[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

steve steve at steve-ss.com
Thu Dec 19 10:16:00 MST 2013


On Thu, 2013-12-19 at 18:00 +0100, Cyril Lalinne wrote:
> > On 19/12/2013 17:53, Rowland Penny wrote:
> > On 19/12/13 16:46, Cyril wrote:
> >>> On 19/12/2013 17:42, Rowland Penny wrote:
> >>> On 19/12/13 16:22, steve wrote:
> >>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
> >>>>> On 19/12/13 15:53, Cyril wrote:
> >>>>>> On 19/12/2013 16:05, steve wrote:
> >>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
> >>>>>>>> On 18/12/2013 15:40, Cyril wrote:
> >>>>>>>>> Hello,
> >>>>>>>>>
> >>>>>>>>> I think I'm starting to understand how a Linux client can be
> >>>>>>>>> integrated into a samba domain.
> >>>>>>>>>
> >>>>>>>>> Tell me if I'm wrong :
> >>>>>>>>>
> >>>>>>>>> Linux clients don't need Samba for authentication, only the ldap
> >>>>>>>>> part of samba.
> >>>>>>>>> sssd gets information from ldap through kerberos. If the user is
> >>>>>>>>> known or has the right, he can log in.
> >>>>>>>>>
> >>>>>>>>> So why should I need to install winbind and samba4 on the linux
> >>>>>>>>> client? Is it only if I have a Windows AD?
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Thanks
> >>>>>>>>> Cyril
> >>>>>>>>>
> >>>>>>>> I can't get sssd working and I don't know why.
> >>>>>>> Hi
> >>>>>>> Please post the censored content of:
> >>>>>>> /etc/sssd/sssd.conf
> >>>>>>> and the passwd and group greps of:
> >>>>>>> /etc/nsswitch.conf
> >>>>>>> and, for later:
> >>>>>>> /etc/pam.d/common-auth
> >>>>>>> Steve
> >>>>>>>
> >>>>>>>
> >>>>>> The workstation is an Ubuntu 12.04 LTS 64-bit
> >>>>>>
> >>>>>> /etc/sssd/sssd.conf :
> >>>>>>
> >>>>>> [sssd]
> >>>>>> services = nss, pam
> >>>>>> config_file_version = 2
> >>>>>> domains = default
> >>>>>>
> >>>>>> [nss]
> >>>>>>
> >>>>>> [pam]
> >>>>>>
> >>>>>> [domain/default]
> >>>>>> ad_hostname = myserver.sub-domain.domain.fr
> >>>>>> ad_server = myserver.sub-domain.domain.fr
> >>>>>> ad_domain = sub-domain.domain.fr
> >>>>>>
> >>>>>> ldap_schema = ad
> >>>>>> id_provider = ad
> >>>>>> access_provider = simple
> >>>>>>
> >>>>>> # on large directories, you may want to disable enumeration for performance reasons
> >>>>>> enumerate = true
> >>>>>>
> >>>>>> auth_provider = krb5
> >>>>>> chpass_provider = krb5
> >>>>>> ldap_sasl_mech = gssapi
> >>>>>> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
> >>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
> >>>>>> krb5_server = myserver.sub-domain.domain.fr
> >>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
> >>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
> >>>>>> ldap_krb5_init_creds = true
> >>>>>>
> >>>>>> ldap_referrals = false
> >>>>>> ldap_uri = ldap://myserverIPadress
> >>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
> >>>>>>
> >>>>>> dyndns_update=false
> >>>>>>
> >>>>>> /etc/nsswitch.conf
> >>>>>>
> >>>>>> passwd:         compat sss
> >>>>>> group:          compat sss
> >>>>>> shadow:         compat
> >>>>>>
> >>>>>> hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
> >>>>>> networks:       files
> >>>>>>
> >>>>>> protocols:      db files
> >>>>>> services:       db files
> >>>>>> ethers:         db files
> >>>>>> rpc:            db files
> >>>>>>
> >>>>>> netgroup:       nis
> >>>>>> sudoers:        files sss
> >>>>>>
> >>>>>> /etc/pam.d/common-auth
> >>>>>>
> >>>>>>
> >>>>>> # here are the per-package modules (the "Primary" block)
> >>>>>> auth    [success=1 default=ignore]      pam_unix.so nullok_secure
> >>>>>> # here's the fallback if no module succeeds
> >>>>>> auth    requisite                       pam_deny.so
> >>>>>> # prime the stack with a positive return value if there isn't one already;
> >>>>>> # this avoids us returning an error just because nothing sets a success code
> >>>>>> # since the modules above will each just jump around
> >>>>>> auth    required                        pam_permit.so
> >>>>>> # and here are more per-package modules (the "Additional" block)
> >>>>>> auth    optional                        pam_cap.so
> >>>>>> # end of pam-auth-update config
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Cyril
> >>>>>>
> >>>>> As Steve says, might as well start with a new sssd.conf, here is a
> >>>>> working (sanitized) version from the laptop I am typing on ;-)
> >>>>>
> >>>>> [sssd]
> >>>>> config_file_version = 2
> >>>>> domains = default
> >>>>> services = nss, pam
> >>>>>
> >>>>> [nss]
> >>>>>
> >>>>> [pam]
> >>>>>
> >>>>> [domain/default]
> >>>>> description = AD domain with Samba 4 server
> >>>>> cache_credentials = true
> >>>>> enumerate = true
> >>>>> id_provider = ldap
> >>>>> auth_provider = krb5
> >>>>> chpass_provider = krb5
> >>>>> access_provider = ldap
> >>>>> autofs_provider = ldap
> >>>>> sudo_provider = ldap
> >>>>>
> >>>>> krb5_server = your.Samba4server.FQDN
> >>>>> krb5_kpasswd = your.Samba4server.FQDN
> >>>>> krb5_realm = UPPERCASE.REALM
> >>>>>
> >>>>> ldap_referrals = false
> >>>>> ldap_schema = rfc2307bis
> >>>>> ldap_access_order = expire
> >>>>> ldap_account_expire_policy = ad
> >>>>> ldap_force_upper_case_realm = true
> >>>>>
> >>>>> ldap_user_object_class = user
> >>>>> ldap_user_name = sAMAccountName
> >>>>> ldap_user_home_directory = unixHomeDirectory
> >>>>> ldap_user_principal = userPrincipalName
> >>>>>
> >>>>> ldap_group_object_class = group
> >>>>> ldap_group_name = sAMAccountName
> >>>>>
> >>>>> ldap_sasl_mech = GSSAPI
> >>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
> >>>>> ldap_krb5_init_creds = true
> >>>>>
> >>>>> Rowland
> >>>> @Rowland
> >>>> Is the OP on sssd <= 1.9.x ?
> >>>> Steve
> >>>>
> >>>>
> >>>>
> >>> He posted earlier that he was using Ubuntu 12.04, so I suggested that he
> >>> used the sssd ppa. I believe that he is now using this ppa and if so, he
> >>> should be using 1.11.1
> >>>
> >>> Rowland
> >>>
> >> Yes that's what I did.
> >>
> >> But I think Steve would like to know the version on the laptop you're
> >> currently using.
> >>
> > Thanks for confirming that, but you are the 'OP' he referred to, OP =
> > original poster
> >
> > Rowland
> 
> :-)
> 
> Cyril

OK. Glad we've got that one sorted.

Just for completeness, here's a working 1.11.1 sssd.conf with all the ad
and autofs bits:
[sssd]
#debug_level = 9
services = nss, pam, autofs
config_file_version = 2
domains = default

[nss]

[pam]

[autofs]

[domain/default]
#debug_level = 9
dyndns_update=true
#dyndns_refresh_interval = 8
ad_hostname = catral.hh3.site
ad_server = hh16.hh3.site
ad_domain = hh3.site

ldap_schema = ad
id_provider = ad
access_provider = ad
enumerate = false
cache_credentials = true
#entry_cache_timeout = 60
auth_provider = ad
chpass_provider = ad
krb5_realm = hh3.site
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site

ldap_id_mapping=false
ldap_referrals = false
ldap_uri = ldap://hh16.hh3.site
ldap_search_base = dc=hh3,dc=site
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=hh3,dc=site
ldap_group_name = cn
ldap_group_member = member

ldap_sasl_mech = gssapi
ldap_sasl_authid = CATRAL$@HH3.SITE
krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true

autofs_provider=ldap

#ldap_autofs_search_base = CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
#ldap_autofs_map_object_class = nisMap
#ldap_autofs_entry_object_class = nisObject
#ldap_autofs_map_name = nisMapName
#ldap_autofs_entry_key = cn
#ldap_autofs_entry_value = nisMapEntry

ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
ldap_autofs_map_object_class = automountMap
ldap_autofs_entry_object_class = automount
ldap_autofs_map_name = automountMapName
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation


Please note that we must canonicalise IPs. We must use a DNS resolvable
name, NOT a series of numbers. I think.

HTH
Steve
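
Added example (editor's note, not part of the thread or of SSSD): an offline
lint over the three files Steve asked for (sssd.conf, the passwd/group lines of
nsswitch.conf, and pam.d/common-auth). It flags the points the thread turns on:
an IP literal where Kerberos/GSSAPI needs a resolvable name (Steve's closing
remark), a lower-case or mismatched Kerberos realm, enumerate = true on a large
directory, access_provider = simple with no allow lists (which admits every
domain user), 'sss' missing from nsswitch, and an auth stack with no pam_sss.so
(the common-auth posted above has none, so PAM never hands the password to SSSD).
The sample inputs are constructed from the sanitised config posted in the thread;
the ldap_uri is changed to an RFC 5737 documentation address so the IP check
fires, and the "fixed" PAM stack is an assumed stack with pam_sss.so added.

```python
# Added example, not from the mailing-list thread or the SSSD project.
import configparser
import ipaddress
from urllib.parse import urlparse


def _is_ip_literal(host):
    """True for '192.0.2.10' or '[2001:db8::1]', False for a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def lint_sssd(text):
    """Return (code, detail) findings for every [domain/*] section of sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        d = cp[name]
        # GSSAPI derives the service principal (ldap/<fqdn>@REALM) from the host
        # name it is given; an IP literal gives it nothing to build that from.
        for key in ("krb5_server", "krb5_kpasswd", "ad_server", "ldap_uri"):
            for item in filter(None, (v.strip() for v in d.get(key, "").split(","))):
                host = urlparse(item).hostname if "://" in item else item
                if host and _is_ip_literal(host):
                    findings.append(("ip-literal", f"{key} = {item}"))
        realm = d.get("krb5_realm", "").strip()
        authid = d.get("ldap_sasl_authid", "").strip()
        if realm and realm != realm.upper():
            # Kerberos realm names are case-sensitive and conventionally upper-case.
            findings.append(("realm-lowercase", f"krb5_realm = {realm}"))
        if realm and "@" in authid and authid.rsplit("@", 1)[1].upper() != realm.upper():
            findings.append(("realm-mismatch", f"{authid} vs krb5_realm {realm}"))
        if d.get("enumerate", "false").strip().lower() == "true":
            findings.append(("enumerate", "full enumeration is slow on large directories"))
        # The simple access provider with no allow list permits every domain user.
        if d.get("access_provider", "").strip() == "simple" and not (
            d.get("simple_allow_users") or d.get("simple_allow_groups")
        ):
            findings.append(("simple-allow-all", "access_provider = simple without allow lists"))
    return findings


def lint_nsswitch(text):
    """passwd and group must list the sss source, or getent never sees the domain."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if db.strip() in ("passwd", "group") and "sss" not in sources.split():
            findings.append(("nsswitch-no-sss", db.strip()))
    return findings


def lint_pam_auth(text):
    """Without an 'auth ... pam_sss.so' line the password is never sent to SSSD."""
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens and tokens[0] == "auth" and any(t.endswith("pam_sss.so") for t in tokens):
            return []
    return [("pam-no-sss", "no pam_sss.so in the auth stack")]


def lint_client(sssd_conf, nsswitch, common_auth):
    return lint_sssd(sssd_conf) + lint_nsswitch(nsswitch) + lint_pam_auth(common_auth)


# Constructed from the sanitised sssd.conf posted in the thread (trimmed);
# ldap_uri is changed to a documentation-range IP literal so the check fires.
THREAD_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
ad_server = myserver.sub-domain.domain.fr
ad_domain = sub-domain.domain.fr
id_provider = ad
access_provider = simple
enumerate = true
auth_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
krb5_realm = SUBDOMAIN.DOMAIN.FR
krb5_server = myserver.sub-domain.domain.fr
ldap_uri = ldap://192.0.2.10
ldap_search_base = dc=subdomain,dc=domain,dc=fr
"""
THREAD_NSSWITCH = "passwd:  compat sss\ngroup:   compat sss\nshadow:  compat\n"
THREAD_COMMON_AUTH = """\
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""
# Assumed corrected stack: pam_sss.so tried after pam_unix.so with the same password.
FIXED_COMMON_AUTH = """\
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

if __name__ == "__main__":
    for code, detail in lint_client(THREAD_SSSD_CONF, THREAD_NSSWITCH, THREAD_COMMON_AUTH):
        print(f"{code:18} {detail}")
```

Run it against the real files with open(...).read() in place of the embedded
samples; each finding is a (code, detail) pair so it can be asserted on from a
provisioning test rather than eyeballed.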