[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

steve steve at steve-ss.com
Thu Dec 19 11:16:55 MST 2013


On Thu, 2013-12-19 at 18:11 +0000, Rowland Penny wrote:
> On 19/12/13 18:00, Cyril wrote:
> > On 19/12/2013 18:16, steve wrote:
> >> On Thu, 2013-12-19 at 18:00 +0100, Cyril Lalinne wrote:
> >>> On 19/12/2013 17:53, Rowland Penny wrote:
> >>>> On 19/12/13 16:46, Cyril wrote:
> >>>>> On 19/12/2013 17:42, Rowland Penny wrote:
> >>>>>> On 19/12/13 16:22, steve wrote:
> >>>>>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
> >>>>>>>> On 19/12/13 15:53, Cyril wrote:
> >>>>>>>>> On 19/12/2013 16:05, steve wrote:
> >>>>>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
> >>>>>>>>>>> On 18/12/2013 15:40, Cyril wrote:
> >>>>>>>>>>>> Hello,
> >>>>>>>>>>>>
> >>>>>>>>>>>> I think I'm starting to understand how a Linux client can be
> >>>>>>>>>>>> integrated into a samba domain.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Tell me if I'm wrong:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Linux clients don't need Samba for authentication, only the
> >>>>>>>>>>>> ldap part of samba.
> >>>>>>>>>>>> sssd through kerberos gets information from ldap. If the
> >>>>>>>>>>>> user is known or has the right, he can log in.
> >>>>>>>>>>>>
> >>>>>>>>>>>> So why should I need to install winbind and samba4 on the
> >>>>>>>>>>>> linux client?
> >>>>>>>>>>>> Is it only if I have a Windows AD?
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> Thanks
> >>>>>>>>>>>> Cyril
> >>>>>>>>>>>>
> >>>>>>>>>>> I can't get sssd working and I don't know why.
> >>>>>>>>>> Hi
> >>>>>>>>>> Please post the censored content of:
> >>>>>>>>>> /etc/sssd/sssd.conf
> >>>>>>>>>> and the passwd and group greps of:
> >>>>>>>>>> /etc/nsswitch.conf
> >>>>>>>>>> and, for later:
> >>>>>>>>>> /etc/pam.d/common-auth
> >>>>>>>>>> Steve
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>> The workstation is an Ubuntu 12.04 LTS 64-bit
> >>>>>>>>>
> >>>>>>>>> /etc/sssd/sssd.conf:
> >>>>>>>>>
> >>>>>>>>> [sssd]
> >>>>>>>>> services = nss, pam
> >>>>>>>>> config_file_version = 2
> >>>>>>>>> domains = default
> >>>>>>>>>
> >>>>>>>>> [nss]
> >>>>>>>>>
> >>>>>>>>> [pam]
> >>>>>>>>>
> >>>>>>>>> [domain/default]
> >>>>>>>>> ad_hostname = myserver.sub-domain.domain.fr
> >>>>>>>>> ad_server = myserver.sub-domain.domain.fr
> >>>>>>>>> ad_domain = sub-domain.domain.fr
> >>>>>>>>>
> >>>>>>>>> ldap_schema = ad
> >>>>>>>>> id_provider = ad
> >>>>>>>>> access_provider = simple
> >>>>>>>>>
> >>>>>>>>> # on large directories, you may want to disable enumeration for performance reasons
> >>>>>>>>> enumerate = true
> >>>>>>>>>
> >>>>>>>>> auth_provider = krb5
> >>>>>>>>> chpass_provider = krb5
> >>>>>>>>> ldap_sasl_mech = gssapi
> >>>>>>>>> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
> >>>>>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
> >>>>>>>>> krb5_server = myserver.sub-domain.domain.fr
> >>>>>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
> >>>>>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
> >>>>>>>>> ldap_krb5_init_creds = true
> >>>>>>>>>
> >>>>>>>>> ldap_referrals = false
> >>>>>>>>> ldap_uri = ldap://myserverIPadress
> >>>>>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
> >>>>>>>>>
> >>>>>>>>> dyndns_update=false
> >>>>>>>>>
> >>>>>>>>> /etc/nsswitch.conf
> >>>>>>>>>
> >>>>>>>>> passwd:         compat sss
> >>>>>>>>> group:          compat sss
> >>>>>>>>> shadow:         compat
> >>>>>>>>>
> >>>>>>>>> hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
> >>>>>>>>> networks:       files
> >>>>>>>>>
> >>>>>>>>> protocols:      db files
> >>>>>>>>> services:       db files
> >>>>>>>>> ethers:         db files
> >>>>>>>>> rpc:            db files
> >>>>>>>>>
> >>>>>>>>> netgroup:       nis
> >>>>>>>>> sudoers:        files sss
> >>>>>>>>>
> >>>>>>>>> /etc/pam.d/common-auth
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> # here are the per-package modules (the "Primary" block)
> >>>>>>>>> auth    [success=1 default=ignore] pam_unix.so nullok_secure
> >>>>>>>>> # here's the fallback if no module succeeds
> >>>>>>>>> auth    requisite pam_deny.so
> >>>>>>>>> # prime the stack with a positive return value if there isn't one already;
> >>>>>>>>> # this avoids us returning an error just because nothing sets a success code
> >>>>>>>>> # since the modules above will each just jump around
> >>>>>>>>> auth    required pam_permit.so
> >>>>>>>>> # and here are more per-package modules (the "Additional" block)
> >>>>>>>>> auth    optional                        pam_cap.so
> >>>>>>>>> # end of pam-auth-update config
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Cyril
> >>>>>>>>>
> >>>>>>>> As Steve says, might as well start with a new sssd.conf, here is a
> >>>>>>>> working (sanitized) version from the laptop I am typing on ;-)
> >>>>>>>>
> >>>>>>>> [sssd]
> >>>>>>>> config_file_version = 2
> >>>>>>>> domains = default
> >>>>>>>> services = nss, pam
> >>>>>>>>
> >>>>>>>> [nss]
> >>>>>>>>
> >>>>>>>> [pam]
> >>>>>>>>
> >>>>>>>> [domain/default]
> >>>>>>>> description = AD domain with Samba 4 server
> >>>>>>>> cache_credentials = true
> >>>>>>>> enumerate = true
> >>>>>>>> id_provider = ldap
> >>>>>>>> auth_provider = krb5
> >>>>>>>> chpass_provider = krb5
> >>>>>>>> access_provider = ldap
> >>>>>>>> autofs_provider = ldap
> >>>>>>>> sudo_provider = ldap
> >>>>>>>>
> >>>>>>>> krb5_server = your.Samba4server.FQDN
> >>>>>>>> krb5_kpasswd = your.Samba4server.FQDN
> >>>>>>>> krb5_realm = UPPERCASE.REALM
> >>>>>>>>
> >>>>>>>> ldap_referrals = false
> >>>>>>>> ldap_schema = rfc2307bis
> >>>>>>>> ldap_access_order = expire
> >>>>>>>> ldap_account_expire_policy = ad
> >>>>>>>> ldap_force_upper_case_realm = true
> >>>>>>>>
> >>>>>>>> ldap_user_object_class = user
> >>>>>>>> ldap_user_name = sAMAccountName
> >>>>>>>> ldap_user_home_directory = unixHomeDirectory
> >>>>>>>> ldap_user_principal = userPrincipalName
> >>>>>>>>
> >>>>>>>> ldap_group_object_class = group
> >>>>>>>> ldap_group_name = sAMAccountName
> >>>>>>>>
> >>>>>>>> ldap_sasl_mech = GSSAPI
> >>>>>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
> >>>>>>>> ldap_krb5_init_creds = true
> >>>>>>>>
> >>>>>>>> Rowland
> >>>>>>> @Rowland
> >>>>>>> Is the OP on sssd <= 1.9.x ?
> >>>>>>> Steve
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> He posted earlier that he was using Ubuntu 12.04, so I suggested
> >>>>>> that he used the sssd ppa. I believe that he is now using this ppa
> >>>>>> and if so, he should be using 1.11.1
> >>>>>>
> >>>>>> Rowland
> >>>>>>
> >>>>> Yes that's what I did.
> >>>>>
> >>>>> But I think Steve would like to know the version on the laptop you're
> >>>>> currently using.
> >>>>>
> >>>> Thanks for confirming that, but you are the 'OP' he referred to, OP =
> >>>> original poster
> >>>>
> >>>> Rowland
> >>>
> >>> :-)
> >>>
> >>> Cyril
> >>
> >> OK. Glad we've got that one sorted.
> >>
> >> Just for completeness, here's a working 1.11.1 sssd.conf with all the ad
> >> and autofs bits:
> >> [sssd]
> >> #debug_level = 9
> >> services = nss, pam, autofs
> >> config_file_version = 2
> >> domains = default
> >>
> >> [nss]
> >>
> >> [pam]
> >>
> >> [autofs]
> >>
> >> [domain/default]
> >> #debug_level = 9
> >> dyndns_update=true
> >> #dyndns_refresh_interval = 8
> >> ad_hostname = catral.hh3.site
> >> ad_server = hh16.hh3.site
> >> ad_domain = hh3.site
> >>
> >> ldap_schema = ad
> >> id_provider = ad
> >> access_provider = ad
> >> enumerate = false
> >> cache_credentials = true
> >> #entry_cache_timeout = 60
> >> auth_provider = ad
> >> chpass_provider = ad
> >> krb5_realm = hh3.site
> >> krb5_server = hh16.hh3.site
> >> krb5_kpasswd = hh16.hh3.site
> >>
> >> ldap_id_mapping=false
> >> ldap_referrals = false
> >> ldap_uri = ldap://hh16.hh3.site
> >> ldap_search_base = dc=hh3,dc=site
> >> ldap_user_object_class = user
> >> ldap_user_name = samAccountName
> >> ldap_user_uid_number = uidNumber
> >> ldap_user_gid_number = gidNumber
> >> ldap_user_home_directory = unixHomeDirectory
> >> ldap_user_shell = loginShell
> >> ldap_group_object_class = group
> >> ldap_group_search_base = dc=hh3,dc=site
> >> ldap_group_name = cn
> >> ldap_group_member = member
> >>
> >> ldap_sasl_mech = gssapi
> >> ldap_sasl_authid = CATRAL$@HH3.SITE
> >> krb5_keytab = /etc/krb5.keytab
> >> ldap_krb5_init_creds = true
> >>
> >> autofs_provider=ldap
> >>
> >> #ldap_autofs_search_base = CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
> >> #ldap_autofs_map_object_class = nisMap
> >> #ldap_autofs_entry_object_class = nisObject
> >> #ldap_autofs_map_name = nisMapName
> >> #ldap_autofs_entry_key = cn
> >> #ldap_autofs_entry_value = nisMapEntry
> >>
> >> ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
> >> ldap_autofs_map_object_class = automountMap
> >> ldap_autofs_entry_object_class = automount
> >> ldap_autofs_map_name = automountMapName
> >> ldap_autofs_entry_key = automountKey
> >> ldap_autofs_entry_value = automountInformation
> >>
> >>
> >> Please note that we must canonicalise IPs. We must use a DNS resolvable
> >> name, NOT a series of numbers. I think.
> >>
> >> HTH
> >> Steve
> >>
> >>
> >
> > I made an error on:
> > ldap_sasl_authid, I forgot the $ sign
> > ad_hostname, I used the server name instead of the workstation's
> >
> > But it is still not working.
> > But I have more information from sssd's log as I use debug_level = 9.
> >
> > Maybe an interesting one:
> > (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] 
> > select_principal_from_keytab] (0x0200): trying to select the most 
> > appropriate principal from keytab
> > (Thu Dec 19 18:47:52 2013) [sssd[be[default]] 
> > [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> > (Thu Dec 19 18:47:56 2013) 
> > [sssd[be[default]]][select_principal_from_keytab] (0x0080): No 
> > suitable principal found in keytab
> > (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] 
> > [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
> > (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module] 
> > (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
> > (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init] 
> > (0x0010): fatal error initializing data providers
> >
> > There's an issue with kerberos.
> >
> > Does the keytab have to be local?
> > Or does the system use the server one?
> >
> > Cyril
> >
> >
> >
> >
> If you use samba, then, when you join the machine to the domain, a 
> keytab should be created '/etc/krb5.keytab', are you using this keytab?

No. The OP is using a samba-tool generated keytab
at /etc/krb5.sssd.keytab

For simplicity, could I suggest using the machine key that was generated
in /etc/krb5.conf when the client joined the domain? Where is this
anyway? On a DC or on a client box?

If you generated the keytab on the DC then of course it must be
transferred to the client using e.g. scp or a usb memory.

Steve


> If unsure, have a look here: 
> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
> 
> For 'Windows 2008 Server Setup' read 'Samba 4 Server Setup', ignore the 
> bit about creating a keytab on the windows server.
> 
> Rowland
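Before moving keytabs around, it helps to confirm what the log is actually complaining about: "No suitable principal found in keytab" means nothing in the keytab sssd opened matches the ldap_sasl_authid it was given, and Cyril's first config had dropped the '$' from the computer account's principal, which produces exactly that symptom. The shell check below is an added example, not from the thread or from sssd itself: it compares ldap_sasl_authid against klist -k output for the keytab sssd is configured to use, on constructed sample text (the function names are the example's own).

```shell
# Added check (not from the thread): does the principal sssd binds with
# (ldap_sasl_authid) actually exist in the keytab sssd is told to open?
# Inputs are files, so it runs on real `klist -k` output or, as below, on
# constructed sample text. Function names are this example's own.

conf_value() {  # conf_value KEY FILE -> value of KEY in sssd.conf, first match
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n1
}

keytab_path() {  # keytab sssd opens: ldap_krb5_keytab, else krb5_keytab, else default
    p=$(conf_value ldap_krb5_keytab "$1")
    [ -n "$p" ] || p=$(conf_value krb5_keytab "$1")
    [ -n "$p" ] || p=/etc/krb5.keytab
    printf '%s\n' "$p"
}

# 0 if PRINCIPAL is listed verbatim in `klist -k` / `klist -kt` output;
# the principal is always the last field of its line.
principal_in_keytab() {  # principal_in_keytab PRINCIPAL KLIST_FILE
    awk -v want="$1" '$NF ~ /@/ && $NF == want { f = 1 } END { exit !f }' "$2"
}

# Prints ok | missing-dollar | not-in-keytab. missing-dollar is the error in
# this thread: a computer account's principal is NAME$@REALM and the $ was
# left out of ldap_sasl_authid, so no keytab entry matches.
check_authid() {  # check_authid SSSD_CONF KLIST_FILE
    id=$(conf_value ldap_sasl_authid "$1")
    if principal_in_keytab "$id" "$2"; then
        echo ok
    elif printf '%s' "$id" | grep -q '^[^$@]*@' &&
         principal_in_keytab "${id%%@*}\$@${id#*@}" "$2"; then
        echo missing-dollar
    else
        echo not-in-keytab
    fi
}

# Constructed sample: keytab holds the machine account, config lacks the $.
tmp=$(mktemp -d)
cat >"$tmp/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   1 CATRAL$@HH3.SITE
   1 host/catral.hh3.site@HH3.SITE
EOF
printf 'ldap_sasl_authid = CATRAL@HH3.SITE\nkrb5_keytab = /etc/krb5.keytab\n' >"$tmp/sssd.conf"
echo "keytab=$(keytab_path "$tmp/sssd.conf") result=$(check_authid "$tmp/sssd.conf" "$tmp/klist.txt")"
```

On a live client, produce the klist file as root with klist -k "$(keytab_path /etc/sssd/sssd.conf)"; if klist itself cannot open that file, that is the same condition the krb5_kt_start_seq_get line in Cyril's log reports, and the thing to fix is the keytab's location or permissions rather than the principal name.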
