On Sat, 2013-10-26 at 12:08 +1100, me at electronico.nc wrote:
> Hi all,
>
> Well, I'm completely lost with AD authentication ...
>
> server is :
> Ubuntu 12.04.3 3.8.0-32-generic #47~precise1-Ubuntu
> Samba 4.0.10 installed (and upgraded) via git, set up as the unique Active
> Directory Domain Controller
> ( -> how to upgrade to 4.1 via git ?? )
>
> I 'just' would like the local services (let's say only dovecot and
> postfix) to be able to query AD to authenticate users.
>
> All services are running on the Ubuntu server (samba AD/DC), no other
> linux box for now.
>
> 1 Windows VM has been set up on the server to do AD tasks using the
> Administrator account.
>
> Trying to use nslcd + Kerberos:
Who are the users you wish to authenticate? According to the following,
they are domain users who have their rfc2307 attributes stored in AD. Is
this the case?
>
> created a user in AD:
> samba-tool user add ldap My_secret_password
> samba-tool user setexpiry ldap --noexpiry
>
> created spn and exported keytab:
> samba-tool spn add nslcd/serveur.radiodjiido.nc ldap
Remove this SPN. nslcd is not a service.
> samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=ldap
> chown nslcd:root /etc/krb5.nslcd.keytab
> chmod 600 /etc/krb5.nslcd.keytab
>
> configured nslcd:
> grep ^[^#] /etc/nslcd.conf
> ->
> uid nslcd
> gid nslcd
> uri ldap://serveur.radiodjiido.nc
> base DC=radiodjiido,DC=nc
> map passwd uid samAccountName
> map passwd homeDirectory unixHomeDirectory
> map passwd gecos displayName
> map passwd gidNumber primaryGroupID
> sasl_mech GSSAPI
> sasl_realm RADIODJIIDO.NC
> krb5_ccname /tmp/nslcd.tkt
>
> checking that k5start is running:
> ps ax | grep k5
> ->
> 2956 pts/1 T 0:00 sudo k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 540 -k /tmp/nslcd.tkt
>
> klist
> ->
> Ticket cache: FILE:/tmp/krb5cc_1000_mx2700
> Default principal: serveur@RADIODJIIDO.NC
> Valid starting       Expires              Service principal
> 26/10/2013 10:11:34  26/10/2013 20:11:34  krbtgt/RADIODJIIDO.NC@RADIODJIIDO.NC
>         renew until 27/10/2013 10:11:34
>
> grep ^[^#] /etc/krb5.conf
> ->
Does /tmp/nslcd.tkt exist after you start nslcd?
Please use the krb5.conf file that was produced by the samba4 provision.
It can be found in /usr/local/samba/private/krb5.conf
> [libdefaults]
>         default_realm = RADIODJIIDO.NC
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
>         v4_instance_resolve = false
>         v4_name_convert = {
>                 host = {
>                         rcmd = host
>                         ftp = ftp
>                 }
>                 plain = {
>                         something = something-else
>                 }
>         }
>         fcc-mit-ticketflags = true
> [realms]
>         RADIODJIIDO.NC = {
>                 kdc = serveur
>                 admin_server = serveur
>         }
> [domain_realm]
>         .radiodjiido.nc = RADIODJIIDO.NC
>         radiodjiido.nc = RADIODJIIDO.NC
> [login]
>         krb4_convert = true
>         krb4_get_tickets = false
>
> syslog shows :
> ->
> Oct 26 11:09:36 serveur nslcd[2978]: [0f8fca] <passwd="radiodjiido\administrator"> failed to bind to LDAP server ldap://serveur.radiodjiido.nc: Local error
> Oct 26 11:09:36 serveur nslcd[2978]: [0f8fca] <passwd="radiodjiido\administrator"> no available LDAP server found: Local error
> Oct 26 11:09:36 serveur nslcd[2978]: [90700b] <passwd="RADIODJIIDO\Administrator"> no available LDAP server found: Server is unavailable
> Oct 26 11:09:36 serveur nslcd[2978]: [014acb] <passwd="RADIODJIIDO\ADMINISTRATOR"> no available LDAP server found: Server is unavailable
> Oct 26 11:09:36 serveur nslcd[2978]: [5e7fd0] <passwd="radiodjiido\administrator"> no available LDAP server found: Server is unavailable
> Oct 26 11:09:36 serveur nslcd[2978]: [8a3148] <passwd="RADIODJIIDO\Administrator"> no available LDAP server found: Server is unavailable
> Oct 26 11:09:36 serveur nslcd[2978]: [9d0247] <passwd="RADIODJIIDO\ADMINISTRATOR"> no available LDAP server found: Server is unavailable
> Oct 26 11:11:32 serveur nslcd[2978]: [b94764] <group/member="www-data"> failed to bind to LDAP server ldap://serveur.radiodjiido.nc: Local error
> Oct 26 11:11:32 serveur nslcd[2978]: [b94764] <group/member="www-data"> no available LDAP server found: Local error
> Oct 26 11:11:32 serveur nslcd[2978]: [b94764] <group/member="www-data"> no available LDAP server found: Server is unavailable
> Oct 26 11:11:32 serveur nslcd[2978]: [c296bd] <group/member="www-data"> no available LDAP server found: Server is unavailable
> Oct 26 11:11:32 serveur nslcd[2978]: [c296bd] <group/member="www-data"> no available LDAP server found: Server is unavailable
> Oct 26 11:11:32 serveur nslcd[2978]: [8e121f] <group/member="serveur"> no available LDAP server found: Server is unavailable
> Oct 26 11:11:32 serveur nslcd[2978]: [8e121f] <group/member="serveur"> no available LDAP server found: Server is unavailable
> Oct 26 11:11:32 serveur nslcd[2978]: [ba5d23] <group/member="ntp"> no available LDAP server found: Server is unavailable
> Oct 26 11:11:32 serveur nslcd[2978]: [ba5d23] <group/member="ntp"> no available LDAP server found: Server is unavailable
> Oct 26 11:11:36 serveur nslcd[2978]: [1e3f1e] <passwd="radiodjiido\serveur-7-pc$"> no available LDAP server found: Server is unavailable
> Oct 26 11:11:36 serveur nslcd[2978]: [c79ea8] <passwd="RADIODJIIDO\SERVEUR-7-PC$"> no available LDAP server found: Server is unavailable
>
I am assuming that DNS is working as per the samba4 howto at:
http://wiki.samba.org/index.php/Samba4/HOWTO#Testing_DNS
Have you configured PAM for Kerberos?
That should get us started.
Cheers,
Steve
> getent passwd
> ->
> only lists Linux users
>
> Could someone please assist? I'm really lost ...
> Thanks in advance for your time.
> Nicolas
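Two details in the quoted output point at the credential cache rather than at the DC: the `ps ax` line shows the `sudo k5start` process in state T, which is a stopped (suspended) process, and the `klist` output is for the interactive user's own cache (/tmp/krb5cc_1000_...), not for the /tmp/nslcd.tkt that nslcd.conf names in krb5_ccname. The helpers below are an example added for this page, not code from the thread or from the nslcd or Samba projects: they check the k5start process state, the cache file's owner and mode, and pick the first real bind error out of the nslcd syslog cascade, then bind to the DC exactly the way nslcd does. The keytab path, cache path, user, URI and base DN are taken from Nicolas's posted configuration; the function names, the sample ps and syslog lines, and the ldapsearch probe are assumptions.

```shell
#!/bin/sh
# Added diagnostic helpers for the nslcd + k5start + GSSAPI setup in the thread
# above; example code written for this page, not from the thread or from the
# nslcd/Samba projects. KEYTAB, CCACHE, NSLCD_USER, LDAP_URI and BASE_DN come
# from the posted nslcd.conf and k5start command line; everything else is an
# assumption.

KEYTAB=/etc/krb5.nslcd.keytab
CCACHE=/tmp/nslcd.tkt
NSLCD_USER=nslcd
LDAP_URI=ldap://serveur.radiodjiido.nc
BASE_DN=DC=radiodjiido,DC=nc

# Print the STAT column of the k5start process from `ps ax` output read on
# stdin. ps shows T for a stopped (suspended) process: a stopped k5start never
# obtains a ticket, so the cache nslcd expects is never written. Returns 0
# only when k5start is present and actually running.
k5start_state() {
    state=$(awk '/[k]5start/ { print $3; exit }')
    [ -n "$state" ] || return 1
    echo "$state"
    case $state in
        T*|Z*) return 1 ;;
        *)     return 0 ;;
    esac
}

# Check the credential cache k5start is supposed to maintain: it must exist,
# belong to the nslcd user and be mode 600. If nslcd cannot read credentials
# from krb5_ccname, the GSSAPI bind fails client-side ("Local error") before
# anything reaches the DC. Owner may be given as a name or a numeric uid.
check_ccache() {
    cache=$1 owner=$2
    [ -f "$cache" ] || { echo "missing: $cache (has k5start written it?)"; return 1; }
    uid=$(id -u "$owner" 2>/dev/null) || uid=$owner
    info=$(stat -c '%u %a' "$cache") || return 1
    set -- $info
    [ "$1" = "$uid" ] || { echo "$cache: owner uid $1, expected $uid"; return 1; }
    [ "$2" = 600 ] || { echo "$cache: mode $2, expected 600"; return 1; }
    echo "ok: $cache owned by uid $uid, mode 600"
}

# Extract the root-cause reason from nslcd syslog lines read on stdin. nslcd
# logs "failed to bind ...: <reason>" once, then answers the lookups that
# follow with "no available LDAP server found: Server is unavailable" until it
# retries the connection, so only the first bind failure is informative.
first_bind_error() {
    sed -n 's/.*failed to bind to LDAP server [^ ]*: \(.*\)$/\1/p' | head -n 1
}

# Live checks, to be run as root on the Samba DC (not exercised offline).
live_checks() {
    echo "== principals in $KEYTAB"
    klist -k "$KEYTAB"
    echo "== k5start process state"
    ps ax | k5start_state || echo "k5start is absent or stopped"
    echo "== credential cache"
    check_ccache "$CCACHE" "$NSLCD_USER"
    KRB5CCNAME=FILE:$CCACHE klist
    # Bind the way nslcd does: as the nslcd user, SASL/GSSAPI, using its cache.
    # The attribute list "1.1" asks for no attributes, so only the DN comes back.
    echo "== GSSAPI bind as $NSLCD_USER"
    sudo -u "$NSLCD_USER" env KRB5CCNAME=FILE:$CCACHE \
        ldapsearch -LLL -Y GSSAPI -H "$LDAP_URI" -b "$BASE_DN" -s base 1.1
}
```

Run `live_checks` on the DC after starting k5start from a service context rather than a suspended terminal job; if `ps ax | k5start_state` prints anything starting with T, resume or restart k5start before looking at anything else, since the "Server is unavailable" lines are only the aftermath of the first "Local error".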