On 01/18/2012 09:56 PM, Gémes Géza wrote:
On 2012-01-18 12:12, steve wrote:
On 01/17/2012 09:40 PM, Gémes Géza wrote:
Hi,

See comments inline:
Hi everyone

I'm trying to use Kerberos to authenticate to Samba 4 LDAP. At the
moment, I authenticate by specifying the binddn and password in
/etc/nslcd.conf and all works fine.

If I add the line:
sasl_mech GSSAPI
That should suffice, but please note that nslcd should also have access
to some kind of keytab to authenticate itself.
This is done on Debian/Ubuntu via /etc/default/nslcd.conf (mine
looks like this):

# Defaults for nslcd init script

# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
K5START_START="yes"

# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host/$(hostname -f)"

And you must have k5start installed (it is a wrapper which keeps fresh
tickets for long running services).
to /etc/nslcd.conf
and restart nslcd, no one can connect to the database. Nothing works.
ldapsearch and getent passwd draw a blank.

ldapsearch -x -b '' -s base supportedSASLMechanisms

gives me:

dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM

but ldapsearch -Y GSSAPI gives:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
      additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information
(Server not found in Kerberos database)

Before you can do a SASL/GSSAPI-based LDAP operation you must have
valid Kerberos tickets (so do a kinit first)!
and Samba gives:
Kerberos: TGS-REQ administra...@hh3.site from ipv4:192.168.1.3:56859
for ldap/hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server
ldap/hh3.s...@hh3.site that was not found
Failed find a single entry for
(&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))):
got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/s...@hh3.site: no such
entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:56859

I've tried making an ldap principal but samba-tool spn doesn't let me
add an ldap principal.
Any ideas anyone?

Thanks,
Steve
Regards

Geza
Hi Geza

OK. Now on Ubuntu. I have k5init installed and have made a host
principal:

klist -k /etc/host.keytab
Keytab name: WRFILE:/etc/host.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    1 host/hh3.s...@hh3.site
    1 host/hh3.s...@hh3.site
    1 host/hh3.s...@hh3.site

Just to be sure I have:
  ls -la /etc/host.keytab
-rw-rw-rw- 1 root root 193 2012-01-18 11:34 /etc/host.keytab

cat /etc/default/nslcd
# Defaults for nslcd init script

# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
K5START_START="yes"

# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/host.keytab
K5START_CCREFRESH=60
#K5START_PRINCIPAL="host/$(hostname -f)"
K5START_PRINCIPAL="host/HH3.SITE -f"

I did kinit Administrator and have a cache in /tmp/krbcc_0

cat /etc/nslcd.conf
uid nslcd
gid nslcd

uri ldap://127.0.0.1

base dc=hh3,dc=site

binddn cn=Administrator,cn=Users,dc=hh3,dc=site

map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    shadow uid              sAMAccountName

sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

But:

  service nslcd restart
  * Restarting LDAP connection daemon
nslcd                               [ OK ]
  * Stopping Keep alive Kerberos ticket
k5start                                  No process in pidfile
'/var/run/nslcd/k5start_nslcd.pid' found running; none killed.

[ OK ]
  * Starting Keep alive Kerberos ticket
k5start                                  k5start: error getting
credentials: Client not found in Kerberos database

[fail]

[ OK ]

and Samba gives:
Kerberos: AS-REQ host/hh3.s...@hh3.site from ipv4:192.168.1.3:38618
for krbtgt/hh3.s...@hh3.site
Kerberos: UNKNOWN -- host/hh3.s...@hh3.site: no such entry found in hdb

Why isn't the host principal being found?

Ahhgg!!
Where to start?
Any ideas?
Cheers,
Steve

Hi,

First of all, /etc/host.keytab shouldn't be writable. But that is a
different story.
On the other hand, Kerberos could get confused by having a host principal
for the realm name (I've seen that your realm is named HH3.SITE and your host
principal is host/HH3.SITE). I would create a special
nslcd-domain-account and extract the keytab for it, and use that
account+keytab. Or, if you prefer, create a host account for each host you
have and extract a keytab for each of them. The example I've sent you
uses the second method ($(hostname -f) returns the fqdn if it is set in
/etc/hostname; a common mistake is to have just the first part set in
that file).
Other possible error sources could be:
K5START_PRINCIPAL="host/HH3.SITE -f" <- You definitely don't need a -f
there!
I wouldn't use a binddn with a SASL bind.

Regards

Geza
Progress:
 klist -k /etc/krb5.keytab | grep host-account
   1 host-acco...@hh3.site
   1 host-acco...@hh3.site
   1 host-acco...@hh3.site

cat /etc/default/nslcd
K5START_START="yes"
# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host-acco...@hh3.site"

service nslcd restart
Kerberos: AS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:49240 for krbtgt/hh3.s...@hh3.site
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- host-acco...@hh3.site
Kerberos: Looking for ENC-TS pa-data -- host-acco...@hh3.site
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- host-acco...@hh3.site
Kerberos: AS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:35595 for krbtgt/hh3.s...@hh3.site
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- host-acco...@hh3.site
Kerberos: Looking for ENC-TS pa-data -- host-acco...@hh3.site
Kerberos: ENC-TS Pre-authentication succeeded -- host-acco...@hh3.site using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-01-19T11:19:01 starttime: unset endtime: 2012-01-19T21:19:01 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok

 service nslcd restart
 * Restarting LDAP connection daemon nslcd    [ OK ]
 * Stopping Keep alive Kerberos ticket k5start    [ OK ]
 * Starting Keep alive Kerberos ticket k5start    [ OK ]

getent passwd
syslog gives:
Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] failed to bind to LDAP server ldap://hh3.hh3.site: Unknown authentication method: Operation now in progress
Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] no available LDAP server found
samba gives:
ldb_wrap open of secrets.ldb
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

The only way I can bind is by removing the sasl_mech GSSAPI and giving the binddn and bindpw in /etc/nslcd.conf

So I'm stuck with 'Unknown authentication method'. Are we sure that nslcd can bind using Kerberos?

Thanks for your patience,
Steve
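The thread turns on four small mismatches between /etc/default/nslcd and /etc/nslcd.conf: a world-writable keytab, a stray "-f" in K5START_PRINCIPAL, a host principal named after the realm instead of the fqdn, and a binddn kept alongside sasl_mech GSSAPI. The script below is an added example, not from the thread or the nslcd project; its function names are hypothetical and it lints constructed copies of the two files (a "broken" variant mirroring Steve's second attempt and a "fixed" one following Geza's advice) rather than the live system files.

```shell
#!/bin/sh
# Added example: lint /etc/default/nslcd and /etc/nslcd.conf for the four
# mistakes discussed in the thread. Function and file names are hypothetical.

# Write constructed copies of the two files into DIR. "broken" mirrors the
# second attempt in the thread, "fixed" the recommended state. The keytab is
# an empty dummy file; only its mode matters here.
write_sample_files() {
    dir="$1" variant="$2"
    : > "$dir/host.keytab"
    if [ "$variant" = broken ]; then
        chmod 666 "$dir/host.keytab"
        principal='host/HH3.SITE -f'; bind='binddn cn=Administrator,cn=Users,dc=hh3,dc=site'
    else
        chmod 600 "$dir/host.keytab"
        principal='host-account@HH3.SITE'; bind=''
    fi
    printf 'K5START_START="yes"\nK5START_KEYTAB=%s\nK5START_PRINCIPAL="%s"\n' \
        "$dir/host.keytab" "$principal" > "$dir/default"
    printf 'uri ldap://127.0.0.1\nbase dc=hh3,dc=site\n%s\nsasl_mech GSSAPI\nsasl_realm HH3.SITE\nkrb5_ccname /tmp/krb5cc_0\n' \
        "$bind" > "$dir/nslcd.conf"
}

# Print one finding per line; print nothing when the pair looks consistent.
lint_nslcd_gssapi() {
    defaults="$1" conf="$2"
    keytab=$(sed -n 's/^K5START_KEYTAB=//p' "$defaults" | tr -d '"')
    if [ -n "$keytab" ] && [ -e "$keytab" ]; then
        mode=$(stat -c %a "$keytab" 2>/dev/null || stat -f %Lp "$keytab")
        case "$mode" in
            600|400) ;;
            *) echo "keytab $keytab has mode $mode; should be 600 (never world-writable)" ;;
        esac
    fi
    principal=$(sed -n 's/^K5START_PRINCIPAL=//p' "$defaults" | tr -d '"')
    case "$principal" in *" -f"*) echo "stray -f in K5START_PRINCIPAL: $principal" ;; esac
    realm=$(sed -n 's/^sasl_realm[[:space:]]*//p' "$conf")
    case "$principal" in
        host/"$realm"|host/"$realm"" "*) echo "host principal uses the realm name, not the fqdn: $principal" ;;
    esac
    if grep -q '^sasl_mech[[:space:]]*GSSAPI' "$conf"; then
        grep -Eq '^bind(dn|pw)' "$conf" && echo "binddn/bindpw set alongside sasl_mech GSSAPI; drop them"
        grep -q '^krb5_ccname' "$conf" || echo "sasl_mech GSSAPI without krb5_ccname; k5start is not started by default"
    fi
}

# Stand-alone run: the broken variant yields four findings, the fixed one none.
tmp=$(mktemp -d)
write_sample_files "$tmp" broken; lint_nslcd_gssapi "$tmp/default" "$tmp/nslcd.conf"
write_sample_files "$tmp" fixed;  lint_nslcd_gssapi "$tmp/default" "$tmp/nslcd.conf"
rm -r "$tmp"
```

To check a real host, call lint_nslcd_gssapi /etc/default/nslcd /etc/nslcd.conf instead of the constructed files; the stat call assumes GNU coreutils with a BSD fallback.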