thr3ads.net - samba - [Samba] lost with AD auth [Oct 2013]

If this information is useful, please help other people find it:
Share via:

me at electronico.nc

2013-Oct-26 01:08 UTC

[Samba] lost with AD auth

Hi all,

Well, I'm completely lost with AD authentification ...

server is :
Ubuntu 12.04.3 3.8.0-32-generic #47~precise1-Ubuntu
Samba 4.0.10 installed (and upgraded) via git, setup as unique Active 
Directory Domain Controller
( -> how to upgrade to 4.1 via git ?? )

I 'just' would like that the local services (let's say only dovecot
and
postfix) can query AD to authentifiate users.

All services are running on the Ubuntu server (samba AD/DC), no other 
linux box for now.

1 Windows VM has been setup on server to make AD tasks using 
Administrator account.

Trying to use nslcd + kerberos :

created a user in AD:
samba-tool user add ldap My_secret_password
samba-tool user setexpiry ldap --noexpiry

created spn and exported keytab:
samba-tool spn add nslcd/serveur.radiodjiido.nc ldap
samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=ldap
chown nslcd:root /etc/krb5.nslcd.keytab
chmod 600 /etc/krb5.nslcd.keytab

configured nslcd:
grep ^[^#] /etc/nslcd.conf
->
uid nslcd
gid nslcd
uri ldap://serveur.radiodjiido.nc
base DC=radiodjiido,DC=nc
map    passwd    uid    samAccountName
map    passwd    homeDirectory    unixHomeDirectory
map     passwd    gecos    displayName
map     passwd    gidNumber    primaryGroupID
sasl_mech GSSAPI
sasl_realm RADIODJIIDO.NC
krb5_ccname /tmp/nslcd.tkt

checking that k5start is well running:
ps ax | grep k5
->
2956 pts/1    T      0:00 sudo k5start -f /etc/krb5.nslcd.keytab -U -o 
nslcd -K 540 -k /tmp/nslcd.tkt

klist
->
Ticket cache: FILE:/tmp/krb5cc_1000_mx2700
Default principal: serveur at RADIODJIIDO.NC
Valid starting       Expires              Service principal
26/10/2013 10:11:34  26/10/2013 20:11:34 
krbtgt/RADIODJIIDO.NC at RADIODJIIDO.NC
     renew until 27/10/2013 10:11:34

grep ^[^#] /etc/krb5.conf
->
[libdefaults]
     default_realm = RADIODJIIDO.NC
     krb4_config = /etc/krb.conf
     krb4_realms = /etc/krb.realms
     kdc_timesync = 1
     ccache_type = 4
     forwardable = true
     proxiable = true
     v4_instance_resolve = false
     v4_name_convert = {
         host = {
             rcmd = host
             ftp = ftp
         }
         plain = {
             something = something-else
         }
     }
     fcc-mit-ticketflags = true
[realms]
     RADIODJIIDO.NC = {
         kdc = serveur
         admin_server = serveur
     }
[domain_realm]
     .radiodjiido.nc = RADIODJIIDO.NC
     radiodjiido.nc = RADIODJIIDO.NC
[login]
     krb4_convert = true
     krb4_get_tickets = false

syslog shows :
->
Oct 26 11:09:36 serveur nslcd[2978]: [0f8fca] 
<passwd="radiodjiido\administrator"> failed to bind to LDAP
server
ldap://serveur.radiodjiido.nc: Local error
Oct 26 11:09:36 serveur nslcd[2978]: [0f8fca] 
<passwd="radiodjiido\administrator"> no available LDAP server
found:
Local error
Oct 26 11:09:36 serveur nslcd[2978]: [90700b] 
<passwd="RADIODJIIDO\Administrator"> no available LDAP server
found:
Server is unavailable
Oct 26 11:09:36 serveur nslcd[2978]: [014acb] 
<passwd="RADIODJIIDO\ADMINISTRATOR"> no available LDAP server
found:
Server is unavailable
Oct 26 11:09:36 serveur nslcd[2978]: [5e7fd0] 
<passwd="radiodjiido\administrator"> no available LDAP server
found:
Server is unavailable
Oct 26 11:09:36 serveur nslcd[2978]: [8a3148] 
<passwd="RADIODJIIDO\Administrator"> no available LDAP server
found:
Server is unavailable
Oct 26 11:09:36 serveur nslcd[2978]: [9d0247] 
<passwd="RADIODJIIDO\ADMINISTRATOR"> no available LDAP server
found:
Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [b94764]
<group/member="www-data">
failed to bind to LDAP server ldap://serveur.radiodjiido.nc: Local error
Oct 26 11:11:32 serveur nslcd[2978]: [b94764]
<group/member="www-data">
no available LDAP server found: Local error
Oct 26 11:11:32 serveur nslcd[2978]: [b94764]
<group/member="www-data">
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [c296bd]
<group/member="www-data">
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [c296bd]
<group/member="www-data">
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [8e121f]
<group/member="serveur">
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [8e121f]
<group/member="serveur">
no available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [ba5d23]
<group/member="ntp"> no
available LDAP server found: Server is unavailable
Oct 26 11:11:32 serveur nslcd[2978]: [ba5d23]
<group/member="ntp"> no
available LDAP server found: Server is unavailable
Oct 26 11:11:36 serveur nslcd[2978]: [1e3f1e] 
<passwd="radiodjiido\serveur-7-pc$"> no available LDAP server
found:
Server is unavailable
Oct 26 11:11:36 serveur nslcd[2978]: [c79ea8] 
<passwd="RADIODJIIDO\SERVEUR-7-PC$"> no available LDAP server
found:
Server is unavailable

getent passwd
->
only lists Linux users

Could someone, please assist ? I'm really lost ...
Thanks in advance for your time.
Nicolas

steve

2013-Oct-26 07:24 UTC

head link

[Samba] lost with AD auth

On Sat, 2013-10-26 at 12:08 +1100, me at electronico.nc
wrote:> Hi all,
> 
> Well, I'm completely lost with AD authentification ...
> 
> server is :
> Ubuntu 12.04.3 3.8.0-32-generic #47~precise1-Ubuntu
> Samba 4.0.10 installed (and upgraded) via git, setup as unique Active 
> Directory Domain Controller
> ( -> how to upgrade to 4.1 via git ?? )
> 
> I 'just' would like that the local services (let's say only
dovecot and
> postfix) can query AD to authentifiate users.
> 
> All services are running on the Ubuntu server (samba AD/DC), no other 
> linux box for now.
> 
> 1 Windows VM has been setup on server to make AD tasks using 
> Administrator account.
> 
> Trying to use nslcd + kerberos :Who are the users you wish to authenticate? According to the following,
they are domain users who have their rfc2307 attributes stored in AD. Is
this the case?
> 
> created a user in AD:
> samba-tool user add ldap My_secret_password
> samba-tool user setexpiry ldap --noexpiry
> 
> created spn and exported keytab:
> samba-tool spn add nslcd/serveur.radiodjiido.nc ldap
Remove this sp. nslcd is not a service.
> samba-tool domain exportkeytab /etc/krb5.nslcd.keytab --principal=ldap
> chown nslcd:root /etc/krb5.nslcd.keytab
> chmod 600 /etc/krb5.nslcd.keytab
> 
> configured nslcd:
> grep ^[^#] /etc/nslcd.conf
> ->
> uid nslcd
> gid nslcd
> uri ldap://serveur.radiodjiido.nc
> base DC=radiodjiido,DC=nc
> map    passwd    uid    samAccountName
> map    passwd    homeDirectory    unixHomeDirectory
> map     passwd    gecos    displayName
> map     passwd    gidNumber    primaryGroupID
> sasl_mech GSSAPI
> sasl_realm RADIODJIIDO.NC
> krb5_ccname /tmp/nslcd.tkt
> 
> checking that k5start is well running:
> ps ax | grep k5
> ->
> 2956 pts/1    T      0:00 sudo k5start -f /etc/krb5.nslcd.keytab -U -o 
> nslcd -K 540 -k /tmp/nslcd.tkt
> 
> klist
> ->
> Ticket cache: FILE:/tmp/krb5cc_1000_mx2700
> Default principal: serveur at RADIODJIIDO.NC
> Valid starting       Expires              Service principal
> 26/10/2013 10:11:34  26/10/2013 20:11:34 
> krbtgt/RADIODJIIDO.NC at RADIODJIIDO.NC
>      renew until 27/10/2013 10:11:34
> 
> grep ^[^#] /etc/krb5.conf
> ->
Does /tmp/nslcd.tkt exist after you start nslcd?

Please use the krb5.conf file that was produced by the samba4 provision.
It can be found in /usr/local/samba/private/krb5.conf
> [libdefaults]
>      default_realm = RADIODJIIDO.NC
>      krb4_config = /etc/krb.conf
>      krb4_realms = /etc/krb.realms
>      kdc_timesync = 1
>      ccache_type = 4
>      forwardable = true
>      proxiable = true
>      v4_instance_resolve = false
>      v4_name_convert = {
>          host = {
>              rcmd = host
>              ftp = ftp
>          }
>          plain = {
>              something = something-else
>          }
>      }
>      fcc-mit-ticketflags = true
> [realms]
>      RADIODJIIDO.NC = {
>          kdc = serveur
>          admin_server = serveur
>      }
> [domain_realm]
>      .radiodjiido.nc = RADIODJIIDO.NC
>      radiodjiido.nc = RADIODJIIDO.NC
> [login]
>      krb4_convert = true
>      krb4_get_tickets = false
> 
> syslog shows :
> ->
> Oct 26 11:09:36 serveur nslcd[2978]: [0f8fca] 
> <passwd="radiodjiido\administrator"> failed to bind to LDAP
server
> ldap://serveur.radiodjiido.nc: Local error
> Oct 26 11:09:36 serveur nslcd[2978]: [0f8fca] 
> <passwd="radiodjiido\administrator"> no available LDAP
server found:
> Local error
> Oct 26 11:09:36 serveur nslcd[2978]: [90700b] 
> <passwd="RADIODJIIDO\Administrator"> no available LDAP
server found:
> Server is unavailable
> Oct 26 11:09:36 serveur nslcd[2978]: [014acb] 
> <passwd="RADIODJIIDO\ADMINISTRATOR"> no available LDAP
server found:
> Server is unavailable
> Oct 26 11:09:36 serveur nslcd[2978]: [5e7fd0] 
> <passwd="radiodjiido\administrator"> no available LDAP
server found:
> Server is unavailable
> Oct 26 11:09:36 serveur nslcd[2978]: [8a3148] 
> <passwd="RADIODJIIDO\Administrator"> no available LDAP
server found:
> Server is unavailable
> Oct 26 11:09:36 serveur nslcd[2978]: [9d0247] 
> <passwd="RADIODJIIDO\ADMINISTRATOR"> no available LDAP
server found:
> Server is unavailable
> Oct 26 11:11:32 serveur nslcd[2978]: [b94764]
<group/member="www-data">
> failed to bind to LDAP server ldap://serveur.radiodjiido.nc: Local error
> Oct 26 11:11:32 serveur nslcd[2978]: [b94764]
<group/member="www-data">
> no available LDAP server found: Local error
> Oct 26 11:11:32 serveur nslcd[2978]: [b94764]
<group/member="www-data">
> no available LDAP server found: Server is unavailable
> Oct 26 11:11:32 serveur nslcd[2978]: [c296bd]
<group/member="www-data">
> no available LDAP server found: Server is unavailable
> Oct 26 11:11:32 serveur nslcd[2978]: [c296bd]
<group/member="www-data">
> no available LDAP server found: Server is unavailable
> Oct 26 11:11:32 serveur nslcd[2978]: [8e121f]
<group/member="serveur">
> no available LDAP server found: Server is unavailable
> Oct 26 11:11:32 serveur nslcd[2978]: [8e121f]
<group/member="serveur">
> no available LDAP server found: Server is unavailable
> Oct 26 11:11:32 serveur nslcd[2978]: [ba5d23]
<group/member="ntp"> no
> available LDAP server found: Server is unavailable
> Oct 26 11:11:32 serveur nslcd[2978]: [ba5d23]
<group/member="ntp"> no
> available LDAP server found: Server is unavailable
> Oct 26 11:11:36 serveur nslcd[2978]: [1e3f1e] 
> <passwd="radiodjiido\serveur-7-pc$"> no available LDAP
server found:
> Server is unavailable
> Oct 26 11:11:36 serveur nslcd[2978]: [c79ea8] 
> <passwd="RADIODJIIDO\SERVEUR-7-PC$"> no available LDAP
server found:
> Server is unavailable
> Am assuming that DNS is working as per te samba4 howto at:
http://wiki.samba.org/index.php/Samba4/HOWTO#Testing_DNS

Have you configured pam for kerberos?

That should get us started.
Cheers,
Steve
> getent passwd
> ->
> only lists Linux users
> 
> Could someone, please assist ? I'm really lost ...
> Thanks in advance for your time.
> Nicolas

Marc Muehlfeld

2013-Oct-26 09:07 UTC

head link

[Samba] lost with AD auth

Hello Nicolas,

Am 26.10.2013 03:08, schrieb me at electronico.nc:> Trying to use nslcd + kerberos :

Have you checked
http://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

I described there nslcd with and withouth Kerberos.



Regards,
Marc

Seemingly Similar Threads

Search for more seemingly similar threads

samba - Oct 2013 - lost with AD auth

[Samba] lost with AD auth

[Samba] lost with AD auth

[Samba] lost with AD auth

Seemingly Similar Threads