On 23/01/2023 12:46, basti via samba wrote:
> Hello,
>
> we have a Linux machine that need the UID's / GID's from samba AD.
> So we setup nslcd like https://wiki.samba.org/index.php/Nslcd
>
> nslcd is run in debug mode and the error is as follow:
>
> nslcd: [8b4567] <passwd="testuser"> DEBUG: ldap_initialize(ldap://dc1.samdom.example.com/)
> nslcd: [8b4567] <passwd="testuser"> DEBUG: ldap_set_rebind_proc()
> nslcd: [8b4567] <passwd="testuser"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [8b4567] <passwd="testuser"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [8b4567] <passwd="testuser"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [8b4567] <passwd="testuser"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [8b4567] <passwd="testuser"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [8b4567] <passwd="testuser"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
> nslcd: [8b4567] <passwd="testuser"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [8b4567] <passwd="testuser"> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://dc1.samdom.example.com/")
> nslcd: [8b4567] <passwd="testuser"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
> nslcd: [8b4567] <passwd="testuser"> failed to bind to LDAP server ldap://dc1.samdom.example.com/: Local error: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (get-principal lstat(/tmp/nslcd.tkt)): No such file or directory
> nslcd: [8b4567] <passwd="testuser"> DEBUG: ldap_unbind()
> nslcd: [8b4567] <passwd="testuser"> no available LDAP server found, sleeping 1 seconds
>
> The Linux machine is not a domain member and should not be one
Why not?
> and there is no samba stuff installed on this machine.
>
> Do I also need Kerberos here?
Yes, 'GSSAPI' and 'nslcd.tkt' should have told you this.
Which means that you either need Samba or sssd, in which case you
wouldn't need nslcd.
It has been some time since I set up nslcd, but I seem to remember that
you could use a username and password, but that will mean storing them
on a non-domain-joined computer.
Rowland
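As an added illustration of the two bind modes discussed above (not part of the thread), the following POSIX shell check reads an nslcd.conf and reports whether the configured bind can work on this host: a GSSAPI bind needs a readable Kerberos ticket cache (the `/tmp/nslcd.tkt` from the log is the path the Samba wiki setup uses), while a simple bind means a `bindpw` stored on disk, so the file mode is checked. It assumes the standard nslcd.conf keys `sasl_mech`, `krb5_ccname` and `binddn`, and that `klist` may or may not be installed.

```shell
#!/bin/sh
# Constructed example: audit the bind method configured in an nslcd.conf.
# Return codes: 0 = GSSAPI with a usable ticket cache
#               1 = GSSAPI configured but no usable ticket cache
#               2 = simple bind with credentials stored in the config file
#               3 = no bind credentials at all (AD rejects anonymous lookups)
nslcd_bind_check() {
    conf="$1"
    # Value of the first non-comment occurrence of a key, e.g. "sasl_mech GSSAPI".
    cfg() { awk -v k="$1" '$1 == k { print $2; exit }' "$conf"; }
    mech=$(cfg sasl_mech)
    ccname=$(cfg krb5_ccname)
    binddn=$(cfg binddn)

    if [ "$mech" = "GSSAPI" ]; then
        # krb5_ccname may carry a FILE: prefix; nslcd needs a cache it can read.
        path="${ccname#FILE:}"
        if [ -z "$path" ]; then
            echo "GSSAPI bind but no krb5_ccname set; nslcd cannot find a ticket cache"
            return 1
        fi
        if [ ! -r "$path" ]; then
            # This is exactly the lstat(/tmp/nslcd.tkt) failure from the log.
            echo "GSSAPI bind but ticket cache $path is missing or unreadable"
            return 1
        fi
        if command -v klist >/dev/null 2>&1 && ! klist -s -c "$path"; then
            echo "ticket cache $path exists but holds no valid ticket"
            return 1
        fi
        echo "GSSAPI bind using ticket cache $path"
        return 0
    fi

    if [ -n "$binddn" ]; then
        # Simple bind: the password lives in the config file, so it must not be
        # readable by other users on this non-domain-joined host.
        mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf" 2>/dev/null)
        case "$mode" in
            *00) ;;
            *) echo "warning: $conf mode $mode is readable by group/other" ;;
        esac
        echo "simple bind as $binddn with a stored bindpw in $conf"
        return 2
    fi

    echo "no sasl_mech or binddn configured; anonymous bind will be refused by AD"
    return 3
}
```

Run it as `nslcd_bind_check /etc/nslcd.conf` after sourcing the file; a non-zero exit names the problem before you dig through nslcd's debug output again.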