
Re: ldapsearch and kerberos keytab



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 09/02/2015 03:22 PM, l@avc.su wrote:
> I've got CentOS 6.5 server enrolled in an AD domain. There's a
> script which should connect to AD and get some info with 
> ldapsearch. We were using simple bind with username and password,
> but I wonder if there is any way to do queries and being
> authenticated by GSSAPI without the need of password entering?

Yes, this can be done. "ldapsearch -Y GSSAPI ..." uses Kerberos
tickets instead of passwords.

> Maybe, I somehow can use system krb5.keytab and do queries from the
> name of the server (host/pc@DOMAIN credentials)?

You can try to use "kinit -k host/pc@DOMAIN" to create a ticket cache
from your krb5.keytab. This will only succeed if your machine's AD
account has its userPrincipalName attribute set to "host/pc@DOMAIN".
Otherwise you can use "kinit -k pc$@DOMAIN" or "kinit -k PC$@DOMAIN".
("pc$" is the value of your machine's sAMAccountName attribute.)
However, this requires your keytab to contain an entry for "pc@DOMAIN"
or "PC@DOMAIN".

I recommend using msktutil
(http://sourceforge.net/projects/msktutil/) to create the keytab:
"msktutil --create" will create a keytab that contains the
"pc$@DOMAIN" principal...

> Or I should create separate keytab and specify it in ldapsearch?
> But I haven't found this option.

No, that is not necessary. ldapsearch needs a ticket cache, not a
keytab. (The ticket cache can be specified via the KRB5CCNAME
environment variable.)


> Moreover, I know that kerberos tickets could expire and I should
> re-enter pass to obtain new one.

Run the above kinit command on a regular basis (e.g. from cron). A better
solution would be to use kstart
(http://www.eyrie.org/~eagle/software/kstart) instead of kinit.

- --
Mark Pröhl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iF4EAREIAAYFAlXp6wsACgkQcnTijk4OXrJXMwD9Emf2+rKVFGvfxOSOPwLnKZ1K
eLMxLqatmAXx4xDncBMA/2nH5cfraq8lQBlp1ERq/R21nfU+9P43i+sjz6pTk93G
=fMeM
-----END PGP SIGNATURE-----
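The procedure described in the reply above, put together as one script: pick a usable principal out of the host keytab, obtain a TGT into a private ticket cache with "kinit -k", and run ldapsearch with "-Y GSSAPI" against that cache, refreshing from cron when the ticket has expired. This is an added example and not code from the original thread or from msktutil/kstart. The host name pc.example.com, realm EXAMPLE.COM, domain controller dc1.example.com, search base DC=example,DC=com and the cache path /var/run/ad-query.cc are assumptions chosen for illustration; the "klist -kt" listing embedded in the script is constructed sample output.

```shell
#!/bin/sh
# Added example, not code from the original message. Assumed values: host
# pc.example.com in realm EXAMPLE.COM, DC dc1.example.com, search base
# DC=example,DC=com, and /var/run/ad-query.cc as a cache path this script
# may own. Adjust all of them for your domain.
set -u

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
CACHE="${CACHE:-/var/run/ad-query.cc}"          # private cache, not the user's default
LDAP_URI="${LDAP_URI:-ldap://dc1.example.com}"  # assumed domain controller
BASE_DN="${BASE_DN:-DC=example,DC=com}"          # assumed search base

# Constructed sample of "klist -kt /etc/krb5.keytab" output, as a keytab
# created by msktutil would look: a host/ SPN plus the machine account.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 09/02/2015 15:22:10 host/pc.example.com@EXAMPLE.COM
   3 09/02/2015 15:22:10 PC$@EXAMPLE.COM'

# pick_principal: read "klist -kt" output on stdin and print the principal to
# hand to "kinit -k". The machine account (NAME$@REALM) is preferred because
# kinit can use it without the AD account having a matching
# userPrincipalName; host/fqdn@REALM is the fallback. Prints nothing and
# returns 1 when the keytab holds neither.
pick_principal() {
    awk '
        $NF ~ /@/ {
            p = $NF
            if (p ~ /\$@/ && m == "") m = p
            if (p ~ /^host\// && h == "") h = p
        }
        END {
            if (m != "") print m
            else if (h != "") print h
            else exit 1
        }'
}

# cache_valid: true if the private cache still holds an unexpired ticket
# (klist -s is silent and exits non-zero when there is none).
cache_valid() {
    KRB5CCNAME="FILE:$CACHE" klist -s
}

# refresh_cache: obtain a fresh TGT from the keytab into the private cache.
# Run it from cron (e.g. every 30 minutes) so the cache does not expire
# between queries; "k5start -f $KEYTAB -U -K 30 -k $CACHE" from kstart does
# the same as a daemon.
refresh_cache() {
    princ=$(klist -kt "$KEYTAB" | pick_principal) || {
        echo "no usable principal in $KEYTAB" >&2
        return 1
    }
    umask 077                                   # keep the cache file private
    kinit -k -t "$KEYTAB" -c "FILE:$CACHE" "$princ"
}

# ad_query: run ldapsearch with GSSAPI using the private cache. -Q never
# prompts for credentials, -N skips reverse-DNS canonicalisation of the DC
# name so the ldap/<name> SPN requested is the name given in LDAP_URI.
ad_query() {
    cache_valid || refresh_cache || return 1
    KRB5CCNAME="FILE:$CACHE" ldapsearch -LLL -Q -N -Y GSSAPI \
        -H "$LDAP_URI" -b "$BASE_DN" "$@"
}

# Usage: ad-query.sh refresh
#        ad-query.sh query '(sAMAccountName=jdoe)' mail
# With no arguments, show which principal the sample listing selects.
case "${1:-}" in
    refresh) refresh_cache ;;
    query)   shift; ad_query "$@" ;;
    *)       printf '%s\n' "$SAMPLE_KLIST" | pick_principal ;;
esac
```

The keytab stays readable by root only; the script only ever turns it into a short-lived ticket cache that it owns, and ldapsearch never sees the keytab itself, which is the point of the reply's "ticket cache, not a keytab" answer.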