Thanks for the answer, will check soon.
Joining the machine actually works as far as I understand: it creates the computer object in LDAP and is visible in the AD management utility.
But it doesn't write any local /etc/krb5.keytab, which I assume SSSD or the krb5-tools will use, no?
Want to try your additional smb.conf parameters and I'll come back to you.
Thanks a lot so far
Cheers
Josh
-----Original Message-----
From: sssd-devel-bounces(a)lists.fedorahosted.org
[mailto:sssd-devel-bounces@lists.fedorahosted.org] On behalf of John Hodrien
Sent: Wednesday, 23 November 2011 22:30
To: Development of the System Security Services Daemon
Subject: Re: [SSSD] GSSAPI and Kerberos - understanding question
On Wed, 23 Nov 2011, Josh Geisser wrote:
> Hi list
> I'm sure I have gaps in my understanding of how to use SSSD without using plain
> binding-user credentials in the config file. I followed the guide for Win2008,
> although I only have 2003 SFU - would that work?
AFAIK, yes. I've certainly contributed that with 2003 in mind.
> - Do I see it right that GSSAPI should enable looking up stuff in the LDAP
> using a machine account instead of the binding-user/passwd?
Yes. I think that's the best way to do it.
> - Kerberos (which has the machine-auth-ticket) comes into play for LDAP, but
> this exceeds the basic LDAP authentication (e.g. auth via Kerberos on the
> LDAP server)? Is this enough to feed nsswitch (e.g. getent) or is an
> additional valid user/pass still required?
I'm not sure I follow. You don't need anything other than the valid keytab.
> The trouble I'm having here is that the ktpasswd.exe-generated key is always
> dated at 01/01/70 01:00:00, which I guess is also the reason why ldapsearch
> -Y GSSAPI and kinit fail? 2003 behaviour?
Personally I'd not use ktpasswd and follow the "Creating Service Keytab with
Samba" section. All in all I'd say that's much easier when you're dealing with
lots of machines, and it doesn't require Domain Administrator rights. You need
samba installed (anything >3.0 should work fine with 2003 AFAIK) and a correct
smb.conf (and krb5.conf). I /think/ this would be sufficient:
    [global]
        workgroup = YOURDOMAIN
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        password server = your.kdc.net
        realm = YOURFULLKERBEROSDOMAIN
        security = ads
> The krb and ldap configuration works quite fine with bind-dn, just
> struggling with SASL/GSSAPI.
Just let us know how you get on,
jh
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
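The thread turns on whether a usable /etc/krb5.keytab exists and why the ktpasswd-generated key shows a 1970 date. As an added example (not code from the thread, SSSD or Samba), the following parses an MIT v2 keytab and flags entries whose key timestamp is 0, which klist renders as 01/01/70; the sample keytab, realm, principal names and key bytes are constructed for illustration.

```python
import struct

def _cstr(b):  # keytab counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def _counted(buf, pos):  # inverse of _cstr; returns (bytes, new pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse an MIT v2 (0x0502) keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size <= 0:             # negative size marks a deleted slot; skip it
            pos = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        _name_type, ts, vno8, enctype = struct.unpack_from(">IIBH", data, pos)
        key, pos = _counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:        # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "timestamp": ts, "kvno": kvno, "enctype": enctype})
    return entries

def epoch_zero_entries(entries):  # keys stamped 0, which klist shows as 01/01/70
    return [e["principal"] for e in entries if e["timestamp"] == 0]

def build_entry(realm, comps, timestamp, kvno, enctype, key):
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    for c in comps:
        body += _cstr(c.encode())
    body += struct.pack(">IIBH", 1, timestamp, kvno & 0xFF, enctype) + _cstr(key)
    body += struct.pack(">I", kvno)  # name_type 1 = NT_PRINCIPAL; 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

# Constructed sample (not from the thread): a host/ key stamped 0, as in the ktpasswd
# symptom, beside a machine-account key with a real timestamp. 23 = rc4-hmac, dummy keys.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("EXAMPLE.COM", ["host", "client.example.com"], 0, 1, 23, b"\x11" * 16)
    + build_entry("EXAMPLE.COM", ["CLIENT$"], 1322080200, 3, 23, b"\x22" * 16))
```

Run `parse_keytab(open("/etc/krb5.keytab", "rb").read())` on a real file to list what the join or Samba actually wrote; an empty result or only epoch-zero entries points at the key provisioning step rather than at SSSD.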