On 01/15/2012 04:17 PM, Michael Wood wrote:
Hi

On 15 January 2012 15:49, steve<st...@steve-ss.com> wrote:
Hi everyone
Version 4.0.0alpha18-GIT-bfc7481

I'm using nslcd to map Samba 4 users to uid:gid and home directory. At
startup I get this:

ldb_wrap open of secrets.ldb
WARNING: no socket to connect to

and /var/log/messages shows:

Jan 15 14:20:13 hh3 nslcd[2425]: [334873] failed to bind to LDAP server ldap://hh3.site/: Can't contact LDAP server: Transport endpoint is not connected
Jan 15 14:20:13 hh3 nslcd[2425]: [334873] no available LDAP server found, sleeping 1 seconds
[...]

I don't know why the above happens, but...:

cat /etc/nslcd.conf
[...]
# The user and group nslcd should run as.
#uid nslcd
#gid nslcd
uid nslcd-user
gid nslcd-user
Just a guess, but this might cause a problem.  I believe you created a
Samba user called nslcd-user and it looks like this is what you're
trying to use here.  (Also, AD does not support using the same name
for a user and a group, I believe.)

So before nslcd starts fully it would need to look up those values,
but in order to do that it needs to talk to Samba.  It seems to me
that this might be problematic.  Maybe you should use a local Linux
user for running nslcd and just use the Samba nslcd-user account for
nslcd's authentication to Samba.
OK. I think you're correct there. I've deleted the Samba 4 user nslcd-user and created a host principal instead (you can't create a principal for just nslcd, but I thought that as it's running on the host then, well. . .):

samba-tool user add host-account
samba-tool spn add host host account
samba-tool domain exportkeytab /etc/krb5.keytab --principal=/host/HH3.SITE

gives me the following keytab:
KVNO Principal
---- --------------------------------------------------------------------------
   1 HH3$@HH3.SITE
   1 HH3$@HH3.SITE
   1 HH3$@HH3.SITE
   1 administra...@hh3.site
   1 administra...@hh3.site
   1 administra...@hh3.site
   1 host-acco...@hh3.site
   1 host-acco...@hh3.site
   1 host-acco...@hh3.site
   1 dns-...@hh3.site
   1 dns-...@hh3.site
   1 dns-...@hh3.site
   1 krb...@hh3.site
   1 krb...@hh3.site
   1 krb...@hh3.site
   1 ste...@hh3.site
   1 ste...@hh3.site
   1 ste...@hh3.site
   1 host/hh3.s...@hh3.site
   1 host/hh3.s...@hh3.site
   1 host/hh3.s...@hh3.site
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
I think you want CN=nslcd-user,CN=Users,DC=hh3,DC=site here.

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
bindpw 1234@Abc
I think if your Kerberos config is working correctly this should not
be necessary.
It seems as though the Samba 4 LDAP needs authentication. Without the binddn and password I get:
ldb_wrap open of secrets.ldb
auth_check_password_send: Checking password for unmapped user []\[]@[(null)]
auth_check_password_send: mapped user is: []\[]@[(null)]

and getent passwd fails to show the Samba 4 users. With the binddn and passwd:

ldb_wrap open of secrets.ldb
auth_check_password_send: Checking password for unmapped user [CACTUS]\[Administrator]@[(null)]
auth_check_password_send: mapped user is: [CACTUS]\[Administrator]@[(null)]
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

getent springs to life and all is well.
#sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0
Try using /var/run/nslcd/nslcd.tkt after exporting the nslcd-user's
SPN to it and making sure nslcd can read it.
That seems impossible to do. But I'll return here if what I've done so far doesn't work. I think this comes down to the differences between kerberos user accounts, with passwords, and kerberos machine accounts without passwords but with principals instead. Does that make sense?

All seems well. steve2 can log in both here on the server, on an openSUSE client and on a win 7 client, so he must have a ticket somewhere. klist gives:
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
so the tickets must be stored internally somewhere or maybe somewhere in Australia;)

After
kinit steve2
Password for ste...@hh3.site:
Warning: Your password will expire in 40 days on Fri Feb 24 18:37:06 2012

and
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ste...@hh3.site

Valid starting     Expires            Service principal
01/15/12 16:58:00  01/16/12 02:58:00  krbtgt/hh3.s...@hh3.site
    renew until 01/16/12 16:57:54
It looks as though steve2 is good for 10 hours. What is the significance of Default principal? Surely, if I have created a host principal then I want that to be the default principal. Otherwise, everything will collapse in 10 hours unless steve2 gets another ticket!

My next question is, will the host principal keep nslcd alive beyond then? The other bit is that I created the keytab on the Linux client using
net ads keytab create
after
net ads join
with a minimalist smb.conf containing just domain=, security= and realm=

I wonder if that's enough to keep nslcd up on the client too after steve2's ticket has expired.

Ahhggh. My brain hurts!
Thanks for your patience Michael.
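As an added example (not code from the thread), a small POSIX shell script that checks an nslcd.conf for the two points Michael raises: the uid/gid nslcd drops to must resolve from the local flat files before nslcd itself is up, and a cleartext bindpw must not sit in a group- or world-readable file. The config contents, temp paths and the local passwd/group entries are constructed samples, not the poster's real files.

```shell
#!/bin/sh
# Constructed sample files live in a temp dir so the checks run offline.
SAMPLE_DIR=$(mktemp -d)
# Config as posted in the thread (constructed copy): run-as user is an AD
# account and a cleartext bindpw sits in a world-readable file.
cat > "$SAMPLE_DIR/nslcd.conf" <<'EOF'
uid nslcd-user
gid nslcd-user
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw 1234@Abc
#sasl_mech GSSAPI
sasl_realm HH3.SITE
EOF
chmod 644 "$SAMPLE_DIR/nslcd.conf"
# Corrected variant (constructed): local run-as user, GSSAPI, no bindpw.
cat > "$SAMPLE_DIR/nslcd-fixed.conf" <<'EOF'
uid nslcd
gid nslcd
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /var/run/nslcd/nslcd.tkt
EOF
chmod 600 "$SAMPLE_DIR/nslcd-fixed.conf"
# Constructed local account files: only "nslcd" exists without LDAP.
printf 'root:x:0:0:root:/root:/bin/sh\nnslcd:x:115:121::/var/run/nslcd:/bin/false\n' > "$SAMPLE_DIR/passwd"
printf 'root:x:0:\nnslcd:x:121:\n' > "$SAMPLE_DIR/group"

# conf_value FILE KEY: value of the first uncommented KEY line, empty if none.
conf_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# check_runas CONF PASSWD GROUP: succeeds only if the uid/gid nslcd drops to
# are defined in the flat files, i.e. resolvable before nslcd itself is up.
check_runas() {
    u=$(conf_value "$1" uid); g=$(conf_value "$1" gid)
    [ -z "$u" ] || grep -q "^$u:" "$2" || return 1
    [ -z "$g" ] || grep -q "^$g:" "$3" || return 1
}

# check_bindpw_perms CONF: succeeds if no bindpw is set, or if the file is
# readable by its owner only (group/other bits from ls -l contain no r).
check_bindpw_perms() {
    [ -z "$(conf_value "$1" bindpw)" ] && return 0
    case "$(ls -l "$1" | cut -c5-10)" in *r*) return 1 ;; *) return 0 ;; esac
}

for c in nslcd.conf nslcd-fixed.conf; do
    f="$SAMPLE_DIR/$c"
    check_runas "$f" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" \
        && echo "$c: run-as user/group are local" || echo "$c: run-as needs LDAP (bootstrap loop)"
    check_bindpw_perms "$f" && echo "$c: bindpw ok" || echo "$c: cleartext bindpw in readable file"
done
```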