Hi everyone
I'm using nslcd to connect to Samba 4 LDAP. If I specify the binddn and bindpw in /etc/nslcd.conf, no problem: getent passwd works and everything is mapped just fine.

But when I try to do a kerberized bind to Samba 4 LDAP, I get this:

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:33002 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server ldap/hh3.s...@hh3.site that was not found
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/s...@hh3.site: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:33002

OK fine. So I use samba-tool to make a principal ldap/hh3.site and stick it in a keytab. I use kinit to get a ticket for the principal holder. Now that it can find the principal I get this error:

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:33982 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-19T23:22:44 starttime: 2012-01-19T23:25:59 endtime: 2012-01-20T09:22:44 renew till: 2012-01-20T23:22:38
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed

I think that this has something to do with what the KDC has and what the keytab has. The KDC and the keytab are on the same openSUSE machine. Deleting the principal brings me back to the first error and recreating it to the second.

Can any Kerberos gurus help me with this one?
Thanks
Steve
