On 30/12/11 13:09, steve wrote:
On 30/12/11 09:38, steve wrote:
On 29/12/11 19:14, Gémes Géza wrote:
On 2011-12-29 12:56, steve wrote:
On 29/12/11 11:58, Gémes Géza wrote:
On 2011-12-29 10:11, steve wrote:
On 29/12/11 10:00, steve wrote:
On 28/12/11 21:59, Bernd Markgraf wrote:
You should create a user in AD for nss-ldap and extract a keytab for it (samba-tool domain exportkeytab --principal=....) and configure nss-ldap to use that keytab for authenticating. Most probably you aren't allowed to bind anonymously to your AD server (you can try with ldapsearch -x)
LDAP works with an anonymous bind. You need the Kerberos keytab for authentication though.
steve@hh3:~> ldapsearch -x
# extended LDIF
#
# LDAPv3
# base<DC=hh3,DC=site> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 00002020: Operation unavailable without authentication
# numResponses: 1
I found this usage:
samba-tool export keytab PATH_TO_KEYTAB
How can I find my PATH_TO_KEYTAB?
Thanks
Can't get the syntax right:
samba-tool domain exportkeytab /var/lib/named/master --principal
Usage: samba-tool domain exportkeytab<keytab> [options]
samba-tool domain exportkeytab: error: --principal option requires an argument
samba-tool domain exportkeytab /path/to/the/keytab/file/you/want/to/create/or/update --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
Regards
Geza
Tried:
samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
restarted samba but:
su steve4
su: user steve4 does not exist
Am I getting close or should I give up now?!
Steve
You still need to configure nss-ldap to do a kerberized bind.
I've found example configurations for nslcd (the daemon part of nss-ldapd, a fork of nss-ldap) at:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
http://ubuntuforums.org/archive/index.php/t-1335022.html
Regards
Geza
phew. That's a biggie.
I have nslcd installed. I've looked at the links and it seems as though I need this in /etc/nslcd.conf
uri ldap://127.0.0.1/
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /dont/know
It's the krb5_ccname I can't get.
I have:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ste...@hh3.site
Valid starting Expires Service principal
12/30/11 09:27:15 12/30/11 19:27:15 krbtgt/hh3.s...@hh3.site
renew until 12/31/11 09:27:12
The link you gave suggests:
krb5_ccname /var/run/nslcd/nslcd.tkt
But doesn't say where that came from.
Any ideas?
Saludos
Steve
Well, using nslcd, I have finally got through to the Samba 4 LDAP (getent passwd works and steve4 can finally log in).
The next bit is this:
getent passwd does not show the home directory:
steve4:x:3000019:100:steve4::/bin/bash
even though I can see it in the ldap ldif
steve4 gets logged into / but changing to /home/CACTUS/steve4 allows him to create and edit files correctly and with the correct permissions.
Any ideas?
Thanks
Steve.
Found it:
map passwd homeDirectory unixHomeDirectory
so /etc/nslcd.conf looks like this:
uri ldap://127.0.0.1/
base dc=hh3,dc=site
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
Cheers,
Steve
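As an added illustration (not code from the thread or from nslcd itself): a small Python model of the two points the thread works out, namely how an nslcd `map passwd homeDirectory unixHomeDirectory` directive turns the AD entry's unixHomeDirectory into the home field that was empty in the getent output, and a check that flags a krb5_ccname pointing at an interactive kinit cache such as /tmp/krb5cc_0. The nslcd.conf and the LDIF entry are constructed to match the values quoted above.

```python
# Constructed nslcd.conf, modelled on the one posted in the thread (not the poster's file).
NSLCD_CONF = """\
uri ldap://127.0.0.1/
base dc=hh3,dc=site
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
"""
# Constructed LDIF for the AD user; attribute names are the RFC 2307 ones AD carries.
USER_LDIF = """\
uid: steve4
uidNumber: 3000019
gidNumber: 100
gecos: steve4
unixHomeDirectory: /home/CACTUS/steve4
loginShell: /bin/bash
"""
# nslcd's default LDAP attribute for each passwd field, in passwd(5) order.
PASSWD_FIELDS = ["uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell"]

def parse_conf(text):
    """Return (options, maps); maps[db][field] is the attribute a 'map' line substitutes."""
    options, maps = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "map" and len(parts) == 4:
            maps.setdefault(parts[1], {})[parts[2]] = parts[3]
        else:
            options[parts[0]] = " ".join(parts[1:])
    return options, maps

def parse_ldif(text):
    """Minimal one-entry LDIF reader: 'attr: value' lines into a dict."""
    return dict(map(str.strip, line.split(":", 1)) for line in text.splitlines() if ":" in line)

def passwd_line(entry, maps):
    """Render the passwd line nslcd would return, applying any 'map passwd' renames."""
    attrs = [maps.get("passwd", {}).get(f, f) for f in PASSWD_FIELDS]
    name, uidn, gidn, gecos, home, shell = (entry.get(a, "") for a in attrs)
    return f"{name}:x:{uidn}:{gidn}:{gecos}:{home}:{shell}"
def check_conf(options):
    """Flag settings that leave the bind unauthenticated or tied to an expiring ticket."""
    findings = []
    if options.get("sasl_mech") != "GSSAPI":
        findings.append("no GSSAPI bind: lookups run anonymously or with a simple bind")
    if options.get("krb5_ccname", "").startswith("/tmp/krb5cc_"):
        findings.append("krb5_ccname is an interactive kinit cache: lookups stop when it expires")
    return findings
```

Calling `passwd_line` with an empty map dict reproduces the line with the blank home field from the thread; passing the parsed maps fills in /home/CACTUS/steve4.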