Steve,

An alternate workaround to steps 3, 4, 5 is to do the following:

3: samba-tool domain exportkeytab /etc/krb5.keytab --principal=nslcd-service
4: edit /etc/default/nslcd and add the line: K5START_PRINCIPAL="nslcd-service"
5: start nslcd with "service nslcd start"

So now we have two principals we can use for nslcd, a user principal named nslcd-service or a computer account created by "net ads join".

I can see you use -K 540 for k5start. The -K parameter refreshes the Kerberos credentials cache - with yours every 9 hours or 540 minutes, but if you use Ubuntu's defaults, it refreshes once an hour, aka every 60 minutes.

br,
Quinn

On Thu, Jul 12, 2012 at 3:08 PM, steve <[email protected]> wrote:
> On 12/07/12 10:41, Quinn Plattel wrote:
>
>> Hi,
>>
>> I am trying to configure the nslcd service on an Ubuntu client for Kerberos
>> authentication against samba4. My /etc/nslcd.conf contains the following:
>>
>> uid nslcd
>> gid nslcd
>> uri ldapi:///cofil01.mydomain.net
>> base dc=mydomain,dc=net
>> sasl_mech GSSAPI
>> krb5_ccname FILE:/tmp/host.tkt
>>
>
> Hi Quinn
> It can't authenticate because it doesn't know which principal to use.
>
> 1. Include the realm after the GSSAPI line:
> sasl_realm MYDOMAIN.NET
> 2. Create an AD user e.g. nslcd-service
> samba-tool user add nslcd-service
> 3. Extract the keytab:
> samba-tool domain exportkeytab /etc/nslcd.keytab --principal=nslcd-service
> 4. Edit /etc/default/nslcd to contain: K5START_START="no"
> 5. Start the service
> k5start -f /etc/nslcd.keytab -U -o nslcd -K 540 -k /tmp/host.tkt &
> service nslcd start
>
> That's it.
>
> HTH
> Cheers,
> Steve
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:
> https://lists.samba.org/mailman/options/samba
>

--
Best regards/Med venlig hilsen,
Quinn Plattel
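A small sanity check for the setup discussed in this thread, added here as an example and not taken from either post: it flags an nslcd.conf that sets sasl_mech GSSAPI without the sasl_realm Steve's reply adds, checks that krb5_ccname points at the same cache k5start writes with -k, and looks for the exported service principal in a constructed "klist -k" listing. The function names and all sample inputs are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the nslcd GSSAPI setup
# described above. Sample inputs below are constructed, not captured.

# Quinn's original /etc/nslcd.conf, as posted, with no sasl_realm.
NSLCD_CONF_SAMPLE='uid nslcd
gid nslcd
uri ldapi:///cofil01.mydomain.net
base dc=mydomain,dc=net
sasl_mech GSSAPI
krb5_ccname FILE:/tmp/host.tkt'

# Constructed "klist -k /etc/nslcd.keytab" output for the exported keytab.
KLIST_SAMPLE='Keytab name: FILE:/etc/nslcd.keytab
KVNO Principal
---- -----------------------------------------------------------
   1 nslcd-service@MYDOMAIN.NET
   1 nslcd-service@MYDOMAIN.NET'

# nslcd_check_conf CONF_TEXT K5START_CCACHE
# Prints one line per problem found; returns the number of problems (0 = ok).
nslcd_check_conf() {
  conf=$1; k5start_ccache=$2; problems=0
  # GSSAPI without sasl_realm: nslcd cannot tell which principal to use.
  if printf '%s\n' "$conf" | grep -q '^sasl_mech[[:space:]]*GSSAPI' &&
     ! printf '%s\n' "$conf" | grep -q '^sasl_realm[[:space:]]'; then
    echo "sasl_mech GSSAPI is set but sasl_realm is missing"
    problems=$((problems + 1))
  fi
  # The cache nslcd reads must be the one k5start -k writes.
  ccname=$(printf '%s\n' "$conf" | awk '$1 == "krb5_ccname" { print $2 }')
  ccpath=${ccname#FILE:}
  if [ "$ccpath" != "$k5start_ccache" ]; then
    echo "krb5_ccname ($ccname) does not match k5start -k $k5start_ccache"
    problems=$((problems + 1))
  fi
  return $problems
}

# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# Succeeds if the principal appears in "klist -k" style output.
keytab_has_principal() {
  printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}
```

Run nslcd_check_conf against the real /etc/nslcd.conf (cat it into the first argument) and the path you pass to k5start -k; feed keytab_has_principal the output of klist -k on the exported keytab.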
