Hi Steve,

Thanks for the info - that helps a lot! I can see that the /etc/init.d/nslcd script in Ubuntu needs modifying in order for k5start to work. It uses -u to specify an alternate principal, which you don't use in your example. The script uses "host/client.example.com" as an alternate principal - can you not use that principal format instead of just a user name?

br,
Quinn

On Thu, Jul 12, 2012 at 3:08 PM, steve <[email protected]> wrote:
> On 12/07/12 10:41, Quinn Plattel wrote:
>
>> Hi,
>>
>> I am trying to configure the nslcd service on an Ubuntu client for Kerberos
>> authentication against samba4. My /etc/nslcd.conf contains the following:
>>
>> uid nslcd
>> gid nslcd
>> uri ldapi:///cofil01.mydomain.net
>> base dc=mydomain,dc=net
>> sasl_mech GSSAPI
>> krb5_ccname FILE:/tmp/host.tkt
>>
>
> Hi Quinn
> It can't authenticate because it doesn't know which principal to use.
>
> 1. Include the realm after the GSSAPI line:
>    sasl_realm MYDOMAIN.NET
> 2. Create an AD user, e.g. nslcd-service:
>    samba-tool user add nslcd-service
> 3. Extract the keytab:
>    samba-tool domain exportkeytab /etc/nslcd.keytab --principal=nslcd-service
> 4. Edit /etc/default/nslcd to contain: K5START_START="no"
> 5. Start the service:
>    k5start -f /etc/nslcd.keytab -U -o nslcd -K 540 -k /tmp/host.tkt &
>    service nslcd start
>
> That's it.
>
> HTH
> Cheers,
> Steve
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:
> https://lists.samba.org/mailman/options/samba

--
Best regards/Med venlig hilsen,
Quinn Plattel
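A small preflight check for the nslcd.conf and k5start settings discussed in this thread, added here as an example; it is not code from the thread nor from the nslcd or k5start projects. It needs only POSIX sh, awk and sed. The two sample config files it writes are constructed from the settings quoted above (the posted one, and one with Steve's `sasl_realm` line added), and the `ldapi://` warning is an editorial caveat: in OpenLDAP-style URIs `ldapi://` is the local Unix-socket transport, so a remote DC is normally reached with `ldap://host`. The checks are: is `sasl_realm` present when `sasl_mech GSSAPI` is set, is `krb5_ccname` set, and does its path match the `-k` cache that the k5start command line writes, since a mismatch there leaves nslcd reading a cache that k5start never refreshes.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread): lint an nslcd.conf
# for the GSSAPI settings named above and compare its ticket cache with the
# one a k5start command line maintains.

# Print the value of KEY from an nslcd.conf-style FILE (first match, comments ignored).
nslcd_get() {
    awk -v key="$2" '$1 !~ /^#/ && $1 == key { print $2; exit }' "$1"
}

# Path behind a krb5_ccname value: "FILE:/tmp/host.tkt" -> "/tmp/host.tkt".
ccname_path() {
    printf '%s\n' "$1" | sed 's/^FILE://'
}

# Extract the -k argument (cache path) from a k5start command line.
k5start_cache() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "-k") { print $(i + 1); exit } }'
}

# Lint FILE: prints findings, returns 0 when clean, 1 when a required key is missing.
check_nslcd_conf() {
    file="$1"; rc=0
    mech=$(nslcd_get "$file" sasl_mech)
    realm=$(nslcd_get "$file" sasl_realm)
    ccname=$(nslcd_get "$file" krb5_ccname)
    uri=$(nslcd_get "$file" uri)
    if [ "$mech" = "GSSAPI" ]; then
        if [ -z "$realm" ]; then
            echo "MISSING: sasl_realm - nslcd cannot pick a principal without the realm"
            rc=1
        fi
        if [ -z "$ccname" ]; then
            echo "MISSING: krb5_ccname - must point at the cache k5start keeps fresh"
            rc=1
        fi
    fi
    case "$uri" in
        ldapi://*) echo "WARN: uri uses ldapi:// (local Unix-socket transport); a remote DC is normally ldap://host" ;;
    esac
    return $rc
}

# Does the cache nslcd reads (krb5_ccname in CONF) match the -k cache in K5START_CMDLINE? 0 = yes.
cache_matches() {
    conf_cache=$(ccname_path "$(nslcd_get "$1" krb5_ccname)")
    k5_cache=$(k5start_cache "$2")
    [ -n "$conf_cache" ] && [ "$conf_cache" = "$k5_cache" ]
}

# Constructed sample: the nslcd.conf as posted in the thread (no sasl_realm).
write_conf_as_posted() {
    cat > "$1" <<'EOF'
uid nslcd
gid nslcd
uri ldapi:///cofil01.mydomain.net
base dc=mydomain,dc=net
sasl_mech GSSAPI
krb5_ccname FILE:/tmp/host.tkt
EOF
}

# Constructed sample: the same file with the realm added and a network ldap:// URI.
write_conf_fixed() {
    cat > "$1" <<'EOF'
uid nslcd
gid nslcd
uri ldap://cofil01.mydomain.net
base dc=mydomain,dc=net
sasl_mech GSSAPI
sasl_realm MYDOMAIN.NET
krb5_ccname FILE:/tmp/host.tkt
EOF
}

# The k5start command line from the thread.
K5START_CMD='k5start -f /etc/nslcd.keytab -U -o nslcd -K 540 -k /tmp/host.tkt'

# Demo run over the two constructed files.
tmp=$(mktemp -d)
write_conf_as_posted "$tmp/posted.conf"
write_conf_fixed "$tmp/fixed.conf"
check_nslcd_conf "$tmp/posted.conf" || echo "posted.conf needs changes"
check_nslcd_conf "$tmp/fixed.conf" && echo "fixed.conf OK"
cache_matches "$tmp/fixed.conf" "$K5START_CMD" && echo "krb5_ccname matches the k5start -k cache"
rm -rf "$tmp"
```

Run it as-is to see the findings for both files; point `check_nslcd_conf` at a real /etc/nslcd.conf and `cache_matches` at the k5start line from the init script to check a live host.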
