Hi all.
I've got a CentOS 6.5 server enrolled in an AD domain. There's a script which should connect to AD and get some info with ldapsearch. We were using simple bind with username and password, but I wonder if there is any way to do queries while being authenticated by GSSAPI, without the need to enter a password? Maybe I can somehow use the system krb5.keytab and do queries in the name of the server (host/pc@DOMAIN credentials)? Or should I create a separate keytab and specify it in ldapsearch? But I haven't found this option. Moreover, I know that Kerberos tickets can expire and I would have to re-enter the password to obtain a new one.
How can I do that?
Thank you in advance.
On 09/02/15 16:22 +0300, l@avc.su wrote:
> Hi all.
> I've got a CentOS 6.5 server enrolled in an AD domain.
Does that mean you're using Samba, or something else?
> There's a script which should connect to AD and get some info with ldapsearch.
> We were using simple bind with username and password, but I wonder if there is any way to do queries while being authenticated by GSSAPI, without the need to enter a password?
Yes, it should work fine.
> Maybe I can somehow use the system krb5.keytab and do queries in the name of the server (host/pc@DOMAIN credentials)?
You'll need to export a keytab file from Active Directory. See:
https://cwiki.apache.org/confluence/display/DIRxINTEROP/Exporting+Keytabs+fr...
> Or should I create a separate keytab and specify it in ldapsearch? But I haven't found this option. Moreover, I know that Kerberos tickets can expire and I would have to re-enter the password to obtain a new one.
ldapsearch will not initialize your credentials cache. You're responsible for running kinit to initialize it, for example from your crontab.
Using a keytab would, of course, obviate the need for sticking a password in your crontab. The underlying Kerberos libraries will request the necessary service tickets as needed.
On 09/02/2015 03:22 PM, l@avc.su wrote:
> I've got a CentOS 6.5 server enrolled in an AD domain. There's a script which should connect to AD and get some info with ldapsearch. We were using simple bind with username and password, but I wonder if there is any way to do queries while being authenticated by GSSAPI, without the need to enter a password?
Yes, this can be done. "ldapsearch -Y GSSAPI ..." uses Kerberos tickets instead of passwords.
> Maybe I can somehow use the system krb5.keytab and do queries in the name of the server (host/pc@DOMAIN credentials)?
You can try to use "kinit -k host/pc@DOMAIN" to create a ticket cache from your krb5.keytab. This will only succeed if your machine's AD account has its userPrincipalName attribute set to "host/pc@DOMAIN". Otherwise you can use "kinit -k pc$@DOMAIN" or "kinit -k PC$@DOMAIN". ("pc$" is the value of your machine's sAMAccountName attribute.) However, this requires your keytab to contain an entry for "pc@DOMAIN" or "PC@DOMAIN".
I recommend using msktutil (http://sourceforge.net/projects/msktutil/) to create the keytab: "msktutil --create" will create a keytab that contains the "pc$@DOMAIN" principal...
> Or should I create a separate keytab and specify it in ldapsearch? But I haven't found this option.
No, that is not necessary. ldapsearch needs a ticket cache, not a keytab. (The ticket cache can be specified via the environment variable KRB5CCNAME.)
> Moreover, I know that Kerberos tickets can expire and I would have to re-enter the password to obtain a new one.
Run the above kinit command on a regular basis (e.g. via cron). A better solution would be to use kstart (http://www.eyrie.org/~eagle/software/kstart) instead of kinit.
-- Mark Pröhl
openldap-technical@openldap.org
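The cron-driven flow the replies describe (kinit from a keytab into a ticket cache, then ldapsearch -Y GSSAPI), as an added example script that is not from any of the posts. The keytab path, principal PC$@EXAMPLE.COM, DC host and base DN are placeholders; it also uses a private KRB5CCNAME so the job never clobbers an interactive user's cache, and refuses a keytab that other users can read.

```shell
#!/bin/sh
# Added example: password-less AD query via GSSAPI from a keytab (placeholders
# below are assumptions, not values from the thread). Linux/MIT krb5 assumed.
set -eu

KEYTAB="${KEYTAB:-/etc/krb5.ldapquery.keytab}"
PRINC="${PRINC:-PC\$@EXAMPLE.COM}"          # machine account sAMAccountName$@REALM
LDAP_URI="${LDAP_URI:-ldap://dc1.example.com}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"
# Private ticket cache for this job; ldapsearch picks it up via KRB5CCNAME.
export KRB5CCNAME="FILE:${TMPDIR:-/tmp}/krb5cc_ldapquery_$(id -u)"

# A keytab is equivalent to the account's password: reject group/other access.
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ $((0$mode & 0077)) -eq 0 ]
}

# Obtain a TGT only when the cache is missing or expired; "klist -s" is silent
# and exits non-zero in that case. This is the "kinit -k from cron" step.
ensure_ticket() {
    if klist -s 2>/dev/null; then
        return 0
    fi
    kinit -k -t "$KEYTAB" "$PRINC"
}

# GSSAPI bind: no password in the script, the crontab or the process list.
# -Q suppresses SASL prompts so the job cannot hang waiting for input.
ad_search() {
    filter="$1"; shift
    ldapsearch -LLL -Q -Y GSSAPI -H "$LDAP_URI" -b "$BASE_DN" "$filter" "$@"
}

main() {
    keytab_mode_ok "$KEYTAB" || { echo "refusing: $KEYTAB is readable by others" >&2; exit 1; }
    ensure_ticket
    ad_search '(objectClass=computer)' dNSHostName operatingSystem
}

# Usage: ./adquery.sh run   (the guard lets the functions be sourced for reuse)
if [ "${1:-}" = "run" ]; then shift; main "$@"; fi
```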