can't find k5start for openSUSE. I'll ask the
guys over at the suse list for that one.
If I get time, I'll go through this on Ubuntu (where Geza pointed me to
k5start).
Phew!
Steve.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
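Added example (mine, not code from the thread or from Samba): a small Python preflight that checks the three things this thread tripped over before nslcd attempts its GSSAPI bind, namely a missing base DN, an LDAP service principal the KDC does not know, and a ticket cache the nslcd user cannot read. It assumes the client asks the KDC for ldap/<URI host>@REALM (no rdns canonicalisation) and checks only the cache file's mode bits, not the directory above it; the SPN set, uids and cache file are constructed.

```python
import os, stat, tempfile
from urllib.parse import urlsplit

def parse_nslcd_conf(text):
    """Parse nslcd.conf text into {option: value}; 'map' lines are skipped."""
    pairs = (line.strip().partition(" ") for line in text.splitlines())
    return {k: v.strip() for k, _, v in pairs if k and k[0] != "#" and k != "map"}

def ldap_spn_for(uri, realm):
    """Principal a GSSAPI client asks the KDC for (assumes no rdns canonicalisation)."""
    return f"ldap/{urlsplit(uri).hostname}@{realm}"

def ccache_readable_by(path, uid, gid):
    """Mode-bit check only: can an unprivileged uid/gid read the ticket cache file?"""
    st = os.stat(path)
    bit = stat.S_IRUSR if st.st_uid == uid else stat.S_IRGRP if st.st_gid == gid else stat.S_IROTH
    return bool(st.st_mode & bit)

def preflight(conf, realm, registered_spns, nslcd_uid, nslcd_gid):
    """Return the problems that would stop nslcd's GSSAPI bind; [] means none found."""
    problems = []
    if not conf.get("base"):
        problems.append("no base DN: searches fail with 'No such object (32)'")
    spn = ldap_spn_for(conf.get("uri", "ldap://"), realm)
    if spn not in registered_spns:
        problems.append(f"{spn} not registered: KDC says 'Server not found in Kerberos database'")
    cc = conf.get("krb5_ccname", "").removeprefix("FILE:")
    if not cc or not os.path.exists(cc):
        problems.append("krb5_ccname does not point at an existing ticket cache")
    elif not ccache_readable_by(cc, nslcd_uid, nslcd_gid):
        problems.append(f"{cc} is not readable by uid {nslcd_uid}: nslcd cannot use the ticket")
    return problems

def demo():
    """Constructed scenario: a 0600 root-owned cache is unreadable; 0644 makes it readable."""
    spns = {"ldap/hh3.site@SITE"}  # constructed: SPNs the DC is assumed to have registered
    with tempfile.TemporaryDirectory() as tmp:
        cc = os.path.join(tmp, "krb5cc_0")
        open(cc, "w").close()
        os.chmod(cc, 0o600)
        conf = parse_nslcd_conf(f"uri ldap://hh3.site\nbase dc=site\nkrb5_ccname {cc}\n")
        uid, gid = os.getuid() + 1, os.getgid() + 1  # constructed: some non-owner nslcd-user
        before = preflight(conf, "SITE", spns, uid, gid)
        os.chmod(cc, 0o644)
        after = preflight(conf, "SITE", spns, uid, gid)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The same check passes for a cache that nslcd-user owns outright, which is what the k5start step at the end of the thread is meant to provide, so the Administrator cache never needs to be opened to other users.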