Re: [Samba] login via Samba 4 LDAP
On 28/12/11 21:59, Bernd Markgraf wrote:
You should create a user in AD for nss-ldap and extract a keytab for it (samba-tool domain exportkeytab --principal=) and configure nss-ldap to use that keytab for authenticating. Most probably you aren't allowed to bind anonymously to your AD server (you can try with ldapsearch -x)

On 29/12/11 10:00, steve wrote:
LDAP works with an anonymous bind. You need the Kerberos keytab for authentication though.

steve@hh3:~> ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <DC=hh3,DC=site> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 2020: Operation unavailable without authentication

# numResponses: 1

I found this usage:
samba-tool export keytab PATH_TO_KEYTAB
How can I find my PATH_TO_KEYTAB?
Thanks

On 2011-12-29 10:11, steve wrote:
Can't get the syntax right:
samba-tool domain exportkeytab /var/lib/named/master --principal
Usage: samba-tool domain exportkeytab <keytab> [options]
samba-tool domain exportkeytab: error: --principal option requires an argument

On 29/12/11 11:58, Gémes Géza wrote:
samba-tool domain exportkeytab /path/to/the/keytab/file/you/want/to/create/or/update --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
Regards
Geza

On 2011-12-29 12:56, steve wrote:
Tried:
samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
restarted samba but:
su steve4
su: user steve4 does not exist
Am I getting close or should I give up now?!
Steve

On 29/12/11 19:14, Gémes Géza wrote:
You still need to configure nss-ldap to do a kerberized bind. I've found example configurations for nslcd (the daemon part of nss-ldapd, a fork of nss-ldap) at:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
http://ubuntuforums.org/archive/index.php/t-1335022.html
Regards
Geza

On 30/12/11 09:38, steve wrote:
phew. That's a biggie. I have nslcd installed. I've looked at the links and it seems as though I need this in /etc/nslcd.conf:
uri ldap://127.0.0.1/
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /dont/know
It's the krb5_ccname I can't get. I have:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ste...@hh3.site
Valid starting       Expires              Service principal
12/30/11 09:27:15    12/30/11 19:27:15    krbtgt/hh3.s...@hh3.site
        renew until 12/31/11 09:27:12
The link you gave suggests:
krb5_ccname /var/run/nslcd/nslcd.tkt
But doesn't say where that came from. Any ideas?
Saludos
Steve

On 30/12/11 13:09, steve wrote:
Well, using nslcd, I have finally got through to the Samba 4 LDAP (getent passwd works and steve4 can finally login). The next bit is this: getent passwd does not show the home directory:
steve4:x:319:100:steve4::/bin/bash
even though I can see it in the ldap ldif. steve4 gets logged into / but changing to /home/CACTUS/steve4 allows him to create and edit files correctly and with the correct permissions. Any ideas?
Thanks
Steve.

On 2011-12-30 13:21, steve wrote:
Found it:
map passwd homeDirectory unixHomeDirectory
so /etc/nslcd.conf looks like this:
uri ldap://127.0.0.1/
base dc=hh3,dc=site
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
Cheers,
Steve

Hi,
I'm glad it works now. Sorry for the late answer; yesterday my ISPs (I have two just to be sure) both decided at the same time to redo the routing of their networks == got off-line for most of the day :-(.
Happy New Year!
Regards
Geza
-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
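A small audit of the configuration the thread settles on, added here as an example (it is not code from the thread, from Samba or from nss-pam-ldapd). It parses an nslcd.conf written in the "map passwd homeDirectory unixHomeDirectory" form, reports whether the bind is Kerberized (sasl_mech GSSAPI, sasl_realm, krb5_ccname), flags a krb5_ccname that points at an interactive user's ticket cache (the /tmp/krb5cc_0 in the klist output above is root's own cache, whose ticket expires at 19:27, after which nslcd has nothing to bind with; the linked configurations use a dedicated cache such as /var/run/nslcd/nslcd.tkt instead), and flags getent passwd entries whose home field is empty, the symptom steve4 showed before the attribute map was added. The nslcd.conf and getent lines are constructed samples modelled on the thread.

```python
"""Offline sanity checks for an nslcd -> Samba 4 AD setup (added example)."""
import re

# Constructed sample: the nslcd.conf the thread ends up with.
SAMPLE_NSLCD_CONF = """\
uri ldap://127.0.0.1/
base dc=hh3,dc=site
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
"""

# Constructed sample getent passwd output: steve4 shows the empty-home symptom,
# steve5 is what a correctly mapped entry looks like.
SAMPLE_GETENT = """\
steve4:x:319:100:steve4::/bin/bash
steve5:x:320:100:steve5:/home/CACTUS/steve5:/bin/bash
"""


def parse_nslcd_conf(text):
    """Return (options, maps): options is {keyword: value} (last one wins),
    maps is {(map_name, attribute): ldap_attribute} from 'map' lines."""
    options, maps = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "map" and len(parts) == 4:
            maps[(parts[1], parts[2])] = parts[3]
        else:
            options[parts[0]] = " ".join(parts[1:])
    return options, maps


def check_kerberized_bind(options):
    """Findings about whether nslcd will bind with GSSAPI and keep working."""
    findings = []
    if options.get("sasl_mech") != "GSSAPI":
        findings.append("sasl_mech is not GSSAPI: nslcd will not do a Kerberized bind")
    if "sasl_realm" not in options:
        findings.append("sasl_realm is missing")
    ccname = options.get("krb5_ccname")
    if ccname is None:
        findings.append("krb5_ccname is missing: nslcd has no credentials cache to bind with")
    elif re.match(r"^(FILE:)?/tmp/krb5cc_\d+$", ccname):
        # A per-user cache from kinit/klist expires with that user's ticket;
        # a daemon needs a cache that is refreshed from its keytab.
        findings.append(f"krb5_ccname {ccname} is an interactive user's ticket cache; "
                        "lookups stop when that ticket expires")
    return findings


def check_home_mapping(maps):
    """Without this map, getent passwd shows an empty home (the thread's symptom)."""
    if maps.get(("passwd", "homeDirectory")) != "unixHomeDirectory":
        return ["passwd homeDirectory is not mapped to unixHomeDirectory; "
                "getent passwd will show an empty home directory"]
    return []


def passwd_entries_without_home(getent_text):
    """Names of passwd entries whose 6th field (home directory) is empty."""
    names = []
    for line in getent_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[5] == "":
            names.append(fields[0])
    return names


def audit(conf_text, getent_text):
    """All findings for one nslcd.conf plus one getent passwd dump."""
    options, maps = parse_nslcd_conf(conf_text)
    findings = check_kerberized_bind(options) + check_home_mapping(maps)
    findings += [f"{name}: empty home directory in passwd entry"
                 for name in passwd_entries_without_home(getent_text)]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NSLCD_CONF, SAMPLE_GETENT):
        print("FINDING:", finding)
```

Run against the samples it reports two findings: the krb5_ccname caveat and steve4's empty home field. On a real host, feed it the contents of /etc/nslcd.conf and the output of "getent passwd".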
Re: [Samba] login via Samba 4 LDAP
On 31/12/11 12:48, Gémes Géza wrote:
[...]

Hi Geza
Nearly works. Getent passwd works and su user works from root but the user can't login unless he's in a root shell. I think this has something to do with pam. I had it working fine this morning until I disabled the ldap client in opensuse having thought that it would be affecting the process. Now no logins apart from in a root shell. I played around with some pam libraries a few weeks ago:
Dec 31 16:09:51 hh3 nslcd[7090]: version 0.7.13 starting
Dec 31 16:09:51 hh3 nslcd[7090]: accepting connections
Dec 31 16:09:51 hh3 nslcd[7082]: Starting local LDAP Name Service Daemon..done
Dec 31 16:10:04 hh3 su: (to steve2) steve on /dev/pts/0
Dec 31 16:10:14 hh3 login[6755]: FAILED LOGIN SESSION FROM /dev/tty1 FOR steve2, Authentication failure
Dec 31 16:10:17 hh3 systemd[1]: getty@tty1.service holdoff time over, scheduling restart.
Dec 31 16:10:27 hh3 polkitd(authority=local): nss_ldap: could not search LDAP server - Server is unavailable
Dec 31 16:10:27 hh3 polkitd(authority=local): nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Dec 31 16:10:31 hh3 polkitd(authority=local): nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Dec 31 16:10:39 hh3 polkitd(authority=local): nss_ldap: reconnecting to LDAP server (sleeping 16
Re: [Samba] login via Samba 4 LDAP
On 31/12/11 16:14, steve wrote:
[...]
Re: [Samba] login via Samba 4 LDAP
On 31/12/11 17:39, steve wrote:
[...]
Re: [Samba] login via Samba 4 LDAP
On 2011-12-31 19:17, steve wrote:
[...]
Re: [Samba] login via Samba 4 LDAP
On 12/31/2011 09:39 PM, Gémes Géza wrote:
[...]
Re: [Samba] login via Samba 4 LDAP
On 29/12/11 19:14, Gémes Géza wrote:
[...]
Re: [Samba] login via Samba 4 LDAP
On 30/12/11 09:38, steve wrote:
> [...]
> phew. That's a biggie. I have nslcd installed.
> I've looked at the links and it seems as though I need this in /etc/nslcd.conf:
>
> uri ldap://127.0.0.1/
> base dc=hh3,dc=site
> sasl_mech GSSAPI
> sasl_realm HH3.SITE
> krb5_ccname /dont/know
>
> It's the krb5_ccname I can't get. I have:
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ste...@hh3.site
>
> Valid starting     Expires            Service principal
> 12/30/11 09:27:15  12/30/11 19:27:15  krbtgt/hh3.s...@hh3.site
>         renew until 12/31/11 09:27:12
>
> The link you gave suggests:
>
> krb5_ccname /var/run/nslcd/nslcd.tkt
>
> But doesn't say where that came from. Any ideas?
> Saludos
> Steve

Well, using nslcd, I have finally got through to the Samba 4 LDAP. getent passwd works and steve4 can finally login.

The next bit is this: getent passwd does not show the home directory:

steve4:x:319:100:steve4::/bin/bash

even though I can see it in the ldap ldif. steve4 gets logged into / but changing to /home/CACTUS/steve4 allows him to create and edit files correctly and with the correct permissions.

Any ideas?
Thanks
Steve.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
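The empty sixth field in that getent line is explained by how nslcd fills a passwd entry: its default passwd map reads the LDAP attribute homeDirectory, while the entry Steve posted for steve4 carries the RFC2307 attribute unixHomeDirectory (the map line that fixes it appears further down this page). What follows is an added example, not code from this thread or from nss-pam-ldapd: a POSIX sh/awk model of that attribute mapping, run over an LDIF entry constructed here from the attributes Steve posted. It reproduces nslcd's default attribute names as documented in nslcd.conf(5) (uid, uidNumber, gidNumber, gecos with a fallback to cn, homeDirectory, loginShell); the function name ldif_to_passwd and the variable STEVE4_LDIF are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): a small awk model of how nslcd builds a
# passwd(5) entry from one LDAP object, to show why the home directory field is
# empty until "map passwd homeDirectory unixHomeDirectory" is configured.
set -eu

# Constructed sample: the RFC2307 attributes of CN=steve4 as posted in the
# thread, reduced to the attributes a passwd map consumes.
STEVE4_LDIF='dn: CN=steve4,CN=Users,DC=hh3,DC=site
cn: steve4
sAMAccountName: steve4
uid: steve4
uidNumber: 319
gidNumber: 100
unixHomeDirectory: /home/CACTUS/steve4
loginShell: /bin/bash
objectClass: posixAccount'

# ldif_to_passwd LDIF [MAP]
#   LDIF  one entry in LDIF form (binary "attr:: base64" lines are skipped)
#   MAP   optional "map passwd <field> <attribute>" lines, exactly as they
#         would appear in nslcd.conf; nslcd's default attribute names apply
#         to every field that is not overridden.
# Prints the resulting passwd line.
ldif_to_passwd() {
    printf '%s\n' "$1" | awk -v map="${2:-}" '
    BEGIN {
        # Default nslcd passwd map: passwd field -> LDAP attribute name.
        attr["uid"] = "uid";            attr["uidNumber"] = "uidNumber"
        attr["gidNumber"] = "gidNumber"; attr["gecos"] = "gecos"
        attr["homeDirectory"] = "homeDirectory"; attr["loginShell"] = "loginShell"
        # Apply "map passwd <field> <attribute>" overrides from the config.
        n = split(map, lines, "\n")
        for (i = 1; i <= n; i++) {
            m = split(lines[i], f, /[ \t]+/)
            if (m == 4 && f[1] == "map" && f[2] == "passwd") attr[f[3]] = f[4]
        }
    }
    # "name: value" lines; LDAP attribute names are case-insensitive, so fold.
    /^[^ :]+: / {
        name = tolower(substr($0, 1, index($0, ":") - 1))
        val[name] = substr($0, index($0, ": ") + 2)
    }
    function get(field,    a) { a = tolower(attr[field]); return (a in val) ? val[a] : "" }
    END {
        # nslcd falls back to cn when the gecos attribute is absent.
        gecos = get("gecos"); if (gecos == "") gecos = ("cn" in val) ? val["cn"] : ""
        printf "%s:x:%s:%s:%s:%s:%s\n", get("uid"), get("uidNumber"), get("gidNumber"),
               gecos, get("homeDirectory"), get("loginShell")
    }'
}

# Without the map the home directory field is empty, as in the getent output.
ldif_to_passwd "$STEVE4_LDIF"
# With the map directive the RFC2307 attribute is used instead.
ldif_to_passwd "$STEVE4_LDIF" "map passwd homeDirectory unixHomeDirectory"
```

The first call reproduces steve4:x:319:100:steve4::/bin/bash; the second fills in /home/CACTUS/steve4. The same mechanism applies to any field: a "map passwd loginShell ..." line pointing at an attribute the entry lacks leaves the shell empty, which is worth checking with getent before users log in.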
Re: [Samba] login via Samba 4 LDAP
On 30/12/11 13:09, steve wrote:
> [...]
> Well, using nslcd, I have finally got through to the Samba 4 LDAP. getent passwd works and steve4 can finally login.
>
> The next bit is this: getent passwd does not show the home directory:
>
> steve4:x:319:100:steve4::/bin/bash
>
> even though I can see it in the ldap ldif. steve4 gets logged into / but changing to /home/CACTUS/steve4 allows him to create and edit files correctly and with the correct permissions.
>
> Any ideas?
> Thanks
> Steve.

Found it:

map passwd homeDirectory unixHomeDirectory

so /etc/nslcd.conf looks like this:

uri ldap://127.0.0.1/
base dc=hh3,dc=site
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

Cheers,
Steve
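To put the steps of this thread together, here is an added example, not code from the thread, from Samba or from nss-pam-ldapd: a POSIX sh script that does what Geza described, creating a dedicated AD account for the lookup daemon, exporting its keytab with samba-tool, obtaining a ticket cache from that keytab, and writing the nslcd.conf shown above. The account name nslcd-svc, the keytab path /etc/nslcd.keytab and the cache path /var/run/nslcd/nslcd.tkt (the path the linked nslcd example used) are this example's assumptions, and samba-tool and kinit are invoked with current samba-tool and MIT kinit syntax. One caveat a practitioner would want: the working configuration points krb5_ccname at /tmp/krb5cc_0, which is root's own ticket cache holding Steve's user TGT; the klist output earlier in the thread shows that ticket expiring at 19:27, after which nslcd's lookups fail, and in the meantime every lookup runs under a person's identity rather than the daemon's. The script keeps a separate cache for the service account, refuses a cache under /tmp, and provides a refresh entry point to run from cron (or replace with k5start) before the ticket expires.

```shell
#!/bin/sh
# Added example (not from the thread): give nslcd its own AD service account,
# a keytab, a private ticket cache and the nslcd.conf from the thread.
# Assumptions: the account "nslcd-svc", the keytab /etc/nslcd.keytab and the
# cache /var/run/nslcd/nslcd.tkt are this example's choices, not the thread's;
# nslcd runs as the unprivileged user "nslcd".
# Run as root on the Samba 4 DC:  sh nslcd-gssapi.sh --apply
# From cron before the ticket expires:  sh nslcd-gssapi.sh --refresh
set -eu

REALM="HH3.SITE"
BASE="dc=hh3,dc=site"
SVC="nslcd-svc"                      # assumed service account (samAccountName)
KEYTAB="/etc/nslcd.keytab"           # assumed keytab path
CCACHE="/var/run/nslcd/nslcd.tkt"    # cache path from the linked nslcd example
CONF="/etc/nslcd.conf"

# Render the nslcd.conf from the thread, parameterised on the ticket cache path.
render_nslcd_conf() {
cat <<EOF
uri ldap://127.0.0.1/
base $BASE
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm $REALM
krb5_ccname $1
EOF
}

# Reject a krb5_ccname under /tmp (for example root's /tmp/krb5cc_0): that is a
# person's cache, it expires with their TGT, and it makes the lookup daemon act
# as whoever last ran kinit as root. Return 0 for an acceptable absolute path.
ccache_ok() {
    case "$1" in
        /tmp/*) return 1 ;;
        /*)     return 0 ;;
        *)      return 1 ;;
    esac
}

# Obtain (or renew) a TGT for the service account from its keytab (MIT kinit
# syntax). The cache must be readable by the user nslcd drops privileges to.
refresh_ccache() {
    mkdir -p "$(dirname "$CCACHE")"
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$SVC@$REALM"
    chown nslcd "$CCACHE"
}

apply() {
    # 1. A dedicated, unprivileged account for the lookup daemon.
    samba-tool user create "$SVC" --random-passwd --description "nslcd GSSAPI bind"
    # 2. Export its keys. The keytab is a credential: create it root-only.
    umask 077
    samba-tool domain exportkeytab "$KEYTAB" --principal="$SVC"
    chmod 600 "$KEYTAB"
    # 3. A ticket cache of its own, refused if it would live under /tmp.
    ccache_ok "$CCACHE"
    refresh_ccache
    # 4. Write the configuration and restart nslcd (openSUSE init script;
    #    substitute your distribution's service command).
    render_nslcd_conf "$CCACHE" > "$CONF"
    chmod 640 "$CONF"
    rcnslcd restart
    # 5. Verify: a GSSAPI bind as the service account, then the NSS view.
    KRB5CCNAME="$CCACHE" ldapsearch -Y GSSAPI -LLL -b "$BASE" \
        '(sAMAccountName=steve4)' uidNumber unixHomeDirectory
    getent passwd steve4
    klist -c "$CCACHE"   # check the expiry and schedule --refresh before it
}

case "${1:-}" in
    --apply)   apply ;;
    --refresh) refresh_ccache ;;
esac
```

Because the bind uses GSSAPI, the same libldap that negotiated a SASL security layer for Steve's ldapsearch (the "SASL SSF: 56" lines in the first message) protects nslcd's connection too, and the traffic stays on the DC over ldap://127.0.0.1/; the TLS certificate whose CN did not match the hostname is not involved. If you want that protection enforced rather than negotiated, nslcd.conf accepts a sasl_secprops line (for example minssf=56).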
Re: [Samba] login via Samba 4 LDAP
On 28/12/11 21:59, Bernd Markgraf wrote:
>> You should create a user in AD for nss-ldap and extract a keytab for it (samba-tool domain exportkeytab --principal=) and configure nss-ldap to use that keytab for authenticating. Most probably you aren't allowed to bind anonymously to your AD server (you can try with ldapsearch -x)
>
> LDAP works with an anonymous bind. You need the Kerberos keytab for authentication though.

steve@hh3:~> ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <DC=hh3,DC=site> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 2020: Operation unavailable without authentication

# numResponses: 1

I found this usage:

samba-tool export keytab PATH_TO_KEYTAB

How can I find my PATH_TO_KEYTAB?
Thanks
Re: [Samba] login via Samba 4 LDAP
On 29/12/11 10:00, steve wrote:
> [...]
> I found this usage:
>
> samba-tool export keytab PATH_TO_KEYTAB
>
> How can I find my PATH_TO_KEYTAB?
> Thanks

Can't get the syntax right:

samba-tool domain exportkeytab /var/lib/named/master --principal
Usage: samba-tool domain exportkeytab <keytab> [options]

samba-tool domain exportkeytab: error: --principal option requires an argument
Re: [Samba] login via Samba 4 LDAP
On 29/12/11 11:58, Gémes Géza wrote:
> On 2011-12-29 10:11, steve wrote:
>> [...]
>> Can't get the syntax right:
>>
>> samba-tool domain exportkeytab /var/lib/named/master --principal
>> Usage: samba-tool domain exportkeytab <keytab> [options]
>>
>> samba-tool domain exportkeytab: error: --principal option requires an argument
>
> samba-tool domain exportkeytab /path/to/the/keytab/file/you/want/to/create/or/update --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
>
> Regards
> Geza

OK. Got as far as this:

samba-tool domain exportkeytab /your/key.tab --principal=SERVICE/host@realm

so I used:

samba-tool domain exportkeytab /etc/krb5.keytab --principal=DNS/HH3.SITE

But that's not the SERVICE I need, I don't think.
Thanks
Steve
Re: [Samba] login via Samba 4 LDAP
On 29/12/11 11:58, Gémes Géza wrote:
> On 2011-12-29 10:11, steve wrote:
>> [...]
>> Can't get the syntax right:
>>
>> samba-tool domain exportkeytab /var/lib/named/master --principal
>> Usage: samba-tool domain exportkeytab <keytab> [options]
>>
>> samba-tool domain exportkeytab: error: --principal option requires an argument
>
> samba-tool domain exportkeytab /path/to/the/keytab/file/you/want/to/create/or/update --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
>
> Regards
> Geza

Tried:

samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4

restarted samba but:

su steve4
su: user steve4 does not exist

Am I getting close or should I give up now?!
Steve
Re: [Samba] login via Samba 4 LDAP
On 2011-12-29 12:56, steve wrote:
> [...]
> Tried:
>
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
>
> restarted samba but:
>
> su steve4
> su: user steve4 does not exist
>
> Am I getting close or should I give up now?!
> Steve

You still need to configure nss-ldap to do a kerberized bind.
I've found example configurations for nslcd (the daemon part of nss-ldapd, a fork of nss-ldap) at:

http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
http://ubuntuforums.org/archive/index.php/t-1335022.html

Regards
Geza
Re: [Samba] login via Samba 4 LDAP
On 2011-12-29 10:11, steve wrote:
> [...]
> Can't get the syntax right:
>
> samba-tool domain exportkeytab /var/lib/named/master --principal
> Usage: samba-tool domain exportkeytab <keytab> [options]
>
> samba-tool domain exportkeytab: error: --principal option requires an argument

samba-tool domain exportkeytab /path/to/the/keytab/file/you/want/to/create/or/update --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract

Regards
Geza
[Samba] login via Samba 4 LDAP
Hi
I've rfc2307'd the Samba 4 LDAP for a user e.g. steve4. I can search the database and view it with phpldapadmin. I can't login from a linux console:

ldapsearch -LLL (cn=steve4)
SASL/GSSAPI authentication started
SASL username: ste...@hh3.site
SASL SSF: 56
SASL data security layer installed.
dn: CN=steve4,CN=Users,DC=hh3,DC=site
cn: steve4
instanceType: 4
whenCreated: 20111228090516.0Z
uSNCreated: 3796
name: steve4
objectGUID:: SmOVmHoGLEKtIAG387qdKg==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAUVb3HIjuGOMdR6frbzWQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: steve4
sAMAccountType: 805306368
userPrincipalName: ste...@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 12969536716000
userAccountControl: 512
gidNumber: 100
unixHomeDirectory: /home/CACTUS/steve4
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: user
uidNumber: 319
uid: steve4
whenChanged: 20111228160534.0Z
uSNChanged: 3815
distinguishedName: CN=steve4,CN=Users,DC=hh3,DC=site

# refldap://hh3.site/CN=Configuration,DC=hh3,DC=site
# refldap://hh3.site/DC=DomainDnsZones,DC=hh3,DC=site
# refldap://hh3.site/DC=ForestDnsZones,DC=hh3,DC=site

But when I try to login from an openSUSE box:

su steve4
su: user steve4 does not exist

and the logs give:

Dec 28 20:20:04 hh3 worker_nscd: nss-ldap: do_open: do_start_tls failed:stat=-1
Dec 28 20:20:04 hh3 worker_nscd: nss-ldap: do_open: do_start_tls failed:stat=-1
Dec 28 20:20:04 hh3 worker_nscd: nss_ldap: could not search LDAP server - Server is unavailable

I have tried with and without tls using the ca.pem and cert.pem provisioned in /usr/local/samba/private/tls (it seems that the certificate's CN does not match the FQDN of the server).

Samba gives me:

ldb_wrap open of secrets.ldb
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

/etc/nsswitch.conf:

passwd: compat
group: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
passwd_compat: ldap

Anyone been this way before?
Thanks
Steve.
Re: [Samba] login via Samba 4 LDAP
On 2011-12-28 20:27, steve wrote:
> Hi
> I've rfc2307'd the Samba 4 LDAP for a user e.g. steve4. I can search the database and view it with phpldapadmin. I can't login from a linux console:
>
> [...]
>
> But when I try to login from an openSUSE box:
>
> su steve4
> su: user steve4 does not exist
>
> and the logs give:
>
> Dec 28 20:20:04 hh3 worker_nscd: nss-ldap: do_open: do_start_tls failed:stat=-1
> Dec 28 20:20:04 hh3 worker_nscd: nss-ldap: do_open: do_start_tls failed:stat=-1
> Dec 28 20:20:04 hh3 worker_nscd: nss_ldap: could not search LDAP server - Server is unavailable
>
> I have tried with and without tls using the ca.pem and cert.pem provisioned in /usr/local/samba/private/tls (it seems that the certificate's CN does not match the FQDN of the server).
>
> [...]
>
> Anyone been this way before?
> Thanks
> Steve.

You should create a user in AD for nss-ldap and extract a keytab for it (samba-tool domain exportkeytab --principal=) and configure nss-ldap to use that keytab for authenticating.
Most probably you aren't allowed to bind anonymously to your AD server (you can try with ldapsearch -x)

Regards
Geza
Re: [Samba] login via Samba 4 LDAP
> You should create a user in AD for nss-ldap and extract a keytab for it (samba-tool domain exportkeytab --principal=) and configure nss-ldap to use that keytab for authenticating. Most probably you aren't allowed to bind anonymously to your AD server (you can try with ldapsearch -x)

LDAP works with an anonymous bind. You need the Kerberos keytab for authentication though.