Since I couldn't get 10.04 to work, I built a server with the base 12.04 
install and added the required packages per the documents suggested earlier, except 
I didn't install any samba packages. This has worked and I can now log onto the 
new server with all the original accounts. I have no idea why 10.04 didn't work 
except for the warning about sasl not being complete ... 

----- Original Message -----
From: dahopk...@comcast.net 
To: "steve" <st...@steve-ss.com> 
Cc: samba@lists.samba.org 
Sent: Friday, July 26, 2013 11:23:33 AM 
Subject: Re: [Samba] Question on approach to authenticate Linux against Samba4 


Thank you for the help ... seems like almost there but .. short version .. 
getent passwd doesn't retrieve any information from the samba4 DC. Seems that 
nslcd tries to use a simple bind and not Kerberos, but I think I have nslcd.conf 
set correctly. Rest of story, see below. 

>For good measure add the DC to /etc/hosts on the client. 

Done 

>> Step 6: I already have samba-common, and samba-common-bin (latest for 
>> 10.04) installed. 

The directions I'm following have two different locations for the ticket cache 
... shouldn't make a difference as long as I am consistent in specifying where 
the tickets are located. I also had to install kstart on 10.04. 

> 10.04 . Did these go in OK? 
> sasl2-bin libsasl2-2 libsasl2-modules libsasl2-modules-gssapi-mit 

There weren't any errors in the log for installing these. But authentication 
still isn't working. 
I can start nslcd and get the warning about sasl_mech and sasl_realm. 

Starting nslcd from the command line, there is an error concerning 
/var/run/nslcd/socket but not sure if this is the issue. 
>nslcd -d 
nslcd: DEBUG: add_uri(ldap://10.179.2.25/) 
nslcd: /etc/nslcd.conf:18: option sasl_mech is currently not fully supported 
(please report any successes) 
nslcd: /etc/nslcd.conf:19: option sasl_realm is currently not fully supported 
(please report any successes) 
nslcd: version 0.7.2 starting 
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file 
or directory 
nslcd: DEBUG: setgroups(0,NULL) done 
nslcd: DEBUG: setgid(130) done 
nslcd: DEBUG: setuid(125) done 
nslcd: accepting connections 

I can then try getent passwd but that also fails (getent only returns the local 
accounts) ... nslcd returns the following: 

.... 
nslcd: [334873] DEBUG: connection from pid=6647 uid=0 gid=0 
nslcd: [334873] DEBUG: nslcd_passwd_all() 
nslcd: [334873] DEBUG: myldap_search(base="dc=ncs,dc=k12,dc=de,dc=us", 
filter="(objectClass=posixAccount)") 
nslcd: [334873] DEBUG: ldap_initialize(ldap://10.179.2.25/) 
nslcd: [334873] DEBUG: ldap_set_rebind_proc() 
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3) 
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0) 
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0) 
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0) 
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0) 
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON) 
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON) 
nslcd: [334873] DEBUG: ldap_simple_bind_s(NULL,NULL) 
(uri="ldap://10.179.2.25/") 
nslcd: [334873] connected to LDAP server ldap://10.179.2.25/ 
nslcd: [334873] ldap_result() failed: Operations error 

I'm going to guess it is the simple bind, but I'm not sure how to force use of 
Kerberos. I can get tickets for any valid account, but I am missing something 
for the authentication. nslcd is using the keytab to get tickets. My 
pre-existing ldap approach had allowed the simple bind, but how do I now change 
it for Kerberos? 

> > I'd assume I need to uninstall these and install samba4 instead 
> >(especially as step 8 is to join the domain). 

>No. You only need enough of samba on the client to get the net command 
>to join the domain. Any old version of samba will do. What you have is 
>more than enough. 

Joining the domain works .. net ads info returns: 

>net ads info 
LDAP server: 10.179.2.25 
LDAP server name: ncssamba1.ncs.k12.de.us 
Realm: NCS.K12.DE.US 
Bind Path: dc=NCS,dc=K12,dc=DE,dc=US 
LDAP port: 389 
Server time: Fri, 26 Jul 2013 10:11:49 EDT 
KDC server: 10.179.2.25 
Server time offset: 0 

In nslcd.conf, I have 
map passwd uid sAMAccountName 
map passwd homeDirectory unixHomeDirectory 
sasl_mech GSSAPI 
sasl_realm NCS.K12.DE.US 
krb5_ccname /tmp/nslcd.tkt 

Note: I'm not sure why the attribute is sAMAccountName instead of 
samAccountName but that is what is shown if I dump the ldap database via 
slapcat. Also, I can change passwords as well as all other information using 
ADUC on a Windows 2008 server without issues. Just can't seem to figure out how 
to get nslcd to bind correctly. 

Sincerely, 
Dave Hopkins 
-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba 
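The trace in the quoted message shows nslcd calling ldap_simple_bind_s(NULL,NULL) even though nslcd.conf asks for sasl_mech GSSAPI: that is an anonymous bind, and the search then fails with "Operations error". The shell script below is added here and is not part of the thread; it cross-checks an nslcd.conf against "nslcd -d" output to report which bind was really performed. Its config and log fragments are constructed to mirror the thread, and the ldap_sasl_interactive_bind_s pattern used to recognise a SASL bind is an assumption about nslcd's debug output.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): cross-check nslcd.conf against "nslcd -d"
# output to show which LDAP bind nslcd really performed. Samples are constructed.

# Configured SASL mechanism from an nslcd.conf (prints nothing when unset).
configured_sasl_mech() {
    awk '$1 == "sasl_mech" { print $2; exit }' "$1"
}

# Classify the bind recorded in an "nslcd -d" log.
bind_method_from_log() {
    if grep -q 'ldap_simple_bind_s(NULL,NULL)' "$1"; then
        echo anonymous-simple      # no DN, no password: an anonymous bind
    elif grep -q 'ldap_simple_bind_s(' "$1"; then
        echo simple                # DN + password sent over the wire
    elif grep -q 'ldap_sasl_interactive_bind_s' "$1"; then
        echo sasl                  # SASL (GSSAPI/Kerberos) bind; pattern is assumed
    else
        echo unknown
    fi
}

# One-line verdict: does the observed bind match what nslcd.conf requested?
check_bind() {
    mech=$(configured_sasl_mech "$1")
    method=$(bind_method_from_log "$2")
    if [ -n "$mech" ] && [ "$method" != sasl ]; then
        verdict="MISMATCH: sasl_mech $mech configured but observed bind method was $method"
        # nslcd 0.7.x itself warns that it does not fully support sasl_mech
        if grep -q 'option sasl_mech is currently not fully supported' "$2"; then
            verdict="$verdict (this nslcd build warns sasl_mech is not fully supported)"
        fi
        echo "$verdict"
    elif [ "$method" = anonymous-simple ]; then
        echo "WARNING: anonymous bind; an AD DC typically refuses the search with Operations error"
    else
        echo "ok: $method bind"
    fi
}

# Constructed samples mirroring the thread's nslcd.conf and debug trace.
SAMPLE_CONF=$(mktemp) && SAMPLE_LOG=$(mktemp)
printf '%s\n' 'uri ldap://10.179.2.25/' 'base dc=ncs,dc=k12,dc=de,dc=us' \
    'map passwd uid sAMAccountName' 'sasl_mech GSSAPI' \
    'sasl_realm NCS.K12.DE.US' 'krb5_ccname /tmp/nslcd.tkt' >"$SAMPLE_CONF"
printf '%s\n' \
    'nslcd: /etc/nslcd.conf:18: option sasl_mech is currently not fully supported' \
    'nslcd: [334873] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://10.179.2.25/")' \
    'nslcd: [334873] ldap_result() failed: Operations error' >"$SAMPLE_LOG"
check_bind "$SAMPLE_CONF" "$SAMPLE_LOG"
```

Point the two functions at the real /etc/nslcd.conf and a saved "nslcd -d" capture to run the same check on a live client.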