On 19/01/12 18:35, Gémes Géza wrote:

Progress:
  klist -k /etc/krb5.keytab | grep host-account
    1 host-acco...@hh3.site
    1 host-acco...@hh3.site
    1 host-acco...@hh3.site

cat /etc/default/nslcd
K5START_START="yes"
# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host-acco...@hh3.site"

service nslcd restart
Kerberos: AS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:49240 for krbtgt/hh3.s...@hh3.site
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- host-acco...@hh3.site
Kerberos: Looking for ENC-TS pa-data -- host-acco...@hh3.site
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- host-acco...@hh3.site
Kerberos: AS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:35595 for krbtgt/hh3.s...@hh3.site
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- host-acco...@hh3.site
Kerberos: Looking for ENC-TS pa-data -- host-acco...@hh3.site
Kerberos: ENC-TS Pre-authentication succeeded -- host-acco...@hh3.site using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-01-19T11:19:01 starttime: unset endtime: 2012-01-19T21:19:01 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok

  service nslcd restart
  * Restarting LDAP connection daemon
nslcd                               [ OK ]
  * Stopping Keep alive Kerberos ticket
k5start                           [ OK ]
  * Starting Keep alive Kerberos ticket
k5start                           [ OK ]

getent passwd
syslog gives:
Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] failed to bind to LDAP server ldap://hh3.hh3.site: Unknown authentication method: Operation now in progress
Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] no available LDAP server found
samba gives:
ldb_wrap open of secrets.ldb
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

The only way I can bind is by removing the sasl_mech GSSAPI and giving
the binddn and bindpw in /etc/nslcd.conf

So I'm stuck with 'Unknown authentication method'. Are we sure that
nslcd can bind using Kerberos?

Thanks for your patience,
Steve
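As an added example (not from the thread or from any of the projects mentioned), a Python parser for the Heimdal KDC lines quoted above: it groups the log into one record per AS-REQ and flags the detail a defender would notice in this trace, namely that the client offers AES enctypes yet the exchange is negotiated with arcfour-hmac-md5. The sample log is constructed from the quoted lines, keeping the list's abbreviated principals; the finding text is my own wording.

```python
import re

# Constructed sample modelled on the Heimdal KDC lines quoted in the thread
# (the abbreviated principals are kept exactly as the mail shows them).
SAMPLE_LOG = """\
Kerberos: AS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:49240 for krbtgt/hh3.s...@hh3.site
Kerberos: Client sent patypes: 149
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- host-acco...@hh3.site
Kerberos: AS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:35595 for krbtgt/hh3.s...@hh3.site
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: ENC-TS Pre-authentication succeeded -- host-acco...@hh3.site using arcfour-hmac-md5
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
"""

WEAK = {"arcfour-hmac-md5", "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"}
STRONG = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}

AS_REQ = re.compile(r"^Kerberos: AS-REQ (\S+) from (\S+) for (\S+)")
ENC_TS_OK = re.compile(r"ENC-TS Pre-authentication succeeded -- \S+ using (\S+)")
ENCTYPES = re.compile(r"Client supported enctypes: (.*), using (\S+)/(\S+)")


def parse_kdc_log(text):
    """Group Heimdal KDC log lines into one record per AS-REQ and flag weak crypto."""
    reqs = []
    for line in text.splitlines():
        m = AS_REQ.match(line)
        if m:
            reqs.append({"client": m.group(1), "source": m.group(2), "service": m.group(3),
                         "preauth": "none", "offered": [], "negotiated": (), "findings": []})
            continue
        if not reqs:  # lines before the first AS-REQ belong to no request we track
            continue
        cur = reqs[-1]
        if "PREAUTH-REQUIRED" in line:
            cur["preauth"] = "required"  # first round trip: KDC asks for pre-auth
        elif (m := ENC_TS_OK.search(line)):
            cur["preauth"] = "ok:" + m.group(1)  # enctype the timestamp was encrypted with
        elif (m := ENCTYPES.search(line)):
            cur["offered"] = [e.strip() for e in m.group(1).split(",")]
            cur["negotiated"] = (m.group(2), m.group(3))  # the two enctypes after "using"
    for r in reqs:
        weak_used = WEAK.intersection(r["negotiated"])
        if weak_used and STRONG.intersection(r["offered"]):
            r["findings"].append(
                f"weak enctype {sorted(weak_used)} negotiated for {r['client']} although the "
                f"client offers AES; check the enctypes of the account's keys in keytab and KDC")
    return reqs


if __name__ == "__main__":
    for r in parse_kdc_log(SAMPLE_LOG):
        print(r["client"], r["source"], r["preauth"], r["negotiated"], r["findings"])
```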
Hi,

Even if you are scared to death of samba-technical, I'm posting it there
as well; maybe someone can answer the questions that arose when I tried
to check out your use case.
So I've tried first:
# ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI

gives:
SASL/GSSAPI authentication started
SASL username: administra...@kzsdabas.hu
SASL SSF: 56
SASL data security layer installed.
No such object (32)
Additional information: empty base DN at ../source4/dsdb/samdb/ldb_modules/partition.c:617

and

# ldapwhoami -H ldap://samba4.kzsdabas.hu -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: administra...@kzsdabas.hu
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
     additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
Result: Protocol error (2)
Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported

So the question is: does the Samba4 LDAP server support SASL/GSSAPI based
binding?

Cheers
Thanks Geza. You're a star.

Meanwhile, back with openSUSE some more progress:

Here is the original error:

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:56661 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-19T18:28:38 starttime: 2012-01-19T18:34:01 endtime: 2012-01-20T04:28:38 renew till: 2012-01-20T18:28:32
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed

So I extracted a keytab for ldap:

samba-tool spn add ldap/hh3.site host-account
samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
klist -k /etc/ldap.keytab
Keytab name: WRFILE:/etc/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 ldap/hh3.s...@hh3.site
   1 ldap/hh3.s...@hh3.site
   1 ldap/hh3.s...@hh3.site

NOW the error has changed:
getent passwd gives:

ldb_wrap open of secrets.ldb
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed

host-account has done a kinit and there is a cache in /tmp/krb5cc_0
/etc/nslcd.conf contains:
sasl_mech GSSAPI
#sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

I feel that this is soooo close now!
Cheers
Steve

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba