
[Samba] Samba 4 and GSSAPI kerberos ldap connect


steve
Jan 17, 2012, 10:20:01 AM

Hi everyone

I'm trying to use kerberos to authenticate to Samba 4 ldap. At the
moment, I authenticate by specifying the binddn and password in
/etc/nslcd.conf and all works fine

If I add the line:
sasl_mech GSSAPI
to /etc/nslcd.conf
and restart nslcd, no one can connect to the database. Nothing works.
ldapsearch and getent passwd draw a blank.

ldapsearch -x -b '' -sbase supportedSASLMechanisms

gives me:

dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM

but ldapsearch -Y GSSAPI gives:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Server not found in Kerberos database)

and Samba gives:
Kerberos: TGS-REQ Admini...@HH3.SITE from ipv4:192.168.1.3:56859 for
ldap/hh3....@HH3.SITE [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server
ldap/hh3....@HH3.SITE that was not found
Failed find a single entry for
(&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SI...@HH3.SITE: no such
entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:56859

I've tried making an ldap principal but samba-tool spn doesn't let me add
an ldap principal.
Any ideas anyone?

Thanks,
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Gémes Géza
Jan 17, 2012, 3:50:02 PM

Hi,

See comments inline:
> Hi everyone
>
> I'm trying to use kerberos to authenticate to Samba 4 ldap. At the
> moment, I authenticate by specifying the binddn and password in
> /etc/nslcd.conf and all works fine
>
> If I add the line:
> sasl_mech GSSAPI
That should suffice, but please note that nslcd should also have access
to some kind of keytab, to authenticate itself.
This is done on Debian/Ubuntu via /etc/default/nslcd.conf (mine looks
like this):

# Defaults for nslcd init script

# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
K5START_START="yes"

# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host/$(hostname -f)"

And you must have k5start installed (it is a wrapper which keeps fresh
tickets for long running services).
> to /etc/nslcd.conf
> and restart nslcd, no one can connect to the database. Nothing works.
> ldapsearch and getent passwd draw a blank.
>
> ldapsearch -x -b '' -sbase supportedSASLMechanisms
>
> gives me:
>
> dn:
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: NTLM
>
> but ldapsearch -Y GSSAPI gives:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Server not found in Kerberos database)
>
Before you can do a SASL/GSSAPI-based ldap operation you must have
valid kerberos tickets (so do a kinit first)!
> and Samba gives:
> Kerberos: TGS-REQ Admini...@HH3.SITE from ipv4:192.168.1.3:56859
> for ldap/hh3....@HH3.SITE [canonicalize, renewable]
> Kerberos: Searching referral for hh3.site
> Kerberos: Returning a referral to realm SITE for server
> ldap/hh3....@HH3.SITE that was not found
> Failed find a single entry for
> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))):
> got 0
> Kerberos: samba_kdc_fetch: could not find principal in DB
> Kerberos: Server not found in database: krbtgt/SI...@HH3.SITE: no such
> entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:56859
>
> I've tried making a ldap principal but samba-tool spn doesn't let me
> add an ldap principal.
> Any ideas anyone?
>
> Thanks,
> Steve
Regards

Geza

steve
Jan 18, 2012, 6:20:01 AM

Hi Geza

OK. Now on Ubuntu. I have k5init installed and have made a host principal:

klist -k /etc/host.keytab
Keytab name: WRFILE:/etc/host.keytab
KVNO Principal
----
--------------------------------------------------------------------------
1 host/HH3....@HH3.SITE
1 host/HH3....@HH3.SITE
1 host/HH3....@HH3.SITE

Just to be sure I have:
ls -la /etc/host.keytab
-rw-rw-rw- 1 root root 193 2012-01-18 11:34 /etc/host.keytab

cat /etc/default/nslcd
# Defaults for nslcd init script

# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
K5START_START="yes"

# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/host.keytab
K5START_CCREFRESH=60
#K5START_PRINCIPAL="host/$(hostname -f)"
K5START_PRINCIPAL="host/HH3.SITE -f"

I did kinit Administrator and have a cache in /tmp/krbcc_0

cat /etc/nslcd.conf
uid nslcd
gid nslcd

uri ldap://127.0.0.1

base dc=hh3,dc=site

binddn cn=Administrator,cn=Users,dc=hh3,dc=site

map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName

sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

But:

service nslcd restart
* Restarting LDAP connection daemon
nslcd [ OK ]
* Stopping Keep alive Kerberos ticket
k5start No process in pidfile
'/var/run/nslcd/k5start_nslcd.pid' found running; none killed.
[ OK ]
* Starting Keep alive Kerberos ticket
k5start k5start: error getting
credentials: Client not found in Kerberos database
[fail]
[ OK ]

and Samba gives:
Kerberos: AS-REQ host/HH3....@HH3.SITE from ipv4:192.168.1.3:38618 for
krbtgt/HH3....@HH3.SITE
Kerberos: UNKNOWN -- host/HH3....@HH3.SITE: no such entry found in hdb

Why isn't the host principal being found?

Ahhgg!!
Where to start?
Any ideas?
Cheers,
Steve

Gémes Géza
Jan 18, 2012, 4:00:02 PM

Hi,

First of all, /etc/host.keytab shouldn't be writable. But that is a
different story.
On the other hand, kerberos could get confused by having a host principal
for the realm name (I've seen your realm is named HH3.SITE and your host
principal is host/HH3.SITE). I would create a special
nslcd-domain-account and extract the keytab for it, and use that
account+keytab. Or if you prefer, create a host account for each host you
have and extract a keytab for each of them. The example I've sent you
uses the second method ($(hostname -f) returns the fqdn if it is set in
/etc/hostname; a common mistake is to have just the first part set in
that file).
Other possible error sources could be:
K5START_PRINCIPAL="host/HH3.SITE -f" <- You definitely don't need a -f
there!
I wouldn't use a binddn with a sasl bind.

Regards

Geza

steve
Jan 19, 2012, 5:40:01 AM

Progress:
klist -k /etc/krb5.keytab | grep host-account
1 host-a...@HH3.SITE
1 host-a...@HH3.SITE
1 host-a...@HH3.SITE

cat /etc/default/nslcd
K5START_START="yes"
# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host-a...@HH3.SITE"

service nslcd restart
Kerberos: AS-REQ host-a...@HH3.SITE from ipv4:192.168.1.3:49240 for
krbtgt/HH3....@HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- host-a...@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- host-a...@HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
host-a...@HH3.SITE
Kerberos: AS-REQ host-a...@HH3.SITE from ipv4:192.168.1.3:35595 for
krbtgt/HH3....@HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- host-a...@HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- host-a...@HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- host-a...@HH3.SITE
using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-01-19T11:19:01 starttime: unset endtime:
2012-01-19T21:19:01 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok

service nslcd restart
* Restarting LDAP connection daemon
nslcd [ OK ]
* Stopping Keep alive Kerberos ticket
k5start [ OK ]
* Starting Keep alive Kerberos ticket
k5start [ OK ]

getent passwd
syslog gives:
Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] failed to bind to LDAP server
ldap://hh3.hh3.site: Unknown authentication method: Operation now in
progress
Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] no available LDAP server found
samba gives:
ldb_wrap open of secrets.ldb
Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

The only way I can bind is by removing the sasl_mech GSSAPI and giving
the binddn and bindpw in /etc/nslcd.conf

So I'm stuck with 'Unknown authentication method'. Are we sure that
nslcd can bind using Kerberos?

Thanks for your patience,
Steve

Gémes Géza
Jan 19, 2012, 12:40:03 PM

Hi,

Even if you are scared to death of samba-technical, I'm posting it there
as well; maybe someone can answer the questions which arose when I tried
to check out your use case.
So I've tried first:
# ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI

gives:
SASL/GSSAPI authentication started
SASL username: Admini...@KZSDABAS.HU
SASL SSF: 56
SASL data security layer installed.
No such object (32)
Additional information: empty base DN at
../source4/dsdb/samdb/ldb_modules/partition.c:617

and

# ldapwhoami -H ldap://samba4.kzsdabas.hu -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: Admini...@KZSDABAS.HU
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not
supported
Result: Protocol error (2)
Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported

So the question is: does the Samba4 LDAP server support SASL/GSSAPI-based
binding?

Cheers

Geza

steve
Jan 19, 2012, 1:00:01 PM

Thanks Geza. You're a star.

Meanwhile, back with openSUSE some more progress:

Here is the original error:

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-a...@HH3.SITE from ipv4:192.168.1.3:56661 for
ldap/hh3....@HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-19T18:28:38 starttime:
2012-01-19T18:34:01 endtime: 2012-01-20T04:28:38 renew till:
2012-01-20T18:28:32
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
text): Decrypt integrity check failed

So I extracted a keytab for ldap:

samba-tool spn add ldap/hh3.site host-account
samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
klist -k /etc/ldap.keytab
Keytab name: WRFILE:/etc/ldap.keytab
KVNO Principal
----
--------------------------------------------------------------------------
1 ldap/hh3....@HH3.SITE
1 ldap/hh3....@HH3.SITE
1 ldap/hh3....@HH3.SITE

NOW the error has changed:
getent passwd gives:

ldb_wrap open of secrets.ldb
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
text): Decrypt integrity check failed

host-account has done a kinit and there is a cache in /tmp/krb5cc_0
/etc/nslcd.conf contains:
sasl_mech GSSAPI
#sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

I feel that this is soooo close now!
Cheers
Steve

steve
Jan 19, 2012, 1:20:02 PM

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#badpass

I'm working as client and host on the same box here. Could this be the
cause of the
Decrypt integrity check failed
??

steve
Jan 19, 2012, 2:10:02 PM

On 19/01/12 19:11, steve wrote:
> http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#badpass
>
> I'm working as client and host on the same box here. Could this be the
> cause of the
> Decrypt integrity check failed
> ??
>
> Cheers
> Steve
Just to confirm:

samba-tool spn delete host
samba-tool spn add ldap/hh3.site host-account
samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site

kinit host-account
chmod 0644 /tmp/krb500_0

rcnslcd restart

samba gives:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-a...@HH3.SITE from ipv4:192.168.1.3:37883 for
ldap/hh3....@HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-19T19:49:59 starttime:
2012-01-19T19:51:33 endtime: 2012-01-20T05:49:59 renew till:
2012-01-20T19:49:55
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
text): Decrypt integrity check failed
Terminating connection - 'ldapsrv_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

The key in the keytab is not the same as the key in the KDC
Why???

If we can answer that, we're there.
Cheers,

Andrew Bartlett
Jan 20, 2012, 12:10:02 AM

The issue appears to be related to there being no 'base dn'
specified. Try with -b 'dc=samba4,dc=kzsdabas,dc=hu'.

This behaviour may not match Windows - if you can test against that,
please let us know the difference and we can sort it out. Base DN
specification and defaults changed mid last year.

> and
>
> # ldapwhoami -H ldap://samba4.kzsdabas.hu -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: Admini...@KZSDABAS.HU
> SASL SSF: 56
> SASL data security layer installed.
> ldap_parse_result: Protocol error (2)
> additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not
> supported
> Result: Protocol error (2)
> Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
>
> So the question is does the Samba4 LDAP server support SASL/GSSAPI based
> binding?

We support SASL/GSSAPI. We do not (patches very welcome) currently
support the extended operation ldapwhoami uses.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Gémes Géza
Jan 20, 2012, 12:50:01 AM

Thanks!

Specifying the base dn was the problem, but that still doesn't explain
the original problem (although it suggests that the problem lies with
nslcd itself).

>> and
>>
>> # ldapwhoami -H ldap://samba4.kzsdabas.hu -Y GSSAPI
>> SASL/GSSAPI authentication started
>> SASL username: Admini...@KZSDABAS.HU
>> SASL SSF: 56
>> SASL data security layer installed.
>> ldap_parse_result: Protocol error (2)
>> additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not
>> supported
>> Result: Protocol error (2)
>> Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
>>
>> So the question is does the Samba4 LDAP server support SASL/GSSAPI based
>> binding?
> We support SASL/GSSAPI. We do not (patches very welcome) currently
> support the extended operation ldapwhoami uses.
>
> Andrew Bartlett
>

Cheers

Geza

steve
Jan 20, 2012, 2:00:02 AM

>>> Hi,
>>>
>>> Even if you are scared of death of samba-technical I'm posting it there
>>> as well, maybe someone can answer the questions which arise when I tried
>>> to check out your use case.
>>> So I've tried first:
>>> # ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI
>>>
>>> gives:
>>> SASL/GSSAPI authentication started
>>> SASL username: Admini...@KZSDABAS.HU
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> No such object (32)
>>> Additional information: empty base DN at
>>> ../source4/dsdb/samdb/ldb_modules/partition.c:617
>> The issue appears to be related to there being not 'base dn' being
>> specified. Try with -b 'dc=samba4,dc=kzsdabas,dc=hu'.
>>
>> This behaviour may not match windows - if you can test against that,
>> please let us know the difference and we can sort it out. Base DN
>> specification and defaults changed mid last year.
>>
> Thanks!
>
> Specifying the base dn was the problem, but that still doesn't explain
> (although suggest that the problem lies with nslcd itself) the original
> problem.
>
Hi
Nothing:

hh3:/tmp # kinit Administrator
Password for Admini...@HH3.SITE:
Warning: Your password will expire in 34 days on Fri Feb 24 04:49:26 2012

ldapsearch -H ldap://hh3.site cn=Administrator -b dc=hh3,dc=site -LLL -Y
GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Server not found in Kerberos database)

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ Admini...@HH3.SITE from ipv4:192.168.1.3:52922 for
ldap/hh3....@HH3.SITE [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server
ldap/hh3....@HH3.SITE that was not found
Failed find a single entry for
(&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SI...@HH3.SITE: no such
entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:52922

hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab
--principal=ldap/hh3.site

hh3:/tmp # ldapsearch -H ldap://hh3.site cn=Administrator -b
dc=hh3,dc=site -LLL -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL:[GSSAPI]: NT_STATUS_LOGON_FAILURE

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ Admini...@HH3.SITE from ipv4:192.168.1.3:48616 for
ldap/hh3....@HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-20T07:48:01 starttime:
2012-01-20T07:53:37 endtime: 2012-01-20T17:48:01 renew till:
2012-01-21T07:47:56
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
text): Decrypt integrity check failed

And again the integrity check failed error.
Help!
Cheers,
Steve

steve
Jan 20, 2012, 5:30:02 AM

OK. Start from nothing. New checkout, /usr/local/samba deleted, keytabs
gone... Nothing.

./source4/setup/provision --realm=site --domain=CACTUS
--adminpass=abc@1234 --server-role='domain controller'

kinit Administrator
Password for Administrator@SITE:
Warning: Your password will expire in 41 days on Fri Mar 2 10:11:08 2012
hh3:/tmp # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SITE

Valid starting Expires Service principal
01/20/12 10:36:20 01/20/12 20:36:20 krbtgt/SITE@SITE
renew until 01/21/12 10:36:14
hh3:/tmp # ldapsearch -H ldap://192.168.1.3 cn=Administrator -b dc=site
-LLL -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: Administrator@SITE
SASL SSF: 56
SASL data security layer installed.
dn: CN=Administrator,CN=Users,DC=site
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20120120091108.0Z
whenChanged: 20120120091108.0Z
uSNCreated: 3544
uSNChanged: 3544
name: Administrator
objectGUID:: mGFPzUkB00u061KWBq0BbQ==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129715242680000000
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA1QO34Lt6TetRTPlg9AEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=site
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=site
memberOf: CN=Enterprise Admins,CN=Users,DC=site
memberOf: CN=Schema Admins,CN=Users,DC=site
memberOf: CN=Domain Admins,CN=Users,DC=site
distinguishedName: CN=Administrator,CN=Users,DC=site

# refldap://site/CN=Configuration,DC=site

# refldap://site/DC=DomainDnsZones,DC=site

# refldap://site/DC=ForestDnsZones,DC=site

Still here?

samba-tool user add steve2

Next add rfc2307 stuff for steve2:

cat steve2.ldif
dn: cn=steve2,cn=Users,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 3000000
-
add: gidnumber
gidnumber: 100
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/steve2
-
add: loginshell
loginshell: /bin/bash

ldapmodify -H ldap://192.168.1.3 -W -D cn=Administrator,cn=Users,dc=site -f
steve2.ldif
wbinfo -i steve2
CACTUS\steve2:*:3000000:100::/home/CACTUS/steve2:/bin/bash

Optimistically:
getent passwd steve2
_nothing_!
But nslcd-user can't read the ticket.
So:
chmod 0644 /tmp/
and getent springs to life:
getent passwd steve2
steve2:x:3000000:100:steve2:/home/CACTUS/steve2:/bin/bash
(gasps of general amazement etc.)

Finally, the kerberized bind works. steve2 can logon and get attributes
from LDAP _without_ the binddn and bindpw. For the record,
/etc/nslcd.conf looks like this:

uid nslcd-user
gid nslcd-user
uri ldap://192.168.1.3
base dc=site
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
sasl_mech GSSAPI
krb5_ccname /tmp/krb5cc_0

Next stage: getting nslcd-user to be able to read the ticket and keep
the ticket up to date. I can't find k5start for openSUSE. I'll ask the
guys over at the suse list for that one.

If I get time, I'll go through this on Ubuntu (where Geza pointed me to
k5start).

Phew!
Steve.

Michael Wood
Jan 20, 2012, 6:50:02 AM

Hi

On 20 January 2012 12:19, steve <st...@steve-ss.com> wrote:
[...]
> OK. Start from nothing. New checkout, /usr/local/samba deleted, keytabs
> gone. . . Nothing.
>
> ./source4/setup/provision --realm=site --domain=CACTUS --adminpass=abc@1234
> --server-role='domain controller'
>
>  kinit Administrator
[...]
> hh3:/tmp # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@SITE
[...]

Fine for testing or doing work as Administrator, but not what you want
to use for nslcd.

> hh3:/tmp # ldapsearch -H ldap://192.168.1.3 cn=Administrator -b dc=site -LLL
> -Y GSSAPI
[...]

OK, so GSSAPI bind to Samba 4 works.

> samba-tool user add steve2
>
> Next add rfc2307 stuff for steve2:
[...]
> wbinfo -i steve2
> CACTUS\steve2:*:3000000:100::/home/CACTUS/steve2:/bin/bash
>
> Optimistically:
> getent passwd steve2
> _nothing_!
> But nslcd-user can't read the ticket.
> So:
> chmod 0644 /tmp/

Obviously you meant the following:

chmod 644 /tmp/krb5cc_0

This is BAD! It means anyone on that machine will be able to do
anything as Administrator.

Better (but not the way you're supposed to do it) would be to chown
the file to the user that is running nslcd.

What you want to do is create a domain user for nslcd (separate from
the local user that the process runs as. i.e. it will probably need a
different username. This is just for authenticating against Samba.)

samba-tool user add nslcd-service

Now if you "kinit nslcd-service" and chown the file to the right UID,
nslcd should work as it did for Administrator. Still not quite right,
though, I think.

I think you want to create a service principal name, export it as a
keytab and then use that for nslcd, but this is where I am a bit
unsure.

> and getent springs to life:
> getent passwd steve2
> steve2:x:3000000:100:steve2:/home/CACTUS/steve2:/bin/bash
> (gasps of general amazement etc.)
>
> Finally, the kerberized bind works. steve2 can logon and get attributes from
> LDAP _without_ the binddn and bindpw. For the record, /etc/nslcd.conf looks
> like this:

Is there no principal specified? Maybe it's not necessary.

[...]
> Next stage: getting nslcd-user to be able to read the ticket and keep the
> ticket up to date.

Well, /tmp/krb5cc_0 is root's ticket cache. Since you're running
nslcd as "nslcd-user", that's not the ticket cache you should be
using. Either you should be generating a new ticket cache (maybe
using k5start), maybe not in /tmp, with the right permissions and
where nslcd can use it.

> I can't find k5start for openSUSE. I'll ask the guys over
> at the suse list for that one.

Otherwise you could probably compile it yourself.

> If I get time, I'll go through this on Ubuntu (where Geza pointed me to
> k5start).

--
Michael Wood <esio...@gmail.com>
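A pre-flight check for the two files this exchange is about, added here as an example and not part of the thread or of nslcd/k5start: it parses `ls -ld` and refuses a keytab or ticket cache that has any group/other permission bits (the chmod 644 and -rw-rw-rw- cases above) or the wrong owner. The paths and the user name nslcd-user follow the thread; the files the demo creates are constructed.

```sh
#!/bin/sh
# check_cred_file <path> <expected-owner>
# Returns 0 only if <path> is a regular file, owned by <expected-owner>, and
# has no group/other permission bits at all (i.e. mode 0600 or 0400).
check_cred_file() {
    f=$1
    want=$2
    if [ ! -f "$f" ]; then
        echo "FAIL: $f: not a regular file" >&2
        return 1
    fi
    # ls -ld is POSIX: field 1 is the mode string, field 3 the owner name.
    set -- $(ls -ld "$f")
    mode=$1
    owner=$3
    # Characters 5-10 of the mode string are the group and other rwx bits.
    grp_oth=$(printf '%s' "$mode" | cut -c5-10)
    status=0
    if [ "$owner" != "$want" ]; then
        echo "FAIL: $f: owned by $owner, expected $want" >&2
        status=1
    fi
    if [ "$grp_oth" != "------" ]; then
        # This is the chmod 644 / -rw-rw-rw- situation from the thread: every
        # local user could read the credential (and, with w, replace it).
        echo "FAIL: $f: mode $mode is readable or writable by group/other" >&2
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $f ($mode, owner $owner)"
    return "$status"
}

# preflight <keytab> <keytab-owner> <ccache> <ccache-owner>
# The keytab is read by whoever starts k5start (root in the thread); the
# ticket cache is read by the nslcd runtime user, which k5start -o chowns
# it to. Both checks run so every problem is reported in one pass.
preflight() {
    keytab=$1; keytab_owner=$2
    ccache=$3; ccache_owner=$4
    rc=0
    check_cred_file "$keytab" "$keytab_owner" || rc=1
    check_cred_file "$ccache" "$ccache_owner" || rc=1
    return "$rc"
}

# Demo on constructed files, not the thread's real /etc/nslcd.keytab and
# /tmp/krb5cc_0: a 0600 keytab passes, a 0644 ticket cache fails, so the
# whole preflight fails. Falls back to the numeric uid if it has no name.
demo() {
    d=$(mktemp -d)
    me=$(id -un 2>/dev/null || id -u)
    printf 'constructed keytab' > "$d/nslcd.keytab"; chmod 0600 "$d/nslcd.keytab"
    printf 'constructed ccache' > "$d/krb5cc_0";     chmod 0644 "$d/krb5cc_0"
    preflight "$d/nslcd.keytab" "$me" "$d/krb5cc_0" "$me"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

if demo; then
    echo "preflight passed"
else
    echo "preflight failed (expected for the constructed 0644 ticket cache)"
fi
```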

steve
Jan 20, 2012, 8:30:02 AM

On 20/01/12 12:41, Michael Wood wrote:
Michael. Thanks for your comments. Getting there slowly but surely. Have
made some adjustments inline.

>> wbinfo -i steve2
>> CACTUS\steve2:*:3000000:100::/home/CACTUS/steve2:/bin/bash
>>
>> Optimistically:
>> getent passwd steve2
>> _nothing_!
>> But nslcd-user can't read the ticket.
>> So:
>> chmod 0644 /tmp/

> Obviously you meant the following:
>
> chmod 644 /tmp/krb5cc_0
Yes. I should have copied it from the terminal rather than type it.
>
> This is BAD! It means anyone on that machine will be able to do
> anything as Administrator.
>
> Better (but not the way you're supposed to do it) would be to chown
> the file to the user that is running nslcd.
>
> What you want to do is create a domain user for nslcd (separate from
> the local user that the process runs as. i.e. it will probably need a
> different username. This is just for authenticating against Samba.)
>
> samba-tool user add nslcd-service
>
> Now if you "kinit nslcd-service" and chown the file to the right UID,
> nslcd should work as it did for Administrator. Still not quite right,
> though, I think.
>
> I think you want to create a service principal name, export it as a
> keytab and then use that for nslcd, but this is where I am a bit
> unsure.
I did this:

samba-tool user add nslcd-service
New Password:
User 'nslcd-service' created successfully
kinit nslcd-service
Password for nslcd-service@SITE:
Warning: Your password will expire in 41 days on Fri Mar 2 13:47:22 2012
hh3:/tmp # chown nslcd-user:nslcd-user krb5cc_0
rcnslcd restart
redirecting to systemctl
hh3:/tmp # getent passwd steve2
steve2:x:3000000:100:steve2:/home/CACTUS/steve2:/bin/bash

Seems to work OK.

I know I should use a keytab; then presumably I'd not need to keep
refreshing the ticket using k5start. I really would like to find
out how to do that. I've tried before. Thinking out loud, maybe this:

with getent passwd, samba gives this:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ nslcd-service@SITE from ipv4:192.168.1.3:50765 for
ldap/hh3.site@SITE [canonicalize, renewable]

I tried removing /tmp/krbcc_0 and doing this:

hh3:/tmp # samba-tool spn add ldap/hh3.site nslcd-service
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab
--principal=ldap/hh3.site
hh3:/tmp # chown nslcd-user:nslcd-user /etc/ldap.keytab

But:
Jan 20 14:16:15 hh3 nslcd[3575]: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_0' not found)

So the next qn. would be how do I tell nslcd to look in the keytab
rather than the cache file?

Or maybe go the k5start way. Don't know!

> Is there no principal specified? Maybe it's not necessary.
>
> [...]
Yes. I think this is it: ldap/hh3.site@SITE Pls see samba output above.
>> Next stage: getting nslcd-user to be able to read the ticket and keep the
>> ticket up to date.
> Well, /tmp/krb5cc_0 is root's ticket cache. Since you're running
> nslcd as "nslcd-user", that's not the ticket cache you should be
> using.
Actually, kinit nslcd-service produced a file with the same name.
> Either you should be generating a new ticket cache (maybe
> using k5start), maybe not in /tmp, with the right permissions and
> where nslcd can use it.
>
>> I can't find k5start for openSUSE. I'll ask the guys over
>> at the suse list for that one.
> Otherwise you could probably compile it yourself.
>
>> If I get time, I'll go through this on Ubuntu (where Geza pointed me to
>> k5start).
Thanks again.
Steve

steve
Jan 20, 2012, 9:40:02 AM

>>
>>> I can't find k5start for openSUSE. I'll ask the guys over
>>> at the suse list for that one.
>> Otherwise you could probably compile it yourself.
>>
>>> If I get time, I'll go through this on Ubuntu (where Geza pointed me to
>>> k5start).
> Thanks again.
> Steve

Got an old k5start from the openSUSE vaults and got the keytab working
with it:

samba-tool domain exportkeytab /etc/nslcd.keytab --principal=nslcd-service
Then:
k5start -v -f /etc/nslcd.keytab -u nslcd-service -o nslcd-user -k
/tmp/krb5cc_0
Kerberos initialization for nslcd-service@SITE
k5start: authenticating as nslcd-service@SITE
k5start: getting tickets for krbtgt/SITE@SITE

It didn't ask for a password:)

A few bits of stuff.
This is not ideal. It renews every 5 mins, which is too often. Probably
need some k5list --help
Maybe /tmp is a bad place to put the cache. On openSUSE (and probably
other distros), anyone can get in there and have a look around.
Don't get this:
ls -la /etc/nslcd.keytab
-rw------- 1 root root 178 Jan 20 15:19 /etc/nslcd.keytab
yet k5start can get at it.
I still think there must be a better way.

Cheers,

Michael Wood
Jan 20, 2012, 10:10:02 AM

On 20 January 2012 15:23, steve <st...@steve-ss.com> wrote:
> On 20/01/12 12:41, Michael Wood wrote:
[...]
> I did this:
>
>  samba-tool user add nslcd-service
> New Password:
> User 'nslcd-service' created successfully
> kinit nslcd-service
> Password for nslcd-service@SITE:
> Warning: Your password will expire in 41 days on Fri Mar  2 13:47:22 2012
> hh3:/tmp # chown nslcd-user:nslcd-user krb5cc_0
>  rcnslcd restart
> redirecting to systemctl
> hh3:/tmp # getent passwd steve2
>
> steve2:x:3000000:100:steve2:/home/CACTUS/steve2:/bin/bash
>
> Seems to work OK.

OK.

> I know I should use a keytab, then presumably I'd not need to keep
> refreshing the ticket using k5start. I really would like like to find out
> how to do that.

I'm starting to think that maybe a keytab is not the answer and
k5start is. Maybe someone that knows more about Kerberos will
enlighten us, but it might make more sense to ask the question on a
Kerberos mailing list/forum.

> I've tried before. Thinking out loud, maybe this:
>
> with getent passwd, samba gives this:
> ldb_wrap open of secrets.ldb
> Kerberos: TGS-REQ nslcd-service@SITE from ipv4:192.168.1.3:50765 for
> ldap/hh3.site@SITE [canonicalize, renewable]
>
> I tried removing /tmp/krbcc_0 and doing this:
>
> hh3:/tmp # samba tool spn add ldap/hh3.site nslcd-service
>
> hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab
> --principal=ldap/hh3.site
> hh3:/tmp # chown nslcd-user:nslcd-user /etc/ldap.keytab
>
> But:
> Jan 20 14:16:15 hh3 nslcd[3575]: GSSAPI Error: Unspecified GSS failure.
>  Minor code may provide more information (Credentials cache file
> '/tmp/krb5cc_0' not found)
>
> So the next qn. would be how do I tell nslcd to look in the keytab rather
> than the cache file?

I don't know. Maybe it can't use a keytab. Perhaps the nslcd
developers could clarify this?

> Or maybe go the k5start way. Don't know!

Since the ticket cache works, I think k5start should work too, but
I've not tried it myself.

>>> Next stage: getting nslcd-user to be able to read the ticket and keep the
>>> ticket up to date.
>>
>> Well, /tmp/krb5cc_0 is root's ticket cache.  Since you're running
>> nslcd as "nslcd-user", that's not the ticket cache you should be
>> using.
>
> Actually, kinit nslcd-service produced a file with the same name.

That's because you were logged in as root when you ran kinit. That's
what I meant when I said it was "root's ticket cache".

--
Michael Wood <esio...@gmail.com>

steve
Jan 20, 2012, 12:20:02 PM

This seems to be better:
Extracted the keytab using samba-tool spn and k5start'ed from it:
k5start -v -f /etc/nslcd.keytab -U -o nslcd-user -K 360 -k /tmp/krb5cc_0

-v verbose
-f use keytab, not password
-o the user the file should be chown'ed to
-U Use the first principal in the keytab as the client principal
-K run as daemon <minutes between ticket updates>
-k name of ticket cache

The alternative would be:
k5start -v -u nslcd-service -U -o nslcd-user -K 360 -k /tmp/krb5cc_0
-u the user who needs to get the ticket
But this prompts for a password. I suppose the power of the keytab is
the kerberos magic that does it for you.

Next episode:
How to create the keytab on a Linux client without samba-tool installed.
Cheers,
Steve

steve

Jan 22, 2012, 9:40:02 AM
However, this only works if the realm is NOT the dns name.
This is with:
realm=site
rather than
realm=hh3.site
and the kerberized bind to the ldap works but nothing else on the
network. e.g. you cannot join machines to the domain because dns does
not find the realm. Is it a rule that the Kerberos realm has to be the
same as the dns name?

Back provisioning with realm=hh3.site (the fqdn), dns is working again
and I can join boxes to the domain again BUT the kerberized bind will
not work anymore and I'm back to:

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ Admini...@HH3.SITE from ipv4:192.168.1.3:48616 for
ldap/hh3....@HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-20T07:48:01 starttime:
2012-01-20T07:53:37 endtime: 2012-01-20T17:48:01 renew till:
2012-01-21T07:47:56
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
text): Decrypt integrity check failed

even though I've made a ldap/hh3.site principal:
hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab
--principal=ldap/hh3.site

Why do I get the
Decrypt integrity check failed
error?

(I can still connect un-kerberized by simply specifying the binddn and
bindpw in /etc/nslcd.conf)

Andrew Bartlett

Jan 26, 2012, 11:40:02 PM
On Sun, 2012-01-22 at 15:32 +0100, steve wrote:

> even though I've made a ldap/hh3.site principal:
> hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
> hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab
> --principal=ldap/hh3.site
>
> Why do I get the
> Decrypt integrity check failed
> error?

Why do you keep doing this?

What makes you think this is the right thing to do (so I can correct
whatever gave you this misconception).

Samba will not read /etc/ldap.keytab.

Samba uses the private keytab containing its own machine account only.
Samba should not be contacted via the dns domain name, it should be
contacted by the fully qualified domain name.

The fact the dns domain name (hh3.site) resolves is an artefact of the
default AD DNS zone, but should not be used. If your client uses the
fully qualified name (dc.hh3.site), it will collect the correct ticket,
and Samba will decrypt it.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
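
Andrew's explanation above, as an added toy model (not Samba code): the KDC seals a service ticket with the key of whichever account owns the requested SPN, and the DC can only open tickets sealed with its own machine-account key, so an ldap/hh3.site SPN added to Administrator yields a ticket the DC cannot decrypt, while an unregistered name yields "not found". Account names, SPNs and keys are constructed, and HMAC stands in for ticket encryption.

```python
import hashlib
import hmac

REALM = "HH3.SITE"

# Constructed directory: each account's long-term key and the SPNs it owns.
# Only the DC machine account's key is in Samba's private keytab.
def make_directory():
    return {
        "DC$": {"key": b"dc-machine-account-key",
                "spns": {"ldap/dc.hh3.site", "host/dc.hh3.site"}},
        "Administrator": {"key": b"administrator-key", "spns": set()},
    }

def kdc_lookup(directory, spn):
    """Return the account owning the SPN, or None ('Server not found in Kerberos database')."""
    for name, acct in directory.items():
        if spn in acct["spns"]:
            return name
    return None

def issue_ticket(directory, spn):
    """Seal a service ticket with the owning account's key.
    HMAC stands in for ticket encryption; the point is *whose* key is used."""
    owner = kdc_lookup(directory, spn)
    if owner is None:
        return None
    body = f"ticket-for:{spn}@{REALM}".encode()
    return body, hmac.new(directory[owner]["key"], body, hashlib.sha256).digest()

def dc_accepts(directory, ticket, dc_account="DC$"):
    """The DC can only verify tickets sealed with its own machine-account key."""
    body, mac = ticket
    expected = hmac.new(directory[dc_account]["key"], body, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)

def bind_outcome(directory, host):
    """Outcome of a GSSAPI LDAP bind to ldap/<host>, matching the errors in the thread."""
    ticket = issue_ticket(directory, f"ldap/{host}")
    if ticket is None:
        return "Server not found in Kerberos database"
    if not dc_accepts(directory, ticket):
        return "Decrypt integrity check failed"
    return "bind succeeds"

def add_spn(directory, account, spn):
    """Model of 'samba-tool spn add <spn> <account>'."""
    directory[account]["spns"].add(spn)
```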

steve

Jan 27, 2012, 2:50:01 AM
On 01/27/2012 05:37 AM, Andrew Bartlett wrote:
> On Sun, 2012-01-22 at 15:32 +0100, steve wrote:
>
>> even though I've made a ldap/hh3.site principal:
>> hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
>> hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab
>> --principal=ldap/hh3.site
>>
>> Why do I get the
>> Decrypt integrity check failed
>> error?
> Why do you keep doing this?
>
> What makes you think this is the right thing to do (so I can correct
> whatever gave you this misconception).
>
> Samba will not read /etc/ldap.keytab.
>
> Samba uses the private keytab containing its own machine account only.
> Samba should not be contacted via the dns domain name, it should be
> contacted by the fully qualified domain name.
>
> The fact the dns domain name (hh3.site) resolves is an artefact of the
> default AD DNS zone, but should not be used. If your client uses the
> fully qualified name (dc.hh3.site), it will collect the correct ticket,
> and Samba will decrypt it.
>
> Thanks,
>
> Andrew Bartlett
>
Hi

Thanks for pointing this out. It turned out that when I provisioned, I
had the fqdn wrong. Duh! I set that correctly in /etc/hosts,
reprovisioned and everything sprang to life. ldapsearch -Y GSSAPI worked
and I could extract stuff I'd put into the s4 LDAP database so our Linux
users could connect.

I have still not been able to get winbind nor the fileserver working, so
I've added nfs4 for the Linux clients and there I did need to add a
principal for the kerberized nfs, otherwise the nfs server would not
start. It's a bit of a hack but it's good enough for us at the moment. I
got around the user id mappings as described here:
http://linuxcostablanca.blogspot.com/p/samba-4.html

Thanks for your time,
Steve

Andrew Bartlett

Jan 27, 2012, 3:40:02 AM
That is correct. Unlike our internal services, you will need to add an
account and give that account an SPN to allow other kerberos services to
work. You then extract the keytab entry into the keytab file the
service expects to use (quite possibly the system
default /etc/krb5.keytab).

> It's a bit of a hack but it's good enough for us at the moment. I
> got around the user id mappings as described here:
> http://linuxcostablanca.blogspot.com/p/samba-4.html

I'll try and look over that and give you some feedback. Where possible,
refer folks to the official HOWTO, as we can keep that up to date and
correct errors/misconceptions centrally that way.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
