Re: libnss-ldap authenticate with host keytab? (msg#00020, ldap.padl.nss)
On Tuesday 21 March 2006 05:48, Raphaël RIGNIER wrote:
> Joel Johnson wrote:
> > I'm working on finalizing our setup here, but have this one remaining
> > issue. I can't seem to get libnss-ldap to bind using the krb5.keytab
> > entry for the host principal. Am I approaching this from the wrong
> > direction, or am I just missing a simple switch?
> >
> > Anonymous bind is disabled (2003 Server AD), and I would *strongly* like
> > to avoid having a readable dn/password in libnss-ldap.conf and thought
> > that using the existing host/hosts.fqdn.com principal would be best,
> > either via Kerberos directly, or more likely SASL.
>
> Here is what I suggest you do:
>
> 1) Use Samba to create a machine account for the host in AD's KDC.
>
> a) Use the Samba 3 HOWTO to set up smb.conf and krb5.conf correctly:
> http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member
>
> b) Just before the "Create the Computer Account" step, add this line to
> the general section of smb.conf:
> "use kerberos keytab = yes"
>
> c) You can then launch the "net ads join" command.
>
> Advantage: the krb5.keytab is automatically filled with entries
> compatible with Active Directory.
>
> You can do this manually by using the Windows Resource Kit to create the
> entries in the KDC and then export the credentials to the host, but it's
> more difficult.

How many service principals does this create in the keytab? I've been using
netjoin (http://netjoin.sf.net) to add the computer account to the domain,
and would like to avoid any Samba dependency, but if there are things that
Samba does in addition, that would be insightful.

> 2) Use crontab to have a permanent ticket between AD and your host by
> using one of the krb5.keytab's credentials with the "kinit -k" command.

What would this crontab be? Should I specify a cache such as
"kinit -k -c /etc/libnssldap.krbc" to then use as the SASL method?

> 3) You can then edit ldap.conf to use SASL.

This is actually the point that is tripping me up the most. What is the
identifier that should be used with the sasl_authid configuration directive?
I've tried host/host.domain to use the default domain as well as appending
the realm explicitly. Is there another method to enable SASL? That is all I
was able to find documented in the code and nss_ldap.5.

Thanks again,
Joel Johnson
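Editor's added example for steps 2 and 3 of the suggested procedure (the cron-driven "kinit -k" and the cache nss_ldap then uses). This is not code from the thread, from nss_ldap or from Samba. The keytab path, cache path, realm, the install path in the cron line and the ldap.conf directive names are assumptions; the thread has not yet settled which identity the SASL layer wants, so confirm the directive spelling and the identity against your build's nss_ldap.5. The "klist -k" parsing assumes MIT Kerberos output and also answers the "how many principals did the join create?" question.

```shell
#!/bin/sh
# Added example, not code from the thread, from nss_ldap or from Samba.
# Keeps a Kerberos ticket cache for the host principal fresh so nss_ldap
# can bind with SASL/GSSAPI instead of a readable binddn/bindpw.
# KEYTAB, CCACHE, REALM and the paths in the comments are assumptions.
set -eu

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"          # assumed: where "net ads join" wrote the host keys (root-only, 0600)
CCACHE="${CCACHE:-/var/run/nss_ldap.ccache}"   # assumed cache path; must be readable by whatever does the LDAP lookups
REALM="${REALM:-EXAMPLE.COM}"                  # assumed AD realm, upper case as Kerberos expects

# Build the principal name from an FQDN. AD registers the computer account
# as host/<fqdn>@<REALM> with a lower-case host part, so normalise the case
# of whatever "hostname -f" returns before handing it to kinit.
host_principal() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf 'host/%s@%s\n' "$fqdn" "$2"
}

# Reduce a "klist -k" listing read from stdin (MIT format assumed: a
# "Keytab name:" line, a "KVNO Principal" line and a dashed rule, then
# "<kvno> <principal>" per key, one line per enctype) to the distinct
# principals it contains. Piping "klist -k $KEYTAB" through this shows
# exactly how many service principals the join created.
keytab_principals() {
    awk 'NR > 3 && NF >= 2 { print $2 }' | sort -u
}

# Obtain a TGT for the host principal into the dedicated cache and verify it.
refresh_ticket() {
    princ=$(host_principal "$(hostname -f)" "$REALM")
    # -k: authenticate with a keytab instead of a password
    # -t: which keytab; -c: write this cache rather than root's default one
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$princ"
    # klist -s prints nothing and exits non-zero if the cache has no valid TGT
    klist -s -c "$CCACHE"
}

# Crontab line (assumed install path). AD issues 10-hour TGTs by default,
# so an hourly refresh never lets the cache go stale:
#   0 * * * *  root  /usr/local/sbin/nss_ldap_kinit.sh run
#
# Matching ldap.conf fragment for nss_ldap. The directive names are an
# assumption (check nss_ldap.5 for your version), as is the identity value:
#   use_sasl on
#   sasl_auth_id host/box01.example.com@EXAMPLE.COM
#   krb5_ccname FILE:/var/run/nss_ldap.ccache
if [ "${1:-}" = run ]; then
    refresh_ticket
    printf 'keytab principals:\n'
    klist -k "$KEYTAB" | keytab_principals
fi
```

Two cautions on the cache. nss_ldap runs inside every process that does a name lookup, so with a cache in a fixed path those processes, not just root, need to read it; making the TGT world-readable lets any local user act as the machine toward AD, which is exactly the exposure the original poster wanted to avoid with the bindpw. Running nscd so that only one root process talks to LDAP, and keeping the cache 0600 (or 0640 with a dedicated group), narrows that. The keytab itself should stay root-only; only the short-lived ticket cache is shared.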