[Samba] Samba 4 kerberos and kinit

steve

Jan 11, 2012, 5:50:01 PM
Hi
After starting Samba 4, before anyone can do anything, Administrator has
to do a kinit to get a new ticket. This creates a cache /tmp/krb5cc_0
with an expiry time.

I've created a host principal and put it into the keytab:
samba-tool spn add host someuser
samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE

How can I keep Samba 4 up without having to get a new Administrator
ticket every 10 hours?

Thanks,
Steve


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Gémes Géza

Jan 12, 2012, 12:20:02 AM
On 2012-01-11 23:48, steve wrote:
> Hi
> After starting Samba 4, before anyone can do anything, Administrator
> has to do a kinit to get a new ticket. This creates a cache
> /tmp/krb5cc_0 with an expiry time.
>
> I've created a host principal and put it into the keytab:
> samba-tool spn add host someuser
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
>
> How can I keep Samba 4 up without having to get a new Administrator
> ticket every 10 hours?
>
> Thanks,
> Steve
>
>
That looks really strange.

Could you send your smb.conf and the output of ls -R
/path/to/your/samba4/installation (assuming you aren't using some
prepackaged version, but have done a classic configure, make, make install).

I've cc-ed samba-technical.

Regards

Geza

Andrew Bartlett

Jan 12, 2012, 3:00:03 AM
On Thu, 2012-01-12 at 06:15 +0100, Gémes Géza wrote:
> On 2012-01-11 23:48, steve wrote:
> > Hi
> > After starting Samba 4, before anyone can do anything, Administrator
> > has to do a kinit to get a new ticket. This creates a cache
> > /tmp/krb5cc_0 with an expiry time.
> >
> > I've created a host principal and put it into the keytab:
> > samba-tool spn add host someuser
> > samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
> >
> > How can I keep Samba 4 up without having to get a new Administrator
> > ticket every 10 hours?
> >
> > Thanks,
> > Steve
> >
> >
> That looks really strange.

Indeed. Samba does not require a valid ticket in /tmp/krb5cc_0 to
operate. It creates its own internal credentials cache when required,
using the machine account password.

Something else is going on here.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

steve

Jan 12, 2012, 5:00:02 AM
On 12/01/12 06:15, Gémes Géza wrote:
> On 2012-01-11 23:48, steve wrote:
>> Hi
>> After starting Samba 4, before anyone can do anything, Administrator
>> has to do a kinit to get a new ticket. This creates a cache
>> /tmp/krb5cc_0 with an expiry time.
>>
>> I've created a host principal and put it into the keytab:
>> samba-tool spn add host someuser
>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
>>
>> How can I keep Samba 4 up without having to get a new Administrator
>> ticket every 10 hours?
>>
>> Thanks,
>> Steve
>>
>>
> That looks really strange.
>
> Could you send your smb.conf
> an output from ls -R /path/to/your/samba4/installation (assuming you
> aren't using some prepackaged version, but you've done a classic
> configure, make, make install).
>
> I've cc-ed samba-technical.
>
> Regards
>
> Geza
Hi Geza and thanks for the cc to s-technical. I still don't dare join.

I think that this is because I need the cache because I have added
rfc2307 attributes to the Samba4 LDAP and am using nslcd to map users.

cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
server role = domain controller
workgroup = CACTUS
realm = hh3.site
netbios name = HH3
passdb backend = samba4
template shell = /bin/bash

[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[home]
path = /home/CACTUS
read only = No

[profiles]
path = /home/CACTUS/profiles
read only = no


grep -v "#" /etc/nslcd.conf
uid root
gid root
uri ldap://127.0.0.1/
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw 123@Abcd
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
sasl_mech GSSAPI
sasl_realm HH3.SITE

The output of ls -R /usr/local/samba is at:

http://steve-ss.com/ls.txt

Thanks for your time (again)
Steve

steve

Jan 12, 2012, 5:20:02 AM
On 12/01/12 08:49, Andrew Bartlett wrote:
> On Thu, 2012-01-12 at 06:15 +0100, Gémes Géza wrote:
>> On 2012-01-11 23:48, steve wrote:
>>> Hi
>>> After starting Samba 4, before anyone can do anything, Administrator
>>> has to do a kinit to get a new ticket. This creates a cache
>>> /tmp/krb5cc_0 with an expiry time.
>>>
>>> I've created a host principal and put it into the keytab:
>>> samba-tool spn add host someuser
>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
>>>
>>> How can I keep Samba 4 up without having to get a new Administrator
>>> ticket every 10 hours?
>>>
>>> Thanks,
>>> Steve
>>>
>>>
>> That looks really strange.
> Indeed. Samba does not require a valid ticket in /tmp/krb5cc_0 to
> operate. It creates it's own internal credentials cache when required
> using the machine account password.
>
> Something else is going on here.
>
> Andrew Bartlett
>
Hi
Yes, I'm sorry. There is something else. I was trying to keep the post
short.

I've added rfc2307 attributes to the Samba 4 LDAP and am mapping Linux
users using nslcd so that when they log in they are placed in their /home
directory and have the correct uid:gid etc.

grep -v "#" /etc/nslcd.conf
uid root
gid root
uri ldap://127.0.0.1/
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site

bindpw AbcD@123


map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
sasl_mech GSSAPI
sasl_realm HH3.SITE

#krb5_ccname /tmp/krb5cc_0

Without /tmp/krb5cc_0, getent passwd does not work and Linux users are
not mapped to their /home directory, shell etc.

My full method is here:
http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html

You mention that Samba 4 creates its cache as needed. Could you tell me
if that is a file I could access? At the moment, nslcd looks at
/tmp/krb5cc_0 but /etc/nslcd.conf has a configuration option line which
could point to another cache file. I had and still have, that line
commented out to see what the default was.

Thanks so much for your patience.
Steve.

Gémes Géza

Jan 12, 2012, 2:00:02 PM
The problem then is not Samba related at all. Is nslcd the culprit then?

I would suggest a differently configured nslcd then.
First create an account named something like:
accountfornslcdoperationsorsomethingsimilarlyboringnameidontmind ;-)
then extract a keytab for it:
samba-tool domain exportkeytab
--principal=thepreviouslycreatedprincipalwithatterriblyboringname
/path/to/the/keytab/file/to/be/created
Then following some guide like:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
configure nslcd to do kerberized lookup against the Samba4 LDAP service.

Regards

Geza

steve

Jan 12, 2012, 9:10:01 PM
Hi Geza
How about this:

samba-tool user add boring-nslcd-account
samba-tool spn add host boring-nslcd-account
samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE

Then this:

/etc/nslcd.conf

uri ldap://192.168.1.3/
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw BCa@7aBC


map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0

Does that make sense?
Thanks
Steve

steve

Jan 13, 2012, 7:10:01 AM
On 13/01/12 04:37, steve wrote:
> OK
> Disaster. New build from git checkout today.
> klist -k /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 HH3$@HH3.SITE
> 1 HH3$@HH3.SITE
> 1 HH3$@HH3.SITE
> 1 Admini...@HH3.SITE
> 1 Admini...@HH3.SITE
> 1 Admini...@HH3.SITE
> 1 nslcd...@HH3.SITE
> 1 nslcd...@HH3.SITE
> 1 nslcd...@HH3.SITE
> 1 dns...@HH3.SITE
> 1 dns...@HH3.SITE
> 1 dns...@HH3.SITE
> 1 krb...@HH3.SITE
> 1 krb...@HH3.SITE
> 1 krb...@HH3.SITE
> 1 ste...@HH3.SITE
> 1 ste...@HH3.SITE
> 1 ste...@HH3.SITE
> 1 host/HH3....@HH3.SITE
> 1 host/HH3....@HH3.SITE
> 1 host/HH3....@HH3.SITE
>
> getent passwd gives:
>
> Kerberos: TGS-REQ Admini...@HH3.SITE from ipv4:192.168.1.3:45733
> for krbtgt/SI...@HH3.SITE [renewable]
> Failed find a single entry for
> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))):
> got 0
> Kerberos: samba_kdc_fetch: could not find principal in DB
> Kerberos: Server not found in database: krbtgt/SI...@HH3.SITE: no such
> entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:45733
>
> The krbtgt/SI...@HH3.SITE looks bad.
>
> /var/log/messages gives:
>
> Jan 13 04:29:22 hh3 nslcd[4606]: [8b4567] failed to bind to LDAP
> server ldap://127.0.0.1/: Can't contact LDAP server: Transport
> endpoint is not connected
> Jan 13 04:29:22 hh3 nslcd[4606]: [8b4567] no available LDAP server found
> Jan 13 04:30:45 hh3 nslcd[4606]: GSSAPI Error: Unspecified GSS
> failure. Minor code may provide more information (Server not found in
> Kerberos database)
> Jan 13 04:30:45 hh3 nslcd[4606]: [7b23c6] failed to bind to LDAP
> server ldap://127.0.0.1/: Local error
> Jan 13 04:30:45 hh3 nslcd[4606]: [7b23c6] no available LDAP server found
>
> Any ideas here? Where can I start to look? Thanks for your patience.
> Steve
OK
Getting somewhere. I've got rid of the Kerberos: Server not found in
database: krbtgt/SI...@HH3.SITE error.

Now samba 4 is giving me this:

ldb_wrap open of secrets.ldb
Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]

and /var/log/messages this:

Jan 13 12:19:39 hh3 nslcd[3465]: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Credentials cache permissions
incorrect)
Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] failed to bind to LDAP server
ldap://localhost: Local error
Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] no available LDAP server found

Finally got the new git working. Something must have changed since the
last checkout I used because I had to comment out the:

sasl_mech GSSAPI

in /etc/nslcd.conf

I now have this:
grep -v "#" /etc/nslcd.conf

uid nslcd-user
gid nslcd-user
uri ldap://localhost
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw 12345678
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName

#sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

I have made a linux user and group called nslcd-user to run nslcd. I
have also made a samba 4 user called nslcd-user and made a host
principal with him and exported that to the keytab. However, I'm back at
the same problem. How do I give the nslcd-user a ticket that nslcd can
use? I can use kinit and get a ticket cache for nslcd-user, but it only
lasts for 10 hours. In the docs you referenced, the guy says:

'I have setup a real user that the daemon will run as, and have given
that user a valid kerberos tgt' and gives this line in /etc/nslcd.conf

krb5_ccname /var/run/nslcd/nslcd.tkt

How has the guy 'given that user a valid kerberos tgt'?

IOW, how do _I_ on openSUSE 12.1 get that magic nslcd.tkt file to put in
/var/run/nslcd ?????

It's been a long night!
Cheers

steve

Jan 13, 2012, 7:50:02 AM

> 'I have setup a real user that the daemon will run as, and have given
> that user a valid kerberos tgt' and gives this line in /etc/nslcd.conf
>
> krb5_ccname /var/run/nslcd/nslcd.tkt
>
> How has the guy 'given that user a valid kerberos tgt'?
>
> IOW, how do _I_ on openSUSE 12.1 get that magic nslcd.tkt file to put
> in /var/run/nslcd ?????
>
> Its been a long night!
> Cheers
> Steve

It's to do with the host principal no?

I need to do the equivalent of this:
kadmin add -r host/machine.sample.com

How do I specify the 'r' option with samba-tool??

So that translates to:
<spn host user stuff>
samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/REALM
Where do I put the r ???!!

Thanks,

Gémes Géza

Jan 13, 2012, 1:30:02 PM
On 2012-01-13 13:45, steve wrote:
>
>> 'I have setup a real user that the daemon will run as, and have given
>> that user a valid kerberos tgt' and gives this line in /etc/nslcd.conf
>>
>> krb5_ccname /var/run/nslcd/nslcd.tkt
>>
>> How has the guy 'given that user a valid kerberos tgt'?
>>
>> IOW, how do _I_ on openSUSE 12.1 get that magic nslcd.tkt file to put
>> in /var/run/nslcd ?????
>>
>> Its been a long night!
>> Cheers
>> Steve
>
> It's to do with the host principal no?
>
> I need to do the equivalent of this:
> kadmin add -r host/machine.sample.com
>
> How do I specify the 'r' option with samba-tool??
>
> So that translates to:
> <spn host user stuff>
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/REALM
> Where do I put the r ???!!
>
> Thanks,
> Steve
>
>
It doesn't need to have anything to do with the host principal. You
could have a very unique nslcd service account. On the other hand I
suggest to export each principal to its own keytab instead of dumping
all to /etc/krb5.keytab if needed they can be "copied" together with ktutil.
Another suggestion: as uri specify the fqdn of the Samba4 server instead
of its ip address, as it makes harder (it needs to do reverse name
lookup) for kerberos to find which account it needs to get the ticket for.
You should copy/move the resulting keytab wherever you wish, just make
sure you specify the exact same path in nslcd.conf (or equivalent)

Regards

Geza

steve

Jan 13, 2012, 5:10:01 PM
On 13/01/12 19:22, Gémes Géza wrote:
> On 2012-01-13 13:45, steve wrote:
>>> 'I have setup a real user that the daemon will run as, and have given
>>> that user a valid kerberos tgt' and gives this line in /etc/nslcd.conf
>>>
>>> krb5_ccname /var/run/nslcd/nslcd.tkt
>>>
>>> How has the guy 'given that user a valid kerberos tgt'?
>>>
>>> IOW, how do _I_ on openSUSE 12.1 get that magic nslcd.tkt file to put
>>> in /var/run/nslcd ?????
>>>
>>> Its been a long night!
>>> Cheers
>>> Steve
>> It's to do with the host principal no?
>>
>> I need to do the equivalent of this:
>> kadmin add -r host/machine.sample.com
>>
>> How do I specify the 'r' option with samba-tool??
>>
>> So that translates to:
>> <spn host user stuff>
>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/REALM
>> Where do I put the r ???!!
>>
>> Thanks,
>> Steve
>>
>>
> It doesn't need to have anything to do with the host principal. You
> could have a very unique nslcd service account.
Yes. I have that account: nslcd-user. I can create a keytab for
nslcd-user. let's say nslcd-user.keytab. Now, what is the syntax of the
line to add to nslcd.conf? There seems to be no way to specify that.
> On the other hand I
> suggest to export each principal to its own keytab instead of dumping
> all to /etc/krb5.keytab if needed they can be "copied" together with ktutil.
> Another suggestion: as uri specify the fqdn of the Samba4 server instead
> of its ip address, as it makes harder (it needs to do reverse name
> lookup) for kerberos to find which account it needs to get the ticket for.
OK. If I have understood this correctly, for me my server, ip=
192.168.1.3 has fqdn hh3.site so I should specify
uri hh3.site rather than uri 127.0.0.1 or 192.168.1.3 no?
> You should copy/move the resulting keytab wherever you wish, just make
> sure you specify the exact same path in nslcd.conf (or equivalent)
That's what I don't know how to do!
Cheers,
Steve

Michael Wood

Jan 13, 2012, 5:40:02 PM
On 14 January 2012 00:01, steve <st...@steve-ss.com> wrote:
> On 13/01/12 19:22, Gémes Géza wrote:
[...]
>> It doesn't need to have anything to do with the host principal. You
>> could have a very unique nslcd service account.
>
> Yes. I have that account: nslcd-user. I can create a keytab for nslcd-user.
> let's say nslcd-user.keytab. Now, what is the syntax of the line to add to
> nslcd.conf? There seems to be no way to specify that.

Does this not work, as per the link that Géza pointed you to earlier
in this thread?

krb5_ccname /var/run/nslcd/nslcd.tkt

--
Michael Wood <esio...@gmail.com>

Michael Wood

Jan 13, 2012, 5:50:02 PM
On 13 January 2012 14:00, steve <st...@steve-ss.com> wrote:
[...]
> OK
> Getting somewhere. I've got rid of the Kerberos: Server not found in
> database: krbtgt/SI...@HH3.SITE error.
>
> Now samba 4 is giving me this:
>
> ldb_wrap open of secrets.ldb
> Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED]
>
> and /var/log/messages this:
>
> Jan 13 12:19:39 hh3 nslcd[3465]: GSSAPI Error: Unspecified GSS failure.
>  Minor code may provide more information (Credentials cache permissions
> incorrect)

What are the permissions on /usr/local/samba, /usr/local/samba/private
and /usr/local/samba/private/secrets.tdb? And also your keytab and
the directory it's in.

> Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] failed to bind to LDAP server
> ldap://localhost: Local error
> Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] no available LDAP server found
>
> Finally got the new git working. Something must have changed since the last
> checkout I used because I had to comment out the:
>
> sasl_mech GSSAPI
>
> in /etc/nslcd.conf

This is probably related to the above error. i.e. it's refusing to
use GSSAPI because you have bad permissions somewhere.

--
Michael Wood <esio...@gmail.com>

Michael Wood

Jan 13, 2012, 9:20:01 PM
On 14 January 2012 01:28, steve <st...@steve-ss.com> wrote:
> On 13/01/12 23:36, Michael Wood wrote:
>>
>> On 14 January 2012 00:01, steve<st...@steve-ss.com>  wrote:
>>>
>>> On 13/01/12 19:22, Gémes Géza wrote:
>>
>> [...]
>>>>
>>>> It doesn't need to have anything to do with the host principal. You
>>>> could have a very unique nslcd service account.
>>>
>>> Yes. I have that account: nslcd-user. I can create a keytab for
>>> nslcd-user.
>>> let's say nslcd-user.keytab. Now, what is the syntax of the line to add to
>>> nslcd.conf? There seems to be no way to specify that.
>>
>> Does this not work, as per the link that Géza pointed you to earlier
>> in this thread?
>>
>> krb5_ccname /var/run/nslcd/nslcd.tkt
>>
> No, 'fraid not. The only stuff in /var/run/nslcd are:
> nslcd.pid  socket
> I've commented out the line and it still works without having a cache. I'd
> still like to work it out though.

No, you misunderstand. You create the keytab (e.g. to
/var/run/nslcd/nslcd.tkt) and then tell nslcd where it is by using the
krb5_ccname option.

I don't know a huge amount about Kerberos, so I don't know what the
difference is between a ticket/credentials cache and a keytab file.
"ccname" == "credentials cache name"

Hope the above helps :)

Michael Wood

Jan 13, 2012, 9:30:02 PM
On 14 January 2012 01:24, steve <st...@steve-ss.com> wrote:
> On 13/01/12 23:46, Michael Wood wrote:
>>
>> On 13 January 2012 14:00, steve<st...@steve-ss.com>  wrote:
>> [...]
>>>
>>> OK
>>> Getting somewhere. I've got rid of the Kerberos: Server not found in
>>> database: krbtgt/SI...@HH3.SITE error.
>>>
>>> Now samba 4 is giving me this:
>>>
>>> ldb_wrap open of secrets.ldb
>>> Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv()
>>> -
>>> NT_STATUS_CONNECTION_DISCONNECTED'
>>> single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv()
>>> -
>>> NT_STATUS_CONNECTION_DISCONNECTED]
>>>
>>> and /var/log/messages this:
>>>
>>> Jan 13 12:19:39 hh3 nslcd[3465]: GSSAPI Error: Unspecified GSS failure.
>>>  Minor code may provide more information (Credentials cache permissions
>>> incorrect)
>>
>> What are the permissions on /usr/local/samba,
>
> drwxr-xr-x 11 root root 4096 Jan 13 04:48 samba
> drwxr-xr-x  9 root root 4096 Jan 14 00:19 private

OK, although private could probably be a bit tighter.

>>  /usr/local/samba/private
>
>
>> and /usr/local/samba/private/secrets.tdb?
>
> -rw-------  1 root root  1286144 Jan 13 04:51 secrets.ldb

Fine.

>>  And also your keytab and
>> the directory it's in.
>
> drwxr-xr-x 118 root root  12288 Jan 13 23:55 etc
> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab

That's fine, but is that what nslcd is using?

>>> Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] failed to bind to LDAP server
>>> ldap://localhost: Local error
>>> Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] no available LDAP server found
>>>
>>> Finally got the new git working. Something must have changed since the
>>> last
>>> checkout I used because I had to comment out the:
>>>
>>> sasl_mech GSSAPI
>>>
>>> in /etc/nslcd.conf
>>
>> This is probably related to the above error.  i.e. it's refusing to
>> use GSSAPI because you have bad permissions somewhere.
>>
> The perms are above, but it makes me none the wiser. Any ideas what these
> permissions should be? What am I losing bu not using GSSAPI ?
> Thanks
> Steve

Michael Wood

Jan 15, 2012, 10:10:01 AM
On 14 January 2012 12:52, steve <st...@steve-ss.com> wrote:
> On 14/01/12 03:19, Michael Wood wrote:
>>
>> On 14 January 2012 01:24, steve<st...@steve-ss.com>  wrote:
[...]
>>> drwxr-xr-x 118 root root  12288 Jan 13 23:55 etc
>>> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>
>> That's fine, but is that what nslcd is using?
>
> Ah. Well spotted! The nslcd docs recommend you run it as a separate user,
> so I created a user and group for nslcd and specified them in nslcd.conf.
> nslcd is running as nslcd:nslcd So nslcd can't get inside the keytab. Is
> that correct? (can't test it as am not by the DC at the moment)

Sounds likely.

So you probably need to export a keytab for your nslcd principal to a
new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd
has permission to read it. No other user should have read access.

steve

Jan 15, 2012, 11:40:02 AM
On 01/15/2012 04:04 PM, Michael Wood wrote:
> On 14 January 2012 12:52, steve<st...@steve-ss.com> wrote:
>> On 14/01/12 03:19, Michael Wood wrote:
>>> On 14 January 2012 01:24, steve<st...@steve-ss.com> wrote:
> [...]
>>>> drwxr-xr-x 118 root root 12288 Jan 13 23:55 etc
>>>> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>> That's fine, but is that what nslcd is using?
>> Ah. Well spotted! The nslcd docs recommend you run it as a separate user,
>> so I created a user and group for nslcd and specified them in nslcd.conf.
>> nslcd is running as nslcd:nslcd So nslcd can't get inside the keytab. Is
>> that correct? (can't test it as am not by the DC at the moment)
> Sounds likely.
>
> So you probably need to export a keytab for your nslcd principal to a
> new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd
> has permission to read it. No other user should have read access.
>
The problem is that I can't have a principal for nslcd. IOW I can't do this:
samba-tool spn add nslcd some-user

I could do this
samba-tool spn add host someuser
but already have a host principal added to the main keytab.

I keep coming back to this. I can have a principal for host and I can
have a principal for nfs but I can't have a principal for nslcd. Even
though /etc/nslcd.conf allows me to add a kerberos realm, is that good
enough?

Anyway, I've a 10 hour experiment in progress as on the other thread.
Fingers crossed!
Thanks,
Steve

Michael Wood

Jan 15, 2012, 4:30:01 PM
Sorry, forgot to copy the list.

On 15 January 2012 18:32, steve <st...@steve-ss.com> wrote:
> On 01/15/2012 04:04 PM, Michael Wood wrote:
>>
>> On 14 January 2012 12:52, steve<st...@steve-ss.com>  wrote:
>>>
>>> On 14/01/12 03:19, Michael Wood wrote:
>>>>
>>>> On 14 January 2012 01:24, steve<st...@steve-ss.com>    wrote:
>>
>> [...]
>>>>>
>>>>> drwxr-xr-x 118 root root  12288 Jan 13 23:55 etc
>>>>> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>>>
>>>> That's fine, but is that what nslcd is using?
>>>
>>> Ah. Well spotted! The nslcd docs recommend you run it as a separate
>>> user,
>>> so I created a user and group for nslcd and specified them in nslcd.conf.
>>> nslcd is running as nslcd:nslcd So nslcd can't get inside the keytab. Is
>>> that correct? (can't test it as am not by the DC at the moment)
>>
>> Sounds likely.
>>
>> So you probably need to export a keytab for your nslcd principal to a
>> new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd
>> has permission to read it.  No other user should have read access.
>>
> The problem is that I can't have a principal for nslcd. IOW I can't do this:
> samba-tool spn add nslcd some-user

I must admit that I don't know why you can't do something like this:

# samba-tool user create nslcd-user --random-password
User 'nslcd-user' created successfully
# samba-tool spn add nslcd/hh3.hh3.site nslcd-user
# samba-tool spn list nslcd-user
nslcd-user
User CN=nslcd-user,CN=Users,DC=hh3,DC=site has the following
servicePrincipalName:
nslcd/hh3.hh3.site
# samba-tool domain exportkeytab --principal=nslcd/hh3.hh3.site nslcd.keytab
# ls -l nslcd.keytab
-rw------- 1 root root 253 2012-01-15 23:10 nslcd.keytab

If that works, try getting nslcd to use it.

> I could do this
>
> samba-tool spn add host someuser
> but already have a host principal added to the main keytab.
>
> I keep coming back to this. I can have a principal for host and I can have a
> principal for nfs but I can't have a principal for nslcd. Even though

If you can do it for NFS, why not for nslcd?

> /etc/nslcd.conf allows me to add a kerberos realm, is that good enough?

Well, either it will need to have the password hard coded in the
config file like you have it at the moment, I believe, or it will need
a ticket to access the directory.

> Anyway, I've a 10 hour experiment in progress as on the other thread.
> Fingers crossed!

--
Michael Wood <esio...@gmail.com>
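
The two things this thread keeps circling, an nslcd.conf that binds as Administrator with a hard-coded password and leans on an expiring /tmp/krb5cc_0, and a root-owned 0600 keytab that an unprivileged nslcd cannot read, as an added checker (example code, not part of the thread, nss-pam-ldapd or Samba). The sample configs are constructed from the ones posted above; the FQDN hh3.hh3.site, the cache path /var/run/nslcd/nslcd.tkt and uid/gid 1001 are assumptions.

```python
"""Added example for this thread (not nss-pam-ldapd or Samba code): lint nslcd.conf, check keytab access."""
import ipaddress
import stat

# Constructed from the nslcd.conf posted in the thread; the password is a placeholder.
WEAK_CONF = """\
uid root
gid root
uri ldap://127.0.0.1/
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw PLACEHOLDER-PASSWORD
sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0
"""

# Constructed hardened counterpart (FQDN and cache path are assumptions): own uid, no
# password, a daemon-owned cache refreshed by a periodic kinit -k -t <keytab> <principal>.
HARDENED_CONF = """\
uid nslcd
gid nslcd
uri ldap://hh3.hh3.site/
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /var/run/nslcd/nslcd.tkt
"""

def parse_nslcd_conf(text):
    """Return (key, value) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries

def _values(entries, key):
    return [v for k, v in entries if k == key]

def _uri_host_is_address(uri):
    """True for ldap://127.0.0.1/, ldap://localhost or ldap://[::1]:389/, False for an FQDN."""
    host = uri.split("://", 1)[-1].split("/", 1)[0]
    host = host[1:].split("]", 1)[0] if host.startswith("[") else host.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return True

def check_nslcd_conf(text):
    """Return (code, message) findings; an empty list means the config is clean."""
    e, f = parse_nslcd_conf(text), []
    if set(_values(e, "uid")) & {"root", "0"}:
        f.append(("runs-as-root", "nslcd runs as root; give it its own unprivileged uid/gid"))
    for uri in _values(e, "uri"):
        if _uri_host_is_address(uri):
            f.append(("uri-not-fqdn", uri + " names the DC by address, not FQDN (forces a reverse lookup)"))
    if any("cn=administrator" in dn.lower() for dn in _values(e, "binddn")):
        f.append(("binddn-admin", "binddn is the domain Administrator; use a dedicated account"))
    if _values(e, "bindpw"):
        f.append(("plaintext-bindpw", "bindpw keeps a password in the config; use GSSAPI + keytab"))
    ccnames = _values(e, "krb5_ccname")
    if "GSSAPI" in {m.upper() for m in _values(e, "sasl_mech")} and not ccnames:
        f.append(("no-ccname", "GSSAPI without krb5_ccname: default cache (here an expiring kinit ticket)"))
    for cc in ccnames:
        if cc.split(":", 1)[-1].startswith("/tmp/krb5cc_"):
            f.append(("tmp-ccname", cc + " is a login cache that expires; use a daemon-owned one"))
    return f

def check_keytab_access(owner_uid, owner_gid, mode, daemon_uid, daemon_gid, path="keytab"):
    """Findings for a keytab the daemon must read and nobody else should. Takes stat
    fields as numbers: in the thread /etc/krb5.keytab was root:root 0600, nslcd not root."""
    f = []
    if owner_uid == daemon_uid:
        readable = bool(mode & stat.S_IRUSR)
    elif owner_gid == daemon_gid:
        readable = bool(mode & stat.S_IRGRP)
    else:
        readable = bool(mode & stat.S_IROTH)
    if not readable and daemon_uid != 0:
        f.append(("keytab-unreadable", "%s is uid %d mode %04o; daemon uid %d cannot read it"
                  % (path, owner_uid, mode, daemon_uid)))
    if mode & stat.S_IROTH:
        f.append(("keytab-world-readable", "%s mode %04o is readable by every local user"
                  % (path, mode)))
    elif mode & stat.S_IRGRP and owner_gid != daemon_gid:
        f.append(("keytab-group-readable", "%s is readable by gid %d, not the daemon's group"
                  % (path, owner_gid)))
    return f
```

check_keytab_access(0, 0, 0o600, 1001, 1001, "/etc/krb5.keytab") reproduces the "Credentials cache permissions incorrect" situation above as a single keytab-unreadable finding; feed it os.stat() fields of a real keytab to check a live box.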

steve

Jan 15, 2012, 6:00:01 PM
On 01/15/2012 10:23 PM, Michael Wood wrote:
> On 15 January 2012 18:32, steve<st...@steve-ss.com> wrote:
>> On 01/15/2012 04:04 PM, Michael Wood wrote:
>>> On 14 January 2012 12:52, steve<st...@steve-ss.com> wrote:
>>>> On 14/01/12 03:19, Michael Wood wrote:
>>>>> On 14 January 2012 01:24, steve<st...@steve-ss.com> wrote:
>>> [...]
>>>>>> drwxr-xr-x 118 root root 12288 Jan 13 23:55 etc
>>>>>> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>>>> That's fine, but is that what nslcd is using?
>>>> Ah. Well spotted! The nslcd docs recommends you run it as a separate
>>>> user,
>>>> so I created a user and group for nslcd and specified them in nslcd.conf.
>>>> nslcd is running as nslcd:nslcd So nslcd can't get inside the keytab. Is
>>>> that correct? (can't test it as am not by the DC at the moment)
>>> Sounds likely.
>>>
>>> So you probably need to export a keytab for your nslcd principal to a
>>> new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd
>>> has permission to read it. No other user should have read access.
>>>
>> The problem is that I can't have a principal for nslcd. IOW I can't do this:
>> samba-tool spn add nslcd some-user
> I must admit that I don't know why you can't do something like this:
>
> # samba-tool user create nslcd-user --random-password
> User 'nslcd-user' created successfully
> # samba-tool spn add nslcd/hh3.hh3.site nslcd-user
> # samba-tool spn list nslcd-user
> nslcd-user
> User CN=nslcd-user,CN=Users,DC=hh3,DC=site has the following
> servicePrincipalName:
> nslcd/hh3.hh3.site
> # samba-tool domain exportkeytab --principal=nslcd/hh3.hh3.site nslcd.keytab
> # ls -l nslcd.keytab
> -rw------- 1 root root 253 2012-01-15 23:10 nslcd.keytab
>
> If that works, try getting nslcd to use it.
>
>
Hi Michael. The problem is this:

root@hh3:/home/steve# samba-tool user add nslcd-user
New Password:
User 'nslcd-user' created successfully
root@hh3:/home/steve# samba-tool spn add nslcd nslcd-user
root@hh3:/home/steve# samba-tool domain exportkeytab nslcd.keytab
--principal=nslcd/HH3.SITE
ERROR(runtime): uncaught exception - Key table entry not found
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 167, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
line 88, in run
net.export_keytab(keytab=keytab, principal=principal)

root@hh3:/home/steve# samba-tool domain exportkeytab
--principal=nslcd/hh3.hh3.site nslcd.keytab
ERROR(runtime): uncaught exception - Key table entry not found
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 167, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
line 88, in run
net.export_keytab(keytab=keytab, principal=principal)

And finally, just for good measure:
root@hh3:/home/steve# samba-tool domain exportkeytab
--principal=nslcd/HH3.SITE nslcd.keytab
ERROR(runtime): uncaught exception - Key table entry not found
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 167, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
line 88, in run
net.export_keytab(keytab=keytab, principal=principal)

i.e., unlike host and nfs, nslcd cannot be made into a principal to
put in a keytab. Do you think that the host principal will take care of
this even though it is in root:root /etc/krb5.keytab and nslcd is
running as nslcd-user?

Anyway, just 4 hours to go to see if the world collapses when steve2's
ticket expires. Meanwhile, he's been creating and editing files on both
win 7 and Linux clients without once being asked for a password. As you
say, fingers crossed. Do I win 10 €uros!
Cheers,

steve

Jan 16, 2012, 3:20:01 PM
(apology. forgot to send only to list)
On 01/16/2012 07:18 PM, steve wrote:
>
>> Well, either it will need to have the password hard coded in the
>> config file like you have it at the moment, I believe, or it will need
>> a ticket to access the directory.
>>
>>> Anyway, I've a 10 hour experiment in progress as on the other thread.
>>> Fingers crossed!
> Well, 24 hours later and nslcd is still running and still mapping uid
> and gid's from LDAP both over the nfs4 network and on the Samba 4
> server itself. The /tmp/krbcc_0 ticket cache for steve2 got destroyed
> at some stage but steve2 can still logon OK without doing a kinit. He
> does of course have to give his password to logon, but not to access
> anything else e.g his roaming profile on an nfs share. One annoying
> thing is that on a Linux client, xscreensaver will not deactivate
> using steve2's kerberos password. He's locked out.
>
> Cheers
> Steve

fe...@epepm.cupet.cu

Jan 16, 2012, 3:20:02 PM

> ERROR(runtime): uncaught exception - Key table entry not found
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 167, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
> line 88, in run

I don't know if the issue I had is related in some way to yours, but I got
a similar error (above) when using samba-tool dns; it worked when I used
the IP of the samba server.

Best regards,
Felix.