-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 09/02/2015 03:22 PM, l@avc.su wrote:
I've got CentOS 6.5 server enrolled in an AD domain. There's a script which should connect to AD and get some info with ldapsearch. We were using simple bind with username and password, but I wonder if there is any way to do queries and being authenticated by GSSAPI without the need of password entering?
Yes, this can be done. "ldapsearch -Y GSSAPI ..." uses Kerberos tickets instead of passwords.
Maybe, I somehow can use system krb5.keytab and do queries from the name of the server (host/pc@DOMAIN credentials)?
You can try to use "kinit -k host/pc@DOMAIN" to create a ticket cache from your krb5.keytab. This will only succeed if your machine's AD account has its userPrincipalName attribute set to "host/pc@DOMAIN". Otherwise you can use "kinit -k pc$@DOMAIN" or "kinit -k PC$@DOMAIN". ("pc$" is the value of your machine's sAMAccountName attribute.) However, this requires your keytab to contain an entry for "pc@DOMAIN" or "PC@DOMAIN".
I recommend to use msktutil (http://sourceforge.net/projects/msktutil/) to create the keytab: "msktutil --create" will create a keytab that contains the "pc$@DOMAIN" principal...
Or I should create separate keytab and specify it in ldapsearch? But I haven't found this option.
No, that is not necessary. ldapsearch needs a ticket cache, not a keytab. (The ticket cache could be specified via environment: KRB5CCNAME)
Moreover, I know that kerberos tickets could expire and I should re-enter pass to obtain new one.
Run the above kinit command on a regular base (i.e. by cron). A better solution would be to use kstart (http://www.eyrie.org/~eagle/software/kstart) instead of kinit.
- -- Mark Pröhl