On 09/02/15 16:22 +0300, l@avc.su wrote:
Hi all.
I've got CentOS 6.5 server enrolled in an AD domain.
Does that mean you're using Samba, or something else?
There's a script which should connect to AD and get some info with ldapsearch.
We were using simple bind with username and password, but I wonder if there is any way to do queries and being authenticated by GSSAPI without the need of password entering?
Yes, it should work fine.
Maybe, I somehow can use system krb5.keytab and do queries from the name of the server (host/pc@DOMAIN credentials)?
You'll need to export a keytab file from Active Directory. See:
https://cwiki.apache.org/confluence/display/DIRxINTEROP/Exporting+Keytabs+fr...
Or I should create separate keytab and specify it in ldapsearch? But I haven't found this option. Moreover, I know that kerberos tickets could expire and I should re-enter pass to obtain new one.
ldapsearch will not initialize your credentials cache. You're responsible for kinit to initialize it, such as from your crontab.
Using a keytab would obviate the need for sticking a password in your crontab of course. The underlying kerberos libraries will request necessary service tickets as needed.