Quinn Plattel
2012-Jul-12 08:41 UTC
[Samba] nslcd service - "Client not found in Kerberos database"
Hi,

I am trying to configure the nslcd service on an Ubuntu client for Kerberos authentication against samba4. My /etc/nslcd.conf contains the following:

    uid nslcd
    gid nslcd
    uri ldapi:///cofil01.mydomain.net
    base dc=mydomain,dc=net
    sasl_mech GSSAPI
    krb5_ccname FILE:/tmp/host.tkt

I have added the host principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" to /etc/krb5.keytab on both the samba4 server and the client by using ktutil. I have confirmed that the principals exist on both machines by using klist -ke /etc/krb5.keytab. "hostname -f" gives me the fully qualified domain name for the client.

If I restart the nslcd service, I get the following error on the client:

    * Starting Keep alive Kerberos ticket k5start
    k5start: error getting credentials: Client not found in Kerberos database

On the samba4 server side, in the /var/log/samba/log.samba file, I get the following errors:

    Kerberos: AS-REQ host/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:10.45.1.55:34456 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
    Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb

It says "no such entry found in hdb". Does hdb refer to the /etc/krb5.keytab principal database, or is it referring to a database that I don't know about?

Note: I have put spaces around all "@" so the list does not interpret them as e-mail addresses.

br,
Quinn
Quinn Plattel
2012-Jul-12 09:07 UTC
[Samba] nslcd service - "Client not found in Kerberos database"
OK, I did a simple GSSAPI test on the client with ldapsearch using "ldapsearch -Y GSSAPI" and I get "Server not found in Kerberos database". In log.samba on the server, it gives:

    Kerberos: TGS-REQ user @ MYDOMAIN.NET from ipv4:10.45.1.55:48879 for ldap/ubuntu-test.mydomain.net @ MYDOMAIN.NET [renewable, proxiable, forwardable]
    Kerberos: Server not found in database: ldap/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb
    Kerberos: Failed building TGS-REP to ipv4:10.45.1.55:48879

I have added "ldap/ubuntu-test.mydomain.net @ MYDOMAIN.NET" into the server's /etc/krb5.keytab file using ktutil, but the error still comes up. It is as if Kerberos is not checking the /etc/krb5.keytab file. Any ideas?

br,
Quinn

On Thu, Jul 12, 2012 at 10:41 AM, Quinn Plattel <qiet72 at gmail.com> wrote:
> Hi,
>
> I am trying to configure the nslcd service on an Ubuntu client for
> kerberos authentication against samba4. My /etc/nslcd.conf contains the
> following:
>
> uid nslcd
> gid nslcd
> uri ldapi:///cofil01.mydomain.net
> base dc=mydomain,dc=net
> sasl_mech GSSAPI
> krb5_ccname FILE:/tmp/host.tkt
>
> I have added the host principal "host/ubuntu-test.mydomain.net @
> MYDOMAIN.NET" to /etc/krb5.keytab on both the samba4 server and the
> client by using ktutil. I have confirmed that the principals exist on both
> machines by using klist -ke /etc/krb5.keytab.
> "hostname -f" gives me the fully qualified domain name for the client.
>
> If I restart the nslcd service, I get the following error on the client:
> * Starting Keep alive Kerberos ticket k5start
> k5start: error getting credentials: Client not found in Kerberos database
>
> On the samba4 server side, in the /var/log/samba/log.samba file, I get
> following errors:
> Kerberos: AS-REQ host/ubuntu-test.mydomain.net @ MYDOMAIN.NET from ipv4:
> 10.45.1.55:34456 for krbtgt/MYDOMAIN.NET @ MYDOMAIN.NET
> Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no
> such entry found in hdb
>
> It says "no such entry found in hdb", does hdb refer to the
> /etc/krb5.keytab principal database or is it referring to a database that I
> don't know about?
>
> Note: I have put spaces around all "@" so the list does not interpret them
> as e-mail addresses.
>
> br,
> Quinn
steve
2012-Jul-12 13:08 UTC
[Samba] nslcd service - "Client not found in Kerberos database"
On 12/07/12 10:41, Quinn Plattel wrote:
> Hi,
>
> I am trying to configure the nslcd service on an Ubuntu client for kerberos
> authentication against samba4. My /etc/nslcd.conf contains the following:
>
> uid nslcd
> gid nslcd
> uri ldapi:///cofil01.mydomain.net
> base dc=mydomain,dc=net
> sasl_mech GSSAPI
> krb5_ccname FILE:/tmp/host.tkt

Hi Quinn

It can't authenticate because it doesn't know which principal to use.

1. Include the realm after the GSSAPI line:

    sasl_realm MYDOMAIN.NET

2. Create an AD user, e.g. nslcd-service:

    samba-tool user add nslcd-service

3. Extract the keytab:

    samba-tool domain exportkeytab /etc/nslcd.keytab --principal=nslcd-service

4. Edit /etc/default/nslcd to contain:

    K5START_START="no"

5. Start the service:

    k5start -f /etc/nslcd.keytab -U -o nslcd -K 540 -k /tmp/host.tkt &
    service nslcd start

That's it.

HTH
Cheers,
Steve
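As an added example (not from anyone in the thread), a small Python parser that correlates the "no such entry found in hdb" lines Quinn quoted with the AS-REQ or TGS-REQ line preceding them and reports whether the client principal or the requested service principal is the one the KDC does not know. The hdb here is the Heimdal KDC's principal database, which in Samba 4 is the AD directory itself rather than /etc/krb5.keytab, so a principal that exists only in a keytab stays unknown to the KDC, which is why Steve's fix creates an account. The sample log text is constructed from the thread's lines with the list-safety spaces around "@" and the line-wrap spaces removed.

```python
import re
from dataclasses import dataclass

# Constructed sample: the log.samba lines quoted in the thread, with the
# spaces the poster added around "@" (and line-wrap spaces) removed.
SAMPLE_LOG = """\
Kerberos: AS-REQ host/ubuntu-test.mydomain.net@MYDOMAIN.NET from ipv4:10.45.1.55:34456 for krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net@MYDOMAIN.NET: no such entry found in hdb
Kerberos: TGS-REQ user@MYDOMAIN.NET from ipv4:10.45.1.55:48879 for ldap/ubuntu-test.mydomain.net@MYDOMAIN.NET [renewable, proxiable, forwardable]
Kerberos: Server not found in database: ldap/ubuntu-test.mydomain.net@MYDOMAIN.NET: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:10.45.1.55:48879
"""

# Request lines name the client principal, its source address and the target.
REQ_RE = re.compile(r"Kerberos: (AS-REQ|TGS-REQ) (\S+) from (ipv4:[\d.]+:\d+) for (\S+)")
# Lookup failures name the principal the KDC could not find in its database (hdb).
MISSING_RE = re.compile(r"(\S+@[^\s:]+): no such entry found in hdb")

@dataclass
class Finding:
    principal: str
    role: str      # "client" (AS-REQ initiator) or "server" (TGS-REQ target)
    source: str    # address the failing request came from
    advice: str

def diagnose(log_text):
    """Correlate each 'no such entry found in hdb' line with the request before it."""
    findings = []
    last_req = None  # most recent AS-REQ/TGS-REQ groups, for correlation
    for line in log_text.splitlines():
        req = REQ_RE.search(line)
        if req:
            last_req = req.groups()
            continue
        miss = MISSING_RE.search(line)
        if not miss:
            continue
        principal = miss.group(1)
        kind, client, source, target = last_req or ("", "", "unknown", "")
        if kind == "AS-REQ" and principal == client:
            role, advice = "client", ("no account for this principal in the KDC's database; "
                                      "a keytab entry alone does not create one")
        elif kind == "TGS-REQ" and principal == target:
            role, advice = "server", ("no account in the directory carries this service "
                                      "principal; the KDC never consults the service's keytab")
        else:
            role, advice = "unknown", "could not correlate with a preceding request"
        findings.append(Finding(principal, role, source, advice))
    return findings
```

Running `diagnose(SAMPLE_LOG)` yields one "client" finding for the host principal (Quinn's first error) and one "server" finding for the ldap principal (the ldapsearch test).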