On Wed, 23 Nov 2011, Josh Geisser wrote:
> Hi list
> I'm sure I have gaps of understanding of how to use SSSD without using plain
> binding-user credentials in the configfile. I followed the guide for Win2008
> although I only have 2003 SFU - would that work?
AFAIK, yes. I've certainly contributed that with 2003 in mind.
> - Do I see it right that GSSAPI should enable looking up stuff in the LDAP
> using a machine-account instead of the binding-user/passwd?
Yes. I think that's the best way to do it.
> - Kerberos (which has the machine-auth-ticket) comes into play for LDAP, but
> this exceeds the basic LDAP authentication (e.g. auth via Kerberos on the
> LDAP server)? Is this enough to feed nsswitch (e.g. getent) or is an
> additional valid user/pass still required?
I'm not sure I follow. You don't need anything other than the valid keytab.
> The trouble I'm having here is the ktpasswd.exe generated-key is always
> dated at 01/01/70 01:00:00 which I guess is also the reason why ldapsearch
> -Y GSSAPI and kinit fail? 2003 behaviour?
Personally I'd not use ktpasswd and follow the "Creating Service Keytab with
Samba" section. All in all I'd say that's much easier when you're dealing with
lots of machines, and it doesn't require Domain Administrator rights. You need
samba installed (anything >3.0 should work fine with 2003 AFAIK) and a correct
smb.conf (and krb5.conf). I /think/ this would be sufficient:

[global]
workgroup = YOURDOMAIN
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
password server = your.kdc.net
realm = YOURFULLKERBEROSDOMAIN
security = ads
> The krb and ldap configuration works quite fine with bind-dn, just
> struggling with SASL/GSSAPI.
Just let us know how you get on,
jh
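As an added example (not part of the original thread, and not code from the SSSD or Samba projects): a small Python inspector for the MIT keytab file format that ktutil, net ads keytab create and ktpass all write. It decodes each entry's principal, kvno, enctype and timestamp, and its check function encodes the point jh makes above: what has to be right is that the keytab is valid for the KDC, i.e. the kvno and enctype of the entry match what the domain controller holds for the machine account; the 1970 date Josh sees is the keytab's own informational timestamp field, which the KDC never sees. The sample keytab is constructed inline; the principal host/client.example.com@EXAMPLE.COM, the key bytes and the kvno values are assumptions, not data from the thread.

```python
"""Inspect an MIT-format Kerberos keytab (version 0x0502).

Added example, not code from the original thread.  The sample keytab below
is constructed in this file; it is not a real AD-issued key.
"""
import datetime
import struct

KEYTAB_MAGIC = b"\x05\x02"      # version 2: big-endian, name_type field present
KRB5_NT_PRINCIPAL = 1

ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def _counted(buf, off):
    """Read a 16-bit-length-prefixed octet string at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return bytes(buf[off:off + n]), off + n


def parse_keytab(data):
    """Return a list of entry dicts: principal, kvno, enctype, timestamp, key."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab: magic %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size marks a deleted entry (a hole): skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, ts, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = bytes(data[off:off + keylen])
        off += keylen
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno after the key; non-zero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "timestamp": ts, "key": key})
        off = end
    return entries


def build_keytab(entries):
    """Serialise entries in the same format.  An entry with deleted=True is written
    as a hole (negative size), the way ktutil's delete leaves one in place."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, e["timestamp"],
                            e["kvno"] & 0xFF, e["enctype"], len(e["key"]))
        body += e["key"] + struct.pack(">I", e["kvno"])
        if e.get("deleted"):
            out += struct.pack(">i", -len(body)) + bytes(len(body))
        else:
            out += struct.pack(">i", len(body)) + body
    return bytes(out)


def describe(entry):
    """One line per entry, in the spirit of 'klist -kte' (kvno, timestamp, principal, enctype)."""
    ts = datetime.datetime.fromtimestamp(entry["timestamp"], datetime.timezone.utc)
    return "%4d %s %s (%s)" % (entry["kvno"], ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                              entry["principal"],
                              ENCTYPE_NAMES.get(entry["enctype"], "enctype %d" % entry["enctype"]))


def check_keytab(entries, expected_principal, kdc_kvno):
    """Compare the keytab with what the KDC holds for the principal.  kdc_kvno is the
    account's msDS-KeyVersionNumber in AD (an assumed input here).  A kvno mismatch
    is a common reason 'kinit -k' fails; an epoch-zero timestamp is cosmetic."""
    findings = []
    matching = [e for e in entries if e["principal"] == expected_principal]
    if not matching:
        findings.append("no entry for %s" % expected_principal)
    for e in matching:
        if e["kvno"] != kdc_kvno:
            findings.append("%s (%s): keytab kvno %d != KDC kvno %d" % (
                e["principal"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"]), e["kvno"], kdc_kvno))
        if e["timestamp"] == 0:
            findings.append("%s: timestamp 0 (1970-01-01) is informational only, not checked by the KDC"
                            % e["principal"])
    return findings


# Constructed sample: an arcfour entry dated 1970 (as ktpass produces), a deleted
# older AES entry, and a current AES entry.  Keys are dummy bytes, not real keys.
SAMPLE_ENTRIES = [
    {"principal": "host/client.example.com@EXAMPLE.COM", "kvno": 3, "enctype": 23,
     "timestamp": 0, "key": bytes(range(16))},
    {"principal": "host/client.example.com@EXAMPLE.COM", "kvno": 2, "enctype": 18,
     "timestamp": 1321999200, "key": bytes(32), "deleted": True},
    {"principal": "host/client.example.com@EXAMPLE.COM", "kvno": 3, "enctype": 18,
     "timestamp": 1321999200, "key": bytes(32)},
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for entry in parsed:
        print(describe(entry))
    for finding in check_keytab(parsed, "host/client.example.com@EXAMPLE.COM", 4):
        print("!", finding)
```

Point parse_keytab at the bytes of /etc/krb5.keytab to see what net ads keytab create (or ktpass) actually wrote, and compare the kvno against the machine account's msDS-KeyVersionNumber on the DC; the 1970 timestamp alone does not explain a failing kinit.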