On 01/15/2012 10:23 PM, Michael Wood wrote:
On 15 January 2012 18:32, steve<st...@steve-ss.com>  wrote:
On 01/15/2012 04:04 PM, Michael Wood wrote:
On 14 January 2012 12:52, steve<st...@steve-ss.com>   wrote:
On 14/01/12 03:19, Michael Wood wrote:
On 14 January 2012 01:24, steve<st...@steve-ss.com>     wrote:
[...]
drwxr-xr-x 118 root root  12288 Jan 13 23:55 etc
-rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
That's fine, but is that what nslcd is using?
Ah. Well spotted! The nslcd docs recommend you run it as a separate user,
so I created a user and group for nslcd and specified them in nslcd.conf.
nslcd is running as nslcd:nslcd. So nslcd can't get inside the keytab. Is
that correct? (can't test it as I am not by the DC at the moment)
Sounds likely.

So you probably need to export a keytab for your nslcd principal to a
new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd
has permission to read it.  No other user should have read access.

The problem is that I can't have a principal for nslcd. IOW I can't do this:
samba-tool spn add nslcd some-user
I must admit that I don't know why you can't do something like this:

# samba-tool user create nslcd-user --random-password
User 'nslcd-user' created successfully
# samba-tool spn add nslcd/hh3.hh3.site nslcd-user
# samba-tool spn list nslcd-user
nslcd-user
User CN=nslcd-user,CN=Users,DC=hh3,DC=site has the following
servicePrincipalName:
         nslcd/hh3.hh3.site
# samba-tool domain exportkeytab --principal=nslcd/hh3.hh3.site nslcd.keytab
# ls -l nslcd.keytab
-rw------- 1 root root 253 2012-01-15 23:10 nslcd.keytab

If that works, try getting nslcd to use it.


Hi Michael. The problem is this:

root@hh3:/home/steve# samba-tool user add nslcd-user
New Password:
User 'nslcd-user' created successfully
root@hh3:/home/steve# samba-tool spn add nslcd nslcd-user
root@hh3:/home/steve# samba-tool domain exportkeytab nslcd.keytab --principal=nslcd/HH3.SITE
ERROR(runtime): uncaught exception - Key table entry not found
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
net.export_keytab(keytab=keytab, principal=principal)

root@hh3:/home/steve# samba-tool domain exportkeytab --principal=nslcd/hh3.hh3.site nslcd.keytab
ERROR(runtime): uncaught exception - Key table entry not found
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
net.export_keytab(keytab=keytab, principal=principal)

And finally, just for good measure:
root@hh3:/home/steve# samba-tool domain exportkeytab --principal=nslcd/HH3.SITE nslcd.keytab
ERROR(runtime): uncaught exception - Key table entry not found
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
net.export_keytab(keytab=keytab, principal=principal)

i.e., unlike host and nfs, nslcd cannot be made into a principal to put in a keytab. Do you think that the host principal will take care of this even though it is in root:root /etc/krb5.keytab and nslcd is running as nslcd-user?

Anyway, just 4 hours to go to see if the world collapses when steve2's ticket expires. Meanwhile, he's been creating and editing files on both win 7 and Linux clients without once being asked for a password. As you say, fingers crossed. Do I win 10 €uros!
Cheers,
Steve
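Two things the thread keeps circling back to are worth checking mechanically before blaming the DC: does the keytab the daemon is pointed at actually contain the principal you think it does (the exact name, e.g. `nslcd/hh3.hh3.site@HH3.SITE` rather than `nslcd@HH3.SITE`), and can the unprivileged service account read the file at all. The script below is an added example, not code from the thread or from Samba; it builds a small MIT-format keytab from constructed sample entries, parses it back to list the principals it holds, and runs the ownership/mode/principal checks an operator would want for a daemon running as its own user. The realm, hostnames, key bytes and uids are constructed placeholders.

```python
import os
import stat
import struct
import tempfile

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab format version 2; all integers big-endian


def _octet_string(b: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples into keytab bytes.
    Sample data only; real keytabs come from the KDC (samba-tool / ktutil)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _octet_string(realm.encode())
        for comp in components:
            body += _octet_string(comp.encode())
        # name_type 1 = KRB5_NT_PRINCIPAL, timestamp 0, 8-bit vno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit kvno at the end of the entry
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts describing every live entry in a v2 keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        (rlen,) = struct.unpack_from(">H", data, p); p += 2
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p); p += 9
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4
        key = data[p:p + klen]; p += klen
        kvno = vno8
        if end - p >= 4:        # trailing 32-bit kvno overrides the 8-bit one when non-zero
            (kvno32,) = struct.unpack_from(">I", data, p)
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "key": key,
                        "timestamp": timestamp})
        pos = end
    return entries


def keytab_principals(data):
    """Sorted, de-duplicated principal names (one name may have several enctypes)."""
    return sorted({e["principal"] for e in parse_keytab(data)})


def check_keytab_file(path, service_uid, principal):
    """Return a list of problems; an empty list means the daemon can use the keytab
    and nobody else on the box can read the keys out of it."""
    problems = []
    st = os.stat(path)
    if st.st_uid != service_uid:
        problems.append("owner uid %d != service uid %d" % (st.st_uid, service_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %s grants group/other access" % oct(st.st_mode & 0o777))
    if not st.st_mode & stat.S_IRUSR:
        problems.append("owner cannot read the file")
    with open(path, "rb") as f:
        data = f.read()
    if principal not in keytab_principals(data):
        problems.append("principal %s not in keytab" % principal)
    return problems


def demo():
    """Constructed scenario: one keytab holding host/ and nslcd/ keys, checked once
    as the owning user and once as a different uid (the root:root vs nslcd case)."""
    kt = build_keytab([
        ("host/hh3.hh3.site@HH3.SITE", 23, 2, b"\x01" * 16),   # rc4-hmac, placeholder key
        ("nslcd/hh3.hh3.site@HH3.SITE", 18, 1, b"\x02" * 32),  # aes256-cts, placeholder key
    ])
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "nslcd.keytab")
        with open(path, "wb") as f:
            f.write(kt)
        os.chmod(path, 0o600)
        me = os.getuid()
        as_owner = check_keytab_file(path, me, "nslcd/hh3.hh3.site@HH3.SITE")
        as_other = check_keytab_file(path, me + 1, "nslcd/hh3.hh3.site@HH3.SITE")
        wrong_name = check_keytab_file(path, me, "nslcd/HH3.SITE@HH3.SITE")
    return as_owner, as_other, wrong_name


if __name__ == "__main__":
    print(demo())
```

The three results from `demo()` map onto the thread: the owning user with the right principal name passes cleanly; a different uid (nslcd trying to use a root-owned 0600 file) fails on ownership; and asking for `nslcd/HH3.SITE` when the keytab holds `nslcd/hh3.hh3.site` fails on the principal lookup, the same kind of name mismatch that "Key table entry not found" invites you to look for. Against a real file, run `check_keytab_file("/var/run/nslcd/nslcd.tkt", pwd.getpwnam("nslcd").pw_uid, "nslcd/hh3.hh3.site@HH3.SITE")` with the path and names from your own setup.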


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba