karlmdavis / justdavis-ansible

The Ansible playbooks, roles, etc. used by the Davis family (justdavis.com) systems.

Can't run 'nss_updatedb ldap' due to auth requirements #6

Open karlmdavis opened 6 years ago

karlmdavis commented 6 years ago

The LDAP server is configured to require authentication. I've gone back and forth on this, but I think it's probably for the best. However, that means that ldapsearch, nss_updatedb ldap, etc. won't work without a Kerberos ticket:

$ sudo /usr/sbin/nss_updatedb ldap
Failed to enumerate nameservice: Connection reset by peer
passwd... nameservice unavailable.
$ ldapsearch
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)

The right way to fix this is:

  1. Create a Kerberos principal that Ansible can use when not running against eddings, e.g. ansible.
  2. Use that principal to create a host keytab via kadmin on all workstations.
    • Probably not strictly necessary, but still a good idea.
  3. Use that principal to create an nss_updatedb service keytab on all workstations.
  4. Fix my cron job and other nss_updatedb usage to use that service keytab.

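The four steps above as an added example, not code from the justdavis-ansible repo: a POSIX shell script for the cron job that takes a ticket from a dedicated service keytab into a private credential cache, runs nss_updatedb, and discards the cache. The principal nss_updatedb/<host>@EXAMPLE.REALM, the keytab path, and the script path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the justdavis-ansible repo: run nss_updatedb under a
# dedicated service keytab so the cron job no longer depends on a user's ticket.
# Assumed names (placeholders): principal nss_updatedb/<host>@EXAMPLE.REALM and
# keytab /etc/nss_updatedb.keytab.

# Steps 1-3, run once by a Kerberos admin: create the service principal with a
# random key and export it to a keytab that only root can read.
#   kadmin.local -q "addprinc -randkey nss_updatedb/ws1.example.com@EXAMPLE.REALM"
#   kadmin.local -q "ktadd -k /etc/nss_updatedb.keytab nss_updatedb/ws1.example.com@EXAMPLE.REALM"
#   chmod 0600 /etc/nss_updatedb.keytab

# A keytab is a long-lived credential: refuse one that other users can read.
keytab_is_private() {
    [ -f "$1" ] || return 1
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$perms" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 4: get a ticket from the keytab into a private credential cache, run the
# enumeration, then discard the cache whether or not the update succeeded.
# KINIT/KDESTROY/NSS_UPDATEDB are overridable so the flow can be dry-run without a KDC.
run_nss_updatedb() {
    keytab="${KEYTAB:-/etc/nss_updatedb.keytab}"
    principal="${PRINCIPAL:-nss_updatedb/$(hostname)@EXAMPLE.REALM}"
    keytab_is_private "$keytab" || { echo "keytab $keytab missing or too permissive" >&2; return 2; }
    cc=$(mktemp "${TMPDIR:-/tmp}/krb5cc_nss_updatedb.XXXXXX") || return 2
    export KRB5CCNAME="FILE:$cc"
    rc=0
    if "${KINIT:-kinit}" -k -t "$keytab" "$principal"; then
        "${NSS_UPDATEDB:-/usr/sbin/nss_updatedb}" ldap || rc=$?
    else
        rc=$?   # kinit failed: report its status, still clean up below
    fi
    "${KDESTROY:-kdestroy}" >/dev/null 2>&1 || true
    rm -f "$cc"
    return "$rc"
}

# Root crontab entry, assuming the script is installed as /usr/local/sbin/nss_updatedb_keytab.sh:
#   */15 * * * * /usr/local/sbin/nss_updatedb_keytab.sh run
if [ "$1" = run ]; then run_nss_updatedb; fi
```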
karlmdavis commented 6 years ago

For now, I've added a partial workaround for this that grabs the test user's ticket when running nss_updatedb as part of my Ansible plays. The cron job is still 100% broken, though.

Conzar commented 5 years ago

@karlmdavis what was the workaround?