Hi
After starting Samba 4, before anyone can do anything, Administrator has to do a kinit to get a new ticket. This creates a cache /tmp/krb5cc_0 with an expiry time.

I've created a host principal and put it into the keytab:
samba-tool spn add host someuser
samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE

How can I keep Samba 4 up without having to get a new Administrator ticket every 10 hours?

Thanks,
Steve
On 2012-01-11 23:48, steve wrote:
> Hi
> After starting Samba 4, before anyone can do anything, Administrator
> has to do a kinit to get a new ticket. This creates a cache
> /tmp/krb5cc_0 with an expiry time.
>
> I've created a host principal and put it into the keytab:
> samba-tool spn add host someuser
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE
>
> How can I keep Samba 4 up without having to get a new Administrator
> ticket every 10 hours?
>
> Thanks,
> Steve
>

That looks really strange. Could you send your smb.conf and the output from ls -R /path/to/your/samba4/installation (assuming you aren't using some prepackaged version, but you've done a classic configure, make, make install)? I've cc-ed samba-technical.

Regards
Geza
On 14 January 2012 01:28, steve <steve at steve-ss.com> wrote:
> On 13/01/12 23:36, Michael Wood wrote:
>>
>> On 14 January 2012 00:01, steve <steve at steve-ss.com> wrote:
>>>
>>> On 13/01/12 19:22, Gémes Géza wrote:
>>
>> [...]
>>>>
>>>> It doesn't need to have anything to do with the host principal. You
>>>> could have a very unique nslcd service account.
>>>
>>> Yes. I have that account: nslcd-user. I can create a keytab for
>>> nslcd-user, let's say nslcd-user.keytab. Now, what is the syntax of
>>> the line to add to nslcd.conf? There seems to be no way to specify that.
>>
>> Does this not work, as per the link that Géza pointed you to earlier
>> in this thread?
>>
>> krb5_ccname /var/run/nslcd/nslcd.tkt
>>
> No, 'fraid not. The only stuff in /var/run/nslcd are:
> nslcd.pid  socket
> I've commented out the line and it still works without having a cache. I'd
> still like to work it out though.

No, you misunderstand. You create the keytab (e.g. to /var/run/nslcd/nslcd.tkt) and then tell nslcd where it is by using the krb5_ccname option.

I don't know a huge amount about Kerberos, so I don't know what the difference is between a ticket/credentials cache and a keytab file.

"ccname" == "credentials cache name"

Hope the above helps :)

-- 
Michael Wood <esiotrot at gmail.com>
On 14 January 2012 01:24, steve <steve at steve-ss.com> wrote:
> On 13/01/12 23:46, Michael Wood wrote:
>>
>> On 13 January 2012 14:00, steve <steve at steve-ss.com> wrote:
>> [...]
>>>
>>> OK
>>> Getting somewhere. I've got rid of the Kerberos: Server not found in
>>> database: krbtgt/SITE at HH3.SITE error.
>>>
>>> Now samba 4 is giving me this:
>>>
>>> ldb_wrap open of secrets.ldb
>>> Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
>>> NT_STATUS_CONNECTION_DISCONNECTED'
>>> single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
>>> NT_STATUS_CONNECTION_DISCONNECTED]
>>>
>>> and /var/log/messages this:
>>>
>>> Jan 13 12:19:39 hh3 nslcd[3465]: GSSAPI Error: Unspecified GSS failure.
>>>  Minor code may provide more information (Credentials cache permissions
>>> incorrect)
>>
>> What are the permissions on /usr/local/samba,
>
> drwxr-xr-x 11 root root 4096 Jan 13 04:48 samba
> drwxr-xr-x  9 root root 4096 Jan 14 00:19 private

OK, although private could probably be a bit tighter.

>> /usr/local/samba/private
>
>
>> and /usr/local/samba/private/secrets.tdb?
>
> -rw------- 1 root root 1286144 Jan 13 04:51 secrets.ldb

Fine.

>> And also your keytab and
>> the directory it's in.
>
> drwxr-xr-x 118 root root 12288 Jan 13 23:55 etc
> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab

That's fine, but is that what nslcd is using?

>>> Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] failed to bind to LDAP server
>>> ldap://localhost: Local error
>>> Jan 13 12:19:39 hh3 nslcd[3465]: [8b4567] no available LDAP server found
>>>
>>> Finally got the new git working. Something must have changed since the
>>> last checkout I used because I had to comment out the:
>>>
>>> sasl_mech GSSAPI
>>>
>>> in /etc/nslcd.conf
>>
>> This is probably related to the above error, i.e. it's refusing to
>> use GSSAPI because you have bad permissions somewhere.
>>
> The perms are above, but it makes me none the wiser. Any ideas what these
> permissions should be? What am I losing by not using GSSAPI?
> Thanks
> Steve

-- 
Michael Wood <esiotrot at gmail.com>
On 14 January 2012 12:52, steve <steve at steve-ss.com> wrote:
> On 14/01/12 03:19, Michael Wood wrote:
>>
>> On 14 January 2012 01:24, steve <steve at steve-ss.com> wrote:
[...]
>>> drwxr-xr-x 118 root root 12288 Jan 13 23:55 etc
>>> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>
>> That's fine, but is that what nslcd is using?
>
> Ah. Well spotted! The nslcd docs recommend you run it as a separate user,
> so I created a user and group for nslcd and specified them in nslcd.conf.
> nslcd is running as nslcd:nslcd. So nslcd can't get inside the keytab. Is
> that correct? (can't test it as am not by the DC at the moment)

Sounds likely.

So you probably need to export a keytab for your nslcd principal to a new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd has permission to read it. No other user should have read access.

-- 
Michael Wood <esiotrot at gmail.com>
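An added check in the spirit of the advice above, not part of the thread or of nslcd/Samba: it verifies that a file nslcd must read privately (a keytab holding the service's long-term key, or the credentials cache named by krb5_ccname that holds its tickets, which is what the "Credentials cache permissions incorrect" error earlier in the thread refers to) is owned by the service account, carries no group or world permission bits, and does not sit in a world-writable directory. It assumes GNU coreutils stat (Linux); the path and user names are arguments, and the commented invocation at the end uses the thread's example path.

```shell
#!/bin/sh
# check_keytab_access FILE USER
# Verify that FILE (a keytab, or the ccache named by krb5_ccname) is
# private to the service account USER: owned by USER, no group/other
# permission bits, and not sitting in a world-writable directory.
# Exit codes: 0 ok, 1 missing, 2 wrong owner, 3 too permissive,
# 4 directory world-writable. Assumes GNU coreutils stat (Linux).
check_keytab_access() {
    file=$1
    svc_user=$2
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist" >&2
        return 1
    fi
    owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$owner" != "$svc_user" ]; then
        # The thread's case: a root:root keytab while nslcd runs as nslcd:nslcd
        echo "FAIL: $file is owned by $owner, but $svc_user must read it" >&2
        return 2
    fi
    # %a prints octal such as 600 or 644; the last two digits are the
    # group and other bits, and both must be zero.
    case "$mode" in
        *00) ;;
        *)  echo "FAIL: $file has mode $mode; only $svc_user should read it" >&2
            return 3 ;;
    esac
    dir=$(dirname "$file")
    dmode=$(stat -c '%a' "$dir")
    # A world-writable directory lets any local user replace the file.
    case "$dmode" in
        *[2367]) echo "FAIL: $dir is world-writable (mode $dmode)" >&2
                 return 4 ;;
    esac
    echo "OK: $file mode $mode owner $owner"
    return 0
}

# Invocation for the path suggested in the thread (hypothetical host):
# check_keytab_access /var/run/nslcd/nslcd.tkt nslcd
```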
On 01/15/2012 10:23 PM, Michael Wood wrote:
> On 15 January 2012 18:32, steve <steve at steve-ss.com> wrote:
>> On 01/15/2012 04:04 PM, Michael Wood wrote:
>>> On 14 January 2012 12:52, steve <steve at steve-ss.com> wrote:
>>>> On 14/01/12 03:19, Michael Wood wrote:
>>>>> On 14 January 2012 01:24, steve <steve at steve-ss.com> wrote:
>>> [...]
>>>>>> drwxr-xr-x 118 root root 12288 Jan 13 23:55 etc
>>>>>> -rw------- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>>>> That's fine, but is that what nslcd is using?
>>>> Ah. Well spotted! The nslcd docs recommend you run it as a separate
>>>> user, so I created a user and group for nslcd and specified them in
>>>> nslcd.conf. nslcd is running as nslcd:nslcd. So nslcd can't get inside
>>>> the keytab. Is that correct? (can't test it as am not by the DC at the
>>>> moment)
>>> Sounds likely.
>>>
>>> So you probably need to export a keytab for your nslcd principal to a
>>> new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd
>>> has permission to read it. No other user should have read access.
>>>
>> The problem is that I can't have a principal for nslcd. IOW I can't do this:
>> samba-tool spn add nslcd some-user
> I must admit that I don't know why you can't do something like this:
>
> # samba-tool user create nslcd-user --random-password
> User 'nslcd-user' created successfully
> # samba-tool spn add nslcd/hh3.hh3.site nslcd-user
> # samba-tool spn list nslcd-user
> nslcd-user
> User CN=nslcd-user,CN=Users,DC=hh3,DC=site has the following
> servicePrincipalName:
> nslcd/hh3.hh3.site
> # samba-tool domain exportkeytab --principal=nslcd/hh3.hh3.site nslcd.keytab
> # ls -l nslcd.keytab
> -rw------- 1 root root 253 2012-01-15 23:10 nslcd.keytab
>
> If that works, try getting nslcd to use it.
>

Hi Michael.
The problem is this:

root at hh3:/home/steve# samba-tool user add nslcd-user
New Password:
User 'nslcd-user' created successfully
root at hh3:/home/steve# samba-tool spn add nslcd nslcd-user
root at hh3:/home/steve# samba-tool domain exportkeytab nslcd.keytab --principal=nslcd/HH3.SITE
ERROR(runtime): uncaught exception - Key table entry not found
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
    net.export_keytab(keytab=keytab, principal=principal)
root at hh3:/home/steve# samba-tool domain exportkeytab --principal=nslcd/hh3.hh3.site nslcd.keytab
ERROR(runtime): uncaught exception - Key table entry not found
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
    net.export_keytab(keytab=keytab, principal=principal)

And finally, just for good measure:

root at hh3:/home/steve# samba-tool domain exportkeytab --principal=nslcd/HH3.SITE nslcd.keytab
ERROR(runtime): uncaught exception - Key table entry not found
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
    net.export_keytab(keytab=keytab, principal=principal)

i.e., unlike host and nfs, nslcd cannot be made into a principal to put in a keytab. Do you think that the host principal will take care of this even though it is in root:root /etc/krb5.keytab and nslcd is running as nslcd-user?

Anyway, just 4 hours to go to see if the world collapses when steve2's ticket expires. Meanwhile, he's been creating and editing files on both win 7 and Linux clients without once being asked for a password.

As you say, fingers crossed. Do I win 10 euros!

Cheers,
Steve
(Apologies, forgot to send only to the list.)

On 01/16/2012 07:18 PM, steve wrote:
>
>> Well, either it will need to have the password hard coded in the
>> config file like you have it at the moment, I believe, or it will need
>> a ticket to access the directory.
>>
>>> Anyway, I've a 10 hour experiment in progress as on the other thread.
>>> Fingers crossed!
> Well, 24 hours later and nslcd is still running and still mapping uids
> and gids from LDAP both over the nfs4 network and on the Samba 4
> server itself. The /tmp/krbcc_0 ticket cache for steve2 got destroyed
> at some stage but steve2 can still log on OK without doing a kinit. He
> does of course have to give his password to log on, but not to access
> anything else, e.g. his roaming profile on an nfs share. One annoying
> thing is that on a Linux client, xscreensaver will not deactivate
> using steve2's kerberos password. He's locked out.
>
> Cheers
> Steve