On 12/07/12 10:41, Quinn Plattel wrote:
> Hi,
> I am trying to configure the nslcd service on an Ubuntu client for Kerberos
> authentication against Samba4. My /etc/nslcd.conf contains the following:
>
> uid nslcd
> gid nslcd
> uri ldapi:///cofil01.mydomain.net
> base dc=mydomain,dc=net
> sasl_mech GSSAPI
> krb5_ccname FILE:/tmp/host.tkt

Hi Quinn

It can't authenticate because it doesn't know which principal to use.

1. Include the realm after the GSSAPI line:
   sasl_realm MYDOMAIN.NET
2. Create an AD user, e.g. nslcd-service:
   samba-tool user add nslcd-service
3. Extract the keytab:
   samba-tool domain exportkeytab /etc/nslcd.keytab --principal=nslcd-service
4. Edit /etc/default/nslcd to contain:
   K5START_START="no"
5. Start the service:
   k5start -f /etc/nslcd.keytab -U -o nslcd -K 540 -k /tmp/host.tkt &
   service nslcd start

That's it.
HTH
Cheers,
Steve
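
A pre-flight check for the setup described in this reply, added here as an example (it is not part of the original message, nslcd or Samba). The names check_nslcd_gssapi and conf_value and the demo files are assumptions made for illustration; the keytab permission check is an extra the reply does not mention.

```sh
#!/bin/sh
# Added example: sanity-check the nslcd GSSAPI setup before starting the service.
# Usage: check_nslcd_gssapi <nslcd.conf> <keytab> <k5start -k cache path>

conf_value() {  # print the first value of keyword $1 in config file $2
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

check_nslcd_gssapi() {
    conf=$1 keytab=$2 cache=$3 problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    [ "$(conf_value sasl_mech "$conf")" = "GSSAPI" ] ||
        fail "sasl_mech is not GSSAPI"
    [ -n "$(conf_value sasl_realm "$conf")" ] ||
        fail "sasl_realm is not set"
    # nslcd reads tickets from krb5_ccname; k5start -k must write the same file.
    ccname=$(conf_value krb5_ccname "$conf")
    [ "${ccname#FILE:}" = "$cache" ] ||
        fail "krb5_ccname '$ccname' does not match k5start cache '$cache'"
    # The keytab holds the service account's long-term key.
    if [ ! -f "$keytab" ]; then
        fail "keytab $keytab is missing"
    elif [ "$(ls -ld "$keytab" | cut -c5-10)" != "------" ]; then
        fail "keytab $keytab is accessible by group or others"
    fi
    [ "$problems" -eq 0 ]
}

# Constructed demo: the config as first posted (no sasl_realm), keytab mode 644.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'uid nslcd' 'gid nslcd' 'sasl_mech GSSAPI' \
    'krb5_ccname FILE:/tmp/host.tkt' > "$demo/nslcd.conf"
: > "$demo/nslcd.keytab"; chmod 644 "$demo/nslcd.keytab"
check_nslcd_gssapi "$demo/nslcd.conf" "$demo/nslcd.keytab" /tmp/host.tkt ||
    echo "setup needs fixing before 'service nslcd start'"
```

On a real client the call would be `check_nslcd_gssapi /etc/nslcd.conf /etc/nslcd.keytab /tmp/host.tkt`, run as root so the keytab can be inspected.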