Steve,
An alternate workaround to steps 3,4,5 is to do the following:
3: samba-tool domain exportkeytab /etc/krb5.keytab --principal=nslcd-service
4: edit /etc/default/nslcd and add the line:
K5START_PRINCIPAL=nslcd-service
5: start nslcd with service nslcd start
So now we have two principals we
On 16/07/12 15:18, Quinn Plattel wrote:
Steve,
An alternate workaround to steps 3,4,5 is to do the following:
3: samba-tool domain exportkeytab /etc/krb5.keytab --principal=nslcd-service
4: edit /etc/default/nslcd and add the line:
K5START_PRINCIPAL=nslcd-service
5: start nslcd with service
Hi,
I am trying to configure the nslcd service on an Ubuntu client for Kerberos
authentication against samba4. My /etc/nslcd.conf contains the following:
uid nslcd
gid nslcd
uri ldapi:///cofil01.mydomain.net
base dc=mydomain,dc=net
sasl_mech GSSAPI
krb5_ccname FILE:/tmp/host.tkt
I have added
OK, I did a simple GSSAPI test on the client with ldapsearch using
ldapsearch -Y GSSAPI and I get Server not found in Kerberos database.
In log.samba on the server, it gives:
Kerberos: TGS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:48879 for ldap/ubuntu-test.mydomain.net @ MYDOMAIN.NET
On 12/07/12 10:41, Quinn Plattel wrote:
Hi,
I am trying to configure the nslcd service on an Ubuntu client for Kerberos
authentication against samba4. My /etc/nslcd.conf contains the following:
uid nslcd
gid nslcd
uri ldapi:///cofil01.mydomain.net
base dc=mydomain,dc=net
sasl_mech GSSAPI
Hi Steve,
Thanks for the info - that helps a lot!
I can see that the /etc/init.d/nslcd script in Ubuntu needs modifying in
order for k5start to work. It uses -u to specify an alternate principal
which you don't use in your example.
The script uses host/client.example.com as an alternate
On 12/07/12 20:30, Quinn Plattel wrote:
Hi Steve,
Thanks for the info - that helps a lot!
I can see that the /etc/init.d/nslcd script in Ubuntu needs modifying in
order for k5start to work. It uses -u to specify an alternate principal
which you don't use in your example.
The script uses