On Wed, 23 Nov 2011, Josh Geisser wrote:
> Hi list
> I'm sure I have gaps of understanding of how to use SSSD without using plain binding-user credentials in the config file. I followed the guide for Win2008 although I only have 2003 SFU - would that work?
AFAIK, yes. I've certainly contributed that with 2003 in mind.
> - I see it right that GSSAPI should enable looking up stuff in the LDAP
> using a machine-account instead of the binding-user/passwd?
Yes. I think that's the best way to do it.
> - Kerberos (which has the machine-auth-ticket) comes into play for LDAP, but
> this exceeds the basic LDAP authentication (eg. Auth via Kerberos on the LDAP server)? Is this enough to feed nsswitch (e.g. getent) or is an additional valid user/pass still required?
I'm not sure I follow. You don't need anything other than the valid keytab.
> The trouble I'm having here is the ktpasswd.exe generated-key is always dated at 01/01/70 01:00:00 which I guess is also the reason why ldapsearch -Y GSSAPI and kinit fail? 2003 behaviour?
Personally I'd not use ktpasswd and follow the "Creating Service Keytab with Samba" section. All in all I'd say that's much easier when you're dealing with lots of machines, and it doesn't require Domain Administrator rights. You need samba installed (anything >3.0 should work fine with 2003 AFAIK) and a correct smb.conf (and krb5.conf). I /think/ this would be sufficient:

    [global]
        workgroup = YOURDOMAIN
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        password server = your.kdc.net
        realm = YOURFULLKERBEROSDOMAIN
        security = ads
> The krb and ldap configuration works quite fine with bind-dn, just struggling with SASL/GSSAPI.
Just let us know how you get on,
jh
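For comparison, this is what the SSSD side of the setup discussed above looks like: a domain section that authenticates the LDAP connection to AD over SASL/GSSAPI with the machine keytab instead of a bind DN and a plaintext password. This is an added example, not part of the thread or of any project's shipped configuration; the hostname, realm, search base, bind DN and keytab path are placeholders, and the option names are those of SSSD's LDAP and Kerberos providers (sssd-ldap(5), sssd-krb5(5)).

```ini
# Added example, not from the original thread. Placeholders:
# client.example.com, EXAMPLE.COM, dc=example,dc=com, your.kdc.net.
# Assumes /etc/krb5.keytab already holds the machine account's keys
# (for instance created with Samba as described in the reply above).
# Keep this file root-only (mode 0600); sssd refuses to start otherwise.
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://your.kdc.net
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis

# Weak variant the thread wants to avoid: a service account password
# stored in clear text in sssd.conf. Left commented out for comparison.
#ldap_default_bind_dn = cn=sssd-bind,cn=Users,dc=example,dc=com
#ldap_default_authtok_type = password
#ldap_default_authtok = Secret123

# Preferred: bind with the machine's own Kerberos principal taken from
# the keytab. SSSD obtains and renews the TGT itself, so no password
# is present on disk and nothing needs Domain Administrator rights.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 86400

krb5_realm = EXAMPLE.COM
krb5_server = your.kdc.net
```

A quick check that the keytab is usable before starting sssd is `kinit -k host/client.example.com@EXAMPLE.COM` followed by `ldapsearch -Y GSSAPI -H ldap://your.kdc.net -b dc=example,dc=com`; if those succeed, the GSSAPI bind in this configuration will too.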