[lsc-users] GSSAPI auth

Francesco Malvezzi francesco.malvezzi@unimore.it
Tue Dec 10 14:43:17 CET 2013

Hi all,

I tested GSSAPI auth with a samba-4.1.2 active directory server.

There are a few files to edit:
1) create a ./etc/gsseg_jaas.conf with the following:

/* Login Configuration for JAAS. */
org.lsc.jndi.JndiServices {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};

2) soft-link your krb5.conf to ./etc/krb5.ini (ln -s /etc/krb5.conf ./etc/krb5.ini)

3) edit ./bin/lsc:
insert the line:
JAVA_OPTS="$JAVA_OPTS -Djavax.security.auth.useSubjectCredsOnly=false"
before the line in which lsc is launched, for instance:

JAVA_OPTS="$JAVA_OPTS -Djavax.security.auth.useSubjectCredsOnly=false"


4) modify lsc.xml <ldapConnection>:

      <username>adminlsc@EXAMPLE.ORG</username>
Please note the username is in Kerberos style; it is not a DN. Please
remember to type the realm in UPPERCASE.

5) either kinit adminlsc@EXAMPLE.ORG or load the principal from a keytab

6) run command as usual.

Strangely lsc works with GSSAPI/LDAPS, while ldapsearch does not. If I run

ldapsearch -Y GSSAPI -H ldaps://pdc.example.org:636 -b dc=ad,dc=example,dc=org 'cn=jsmith'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
	additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used

But I don't face this issue with lsc. Good.
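As an added example (not from the post and not LSC's own code), here is a minimal JNDI search over LDAPS with GSSAPI that relies on the same two system properties the post puts into JAVA_OPTS and on a ticket obtained with kinit, and that makes explicit the SASL QOP of "auth" that JNDI uses by default, which is consistent with lsc succeeding where the sign/seal-over-TLS attempt is refused. It assumes the host, base DN and filter from the post (placeholders) and that the AD server's certificate is trusted by the JVM (e.g. via -Djavax.net.ssl.trustStore).

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Minimal GSSAPI-over-LDAPS search with JNDI (added example, not LSC code).
 * Run after "kinit adminlsc@EXAMPLE.ORG" with the same properties the post
 * adds to JAVA_OPTS, so JGSS takes the TGT from the ticket cache:
 *   java -Djava.security.krb5.conf=./etc/krb5.ini \
 *        -Djavax.security.auth.useSubjectCredsOnly=false GssapiLdapsCheck
 * Host, base DN and filter are the placeholders used in the post.
 */
public class GssapiLdapsCheck {
    static final String URL = "ldaps://pdc.example.org:636";
    static final String BASE = "dc=ad,dc=example,dc=org";
    static final String FILTER = "(cn=jsmith)";

    public static void main(String[] args) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        // SASL mechanism; no principal or password here, Kerberos supplies both.
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Authentication only (JNDI's default, made explicit): integrity and
        // confidentiality already come from TLS, and the server in the post
        // refuses a GSSAPI sign/seal layer on top of it ("Sign or Seal are
        // not allowed if TLS is used").
        env.put("javax.security.sasl.qop", "auth");

        DirContext ctx = new InitialDirContext(env); // the GSSAPI bind happens here
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"sAMAccountName"});
            NamingEnumeration<SearchResult> results = ctx.search(BASE, FILTER, sc);
            while (results.hasMore()) {
                SearchResult r = results.next();
                System.out.println(r.getNameInNamespace() + " "
                        + r.getAttributes().get("sAMAccountName"));
            }
        } finally {
            ctx.close();
        }
    }
}
```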
