Thanks for the answer, will check soon. Joining the machine actually works as far as I understand: it creates the computer object in LDAP and is visible in the AD management utility.
But it doesn't write any local /etc/krb5.keytab, which I assume SSSD or the krb5 tools will use, no?

Want to try your additional smb.conf parameters and I'll come back to you.

Thanks a lot so far
Cheers
Josh

-----Original Message-----
From: sssd-devel-boun...@lists.fedorahosted.org [mailto:sssd-devel-boun...@lists.fedorahosted.org] On Behalf Of John Hodrien
Sent: Wednesday, 23 November 2011 22:30
To: Development of the System Security Services Daemon
Subject: Re: [SSSD] GSSAPI and Kerberos - understanding question

On Wed, 23 Nov 2011, Josh Geisser wrote:

> Hi list
>
> I'm sure I have gaps of understanding of how to use SSSD without using plain
> binding-user credentials in the configfile. I followed the guide for Win2008
> although I only have 2003 SFU - would that work?

AFAIK, yes. I've certainly contributed that with 2003 in mind.

> - I see it right that GSSAPI should enable looking up stuff in the LDAP
> using a machine-account instead of the binding-user/passwd?

Yes. I think that's the best way to do it.

> - Kerberos (which has the machine-auth-ticket) comes into play for LDAP, but
> this exceeds the basic LDAP authentication (eg. Auth via Kerberos on the
> LDAP server)? Is this enough to feed nsswitch (e.g. getent) or is an
> additional valid user/pass still required?

I'm not sure I follow. You don't need anything other than the valid keytab.

> The trouble I'm having here is the ktpasswd.exe generated-key is always
> dated at 01/01/70 01:00:00 which I guess is also the reason why ldapsearch
> -Y GSSAPI and kinit fail? 2003 behaviour?

Personally I'd not use ktpasswd and follow the "Creating Service Keytab with Samba" section. All in I'd say that's much easier when you're dealing with lots of machines, and it doesn't require Domain Administrator rights. You need samba installed (anything >3.0 should work fine with 2003 AFAIK) and a correct smb.conf (and krb5.conf).

I /think/ this would be sufficient:

[global]
workgroup = YOURDOMAIN
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
password server = your.kdc.net
realm = YOURFULLKERBEROSDOMAIN
security = ads

> The krb and ldap configuration works quite fine with bind-dn, just
> struggling with SASL/GSSAPI.

Just let us know how you get on,

jh
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
--
---- ASG at hnet
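As an added example (not part of the thread and not Samba's or SSSD's own code): once smb.conf carries "security = ads" and "kerberos method = secrets and keytab", the Samba join ("net ads join") is what should populate /etc/krb5.keytab, and the quickest sanity check before pointing SSSD at it is to read the listing from "klist -kt /etc/krb5.keytab" and confirm it contains the host SPN and the machine account principal in the expected realm. The klist output below is a constructed sample in MIT Kerberos format, and the host name, NetBIOS name and realm are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: sanity-check a keytab listing for the principals a Samba
# "net ads join" should have written for machine-account GSSAPI binds.

# Constructed sample of `klist -kt /etc/krb5.keytab` output (MIT format).
# Host name and realm are placeholders, not from the original thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/23/2011 22:30:00 host/myhost.example.com@EXAMPLE.COM
   2 11/23/2011 22:30:00 MYHOST$@EXAMPLE.COM'

# Print the principal column of every keytab entry, skipping the three
# header lines klist emits.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 3 { print $NF }'
}

# Return 0 if the listing contains the given principal exactly.
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF "$2"
}

# Return 0 only if every entry belongs to the expected realm, which catches
# a keytab generated against the wrong domain.
keytab_realm_ok() {
    keytab_principals "$1" | grep -qv "@$2\$" && return 1
    return 0
}

# A joined host needs two principals for an SSSD GSSAPI bind as the machine
# account: the host SPN and the machine account itself (NETBIOS$@REALM).
check_keytab() {
    _listing=$1; _fqdn=$2; _netbios=$3; _realm=$4
    keytab_has_principal "$_listing" "host/$_fqdn@$_realm" || return 1
    keytab_has_principal "$_listing" "$_netbios\$@$_realm" || return 1
    keytab_realm_ok "$_listing" "$_realm" || return 1
    return 0
}

# Stand-alone run against the constructed sample. On a real host replace
# SAMPLE_KLIST with "$(klist -kt /etc/krb5.keytab)" and your own names.
if check_keytab "$SAMPLE_KLIST" myhost.example.com MYHOST EXAMPLE.COM; then
    echo "keytab looks usable for a machine-account GSSAPI bind"
else
    echo "keytab is missing the expected machine principals" >&2
fi
```

The check deliberately inspects principals rather than key material: a keytab with the right principals but a stale KVNO will still fail at the KDC, so if the principals are present and kinit -k still fails, the next thing to compare is the KVNO column against the computer object in AD.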