On 20/01/12 12:41, Michael Wood wrote:
Michael. Thanks for your comments. Getting there slowly but surely. Have
made some adjustments in-line.

>> wbinfo -i steve2
>> CACTUS\steve2:*:3000000:100::/home/CACTUS/steve2:/bin/bash
>> Optimistically:
>> getent passwd steve2
>> _nothing_!
>> But nslcd-user can't read the ticket.
>> So:
>> chmod 0644 /tmp/
>
> Obviously you meant the following:
> chmod 644 /tmp/krb5cc_0

Yes. I should have copied it from the terminal rather than type it.

> This is BAD! It means anyone on that machine will be able to do
> anything as Administrator.
> Better (but not the way you're supposed to do it) would be to chown
> the file to the user that is running nslcd.
> What you want to do is create a domain user for nslcd (separate from
> the local user that the process runs as, i.e. it will probably need a
> different username. This is just for authenticating against Samba.)
> samba-tool user add nslcd-service
> Now if you "kinit nslcd-service" and chown the file to the right UID,
> nslcd should work as it did for Administrator. Still not quite right,
> though, I think.
> I think you want to create a service principal name, export it as a
> keytab and then use that for nslcd, but this is where I am a bit
> unsure.

I did this:
samba-tool user add nslcd-service
New Password:
User 'nslcd-service' created successfully
kinit nslcd-service
Password for nslcd-service@SITE:
Warning: Your password will expire in 41 days on Fri Mar 2 13:47:22 2012
hh3:/tmp # chown nslcd-user:nslcd-user krb5cc_0
rcnslcd restart
redirecting to systemctl
hh3:/tmp # getent passwd steve2
steve2:x:3000000:100:steve2:/home/CACTUS/steve2:/bin/bash
Seems to work OK.

I know I should use a keytab, then presumably I'd not need to keep
refreshing the ticket using k5start. I really would like to find
out how to do that. I've tried before. Thinking out loud, maybe this:
with getent passwd, samba gives this:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ nslcd-service@SITE from ipv4:192.168.1.3:50765 for
ldap/hh3.site@SITE [canonicalize, renewable]
I tried removing /tmp/krb5cc_0 and doing this:
hh3:/tmp # samba-tool spn add ldap/hh3.site nslcd-service
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
hh3:/tmp # chown nslcd-user:nslcd-user /etc/ldap.keytab
But:
Jan 20 14:16:15 hh3 nslcd[3575]: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_0' not found)
So the next question would be how do I tell nslcd to look in the keytab
rather than the cache file?
Or maybe go the k5start way. Don't know!

> Is there no principal specified? Maybe it's not necessary.
> [...]

Yes. I think this is it: ldap/hh3.site@SITE. Please see samba output above.

>> Next stage: getting nslcd-user to be able to read the ticket and keep the
>> ticket up to date.
>
> Well, /tmp/krb5cc_0 is root's ticket cache. Since you're running
> nslcd as "nslcd-user", that's not the ticket cache you should be
> using.

Actually, kinit nslcd-service produced a file with the same name.

> Either you should be generating a new ticket cache (maybe
> using k5start), maybe not in /tmp, with the right permissions and
> where nslcd can use it.
>
>> I can't find k5start for openSUSE. I'll ask the guys over
>> at the suse list for that one.
>
> Otherwise you could probably compile it yourself.

If I get time, I'll go through this on Ubuntu (where Geza pointed me to
k5start).
Thanks again.
Steve
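The permission problem flagged in the thread (a world-readable /tmp/krb5cc_0 lets every local account act as Administrator) is simple to check for mechanically before and after the chown/chmod steps above. The script below is an added example for that check, not code from the thread or from Samba, nslcd or kstart; it assumes a Linux box with `ls`, `awk` and `id` available, and the file path and owner name on the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Kerberos credential cache or
# keytab file for the problem discussed above, i.e. a ticket file readable by
# other local accounts, or owned by someone other than the service user that
# nslcd runs as.
#
# check_cred_file FILE EXPECTED_OWNER
#   prints one finding per line; returns 0 when the file is safe, 1 otherwise.
check_cred_file() {
    file=$1
    expected_owner=$2
    rc=0

    if [ ! -f "$file" ]; then
        echo "$file: not found"
        return 1
    fi

    # ls -ld prints e.g. "-rw-r--r-- 1 root root ...": field 1 is the mode
    # string (type, then rwx for user, group, other), field 3 is the owner.
    perm=$(ls -ld "$file" | awk '{print $1}')
    owner=$(ls -ld "$file" | awk '{print $3}')

    # Characters 5-7 of the mode string are the group bits, 8-10 the
    # "other" bits. An 'r' in position 8 is exactly the chmod 644 mistake.
    case "$perm" in
        ???????r*) echo "$file: readable by every local user (mode $perm)"; rc=1 ;;
    esac
    case "$perm" in
        ????r*)    echo "$file: readable by group (mode $perm)"; rc=1 ;;
    esac

    if [ "$owner" != "$expected_owner" ]; then
        echo "$file: owned by $owner, expected $expected_owner"
        rc=1
    fi

    # A service's ticket cache in the shared, world-writable /tmp is what
    # Michael advised against; flag that too so it shows up in an audit.
    case "$file" in
        /tmp/*) echo "$file: lives in /tmp; prefer a directory private to the service"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "$file: ok"
    return "$rc"
}

# Usage (hypothetical path and owner):
#   check_cred_file /var/run/nslcd/krb5cc nslcd-user
if [ -n "${1:-}" ]; then
    check_cred_file "$1" "${2:-$(id -un)}"
fi
```

For the keytab question at the end of the thread, my understanding (an assumption, not something the thread confirms) is that k5start can keep a cache refreshed from a keytab, e.g. `k5start -U -f /etc/ldap.keytab -K 10 -k /var/run/nslcd/krb5cc -o nslcd-user -b` with the path and owner being placeholders, and that nslcd.conf has a `krb5_ccname` option to point nslcd at that cache; running the check above against the resulting file confirms the ownership and mode came out as intended.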
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba