On 09/02/2015 03:22 PM, l(a)avc.su wrote:
> I've got a CentOS 6.5 server enrolled in an AD domain. There's a
> script which should connect to AD and get some info with
> ldapsearch. We were using simple bind with username and password,
> but I wonder if there is any way to do queries and be
> authenticated by GSSAPI without the need of entering a password?
Yes, this can be done. "ldapsearch -Y GSSAPI ..." uses Kerberos
tickets instead of passwords.
> Maybe I can somehow use the system krb5.keytab and do queries in the
> name of the server (host/pc@DOMAIN credentials)?
You can try to use "kinit -k host/pc@DOMAIN" to create a ticket cache
from your krb5.keytab. This will only succeed if your machine's AD
account has its userPrincipalName attribute set to "host/pc@DOMAIN".
Otherwise you can use "kinit -k pc$@DOMAIN" or "kinit -k PC$@DOMAIN".
("pc$" is the value of your machine's sAMAccountName attribute.)
However, this requires your keytab to contain an entry for "pc@DOMAIN"
I recommend using msktutil
) to create the keytab:
"msktutil --create" will create a keytab that contains the
> Or should I create a separate keytab and specify it in ldapsearch?
> But I haven't found this option.
No, that is not necessary. ldapsearch needs a ticket cache, not a
keytab. (The ticket cache could be specified via environment: KRB5CCNAME)
> Moreover, I know that Kerberos tickets can expire and I would have to
> re-enter the password to obtain a new one.
Run the above kinit command on a regular basis (e.g. by cron). A better
solution would be to use kstart
) instead of kinit.
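Putting the pieces of the reply together (keytab-based kinit, a private ticket cache handed to ldapsearch through KRB5CCNAME, and renewal only when the ticket has expired), here is an added example script; it is not from the thread or from msktutil/kstart. The keytab path, cache path, domain controller, realm, base DN and the sample "klist -k" output are assumptions made for illustration. The principal selection prefers the sAMAccountName form (PC$@REALM) because it exists for every joined machine, and falls back to host/fqdn@REALM, which as noted above only works when the account's userPrincipalName is set to it.

```shell
#!/bin/sh
# Added example: unattended GSSAPI ldapsearch against AD using the machine keytab.
# All hostnames, realm, base DN and filter values below are assumptions.
set -eu

KEYTAB=/etc/krb5.keytab            # system keytab (msktutil --create writes here by default)
CCACHE=/tmp/krb5cc_ldapquery       # private ticket cache for this job; ldapsearch finds it via KRB5CCNAME
LDAP_URI=ldap://dc1.example.com    # assumed domain controller
BASE_DN='DC=example,DC=com'        # assumed search base

# pick_principal: read "klist -k" output on stdin and print the principal to
# kinit as. Prefers PC$@REALM (sAMAccountName, always present for a joined
# machine); falls back to host/fqdn@REALM; exits 1 if neither is in the keytab.
pick_principal() {
    awk '
        $1 ~ /^[0-9]+$/ && $2 ~ /\$@/              { machine = $2 }
        $1 ~ /^[0-9]+$/ && $2 ~ /^host\// && !host { host = $2 }
        END {
            if (machine)   print machine
            else if (host) print host
            else           exit 1
        }'
}

# ensure_ticket: obtain a TGT from the keytab only when the cache has no valid
# ticket. "klist -s" is silent and exits non-zero on a missing or expired cache,
# so this is cheap enough to run from cron every few minutes.
ensure_ticket() {
    principal=$(klist -k "$KEYTAB" | pick_principal)
    if ! klist -s -c "$CCACHE"; then
        kinit -k -t "$KEYTAB" -c "$CCACHE" "$principal"
    fi
}

# ad_query: the actual search, authenticated by the ticket instead of a password.
# -Y GSSAPI selects the Kerberos SASL mechanism, -Q silences SASL chatter,
# -LLL trims LDIF comments. Usage: ad_query '(sAMAccountName=jdoe)' cn mail
ad_query() {
    filter=$1; shift
    ensure_ticket
    KRB5CCNAME="FILE:$CCACHE" ldapsearch -LLL -Q -Y GSSAPI \
        -H "$LDAP_URI" -b "$BASE_DN" "$filter" "$@"
}

# Constructed "klist -k" output, used for an offline check of pick_principal.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/pc.example.com@EXAMPLE.COM
   3 PC$@EXAMPLE.COM'

if [ "${1:-}" = run ]; then
    # Real query; needs a domain-joined host with a populated keytab.
    ad_query '(sAMAccountName=jdoe)' cn mail
else
    # Offline demonstration of which principal would be used.
    printf 'would kinit as: %s\n' "$(printf '%s\n' "$SAMPLE_KLIST" | pick_principal)"
fi
```

Invoke it as "sh script.sh run" from cron; without the argument it only shows which keytab principal it would use. Because the cache lives at a fixed private path rather than the user's default cache, a concurrent interactive kinit on the same account cannot clobber the job's ticket, and the job never needs a password.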