samba4 + kerberos + pam
Denis Cardon
denis.cardon at tranquil-it-systems.fr
Tue May 14 08:43:59 MDT 2013
Hi David,
> thanks for your response. As far as I understand the difference between your setup and mine is that you use samba3 as a client whilst I use samba4 as well on the client.
> The reason is that I want users to be able to log in to the AD server (which is running samba4) and have their kerberos ticket set up.
you don't need samba4 on the client for AD authentication. Samba 3 will
do it properly and it is much better documented. I think you should try it.
I published a small step-by-step documentation for a Debian wheezy
system at
http://dev.tranquil.it/index.php/SAMBA_-_Int%C3%A9gration_Samba_membre_de_domaine
It is in French, but it should be fairly easy to understand. I just
tried it step by step on a fresh wheezy install and I got my ticket
after login:
dcardon@wheezy:~$ klist
Ticket cache: FILE:/tmp/krb5cc_20005
Default principal: dcardon@TRANQUILIT.LOCAL
Valid starting       Expires              Service principal
14/05/2013 16:40     15/05/2013 02:40     krbtgt/TRANQUILIT.LOCAL@TRANQUILIT.LOCAL
        renew until 21/05/2013 16:40
14/05/2013 16:40     15/05/2013 02:40     WHEEZY$@TRANQUILIT.LOCAL
        renew until 21/05/2013 16:40
I have the "pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE"
line both in auth and session. I don't know if it is necessary, but it works.
Cheers,
Denis
>
> When I set the same parameters as you do in /etc/pam.d/common-session no kerberos ticket is created when logging in with the domain user.
> I am using Ubuntu 12.04 which should be similar to your debian setup.
>
> Thanks,
>
> David
>
>
> On Tuesday, 14 May 2013 14:20 CEST, Denis Cardon <denis.cardon at tranquil-it-systems.fr> wrote:
>
>> Hi David,
>>
>>> I have a problem with samba4 and PAM Kerberos Authentication.
>>>
>>> I can login to my machine using the domain user/password (using pam) and manually create the Kerberos ticket (kinit).
>>> Now I want to automatically create a kerberos ticket on login.
>>>
>>> As stated in the wiki (https://wiki.samba.org/index.php/PAM_Kerberos_Authentication) I need to create the config file in /etc/security/pam_winbind.conf with the corresponding settings.
>>>
>>> krb5_auth = yes
>>> krb5_ccache_type = FILE
>>>
>>> I'm nearly sure that this file is used since I can set the debug option in there and it is used. When I login with a domain user /var/log/auth.log states success of kerberos and I have a shell, but no ticket is created.
>>>
>>> I'm using a self compiled version of samba (4.0.5).
>>>
>>> Is this a bug in samba4 or am I missing something?
>>
>> Here we are using a samba 4.0.5 AD server and pam_winbind auth for linux
>> clients and it does create the credential cache file properly. My Linux
>> clients are debian squeeze or wheezy based, and I have no experience
>> with redhat flavored linux though.
>>
>> By the way I don't see why the kerberos cache on client would have
>> something to do with the kerberos server.
>>
>> I don't know if there is an equivalent of /etc/security/pam_winbind.conf
>> on debian, but I have the same parameters directly in the pam.d files:
>>
>> $ cat /etc/pam.d/common-session
>> session [default=1] pam_permit.so
>> session requisite pam_deny.so
>> session required pam_permit.so
>> session required pam_unix.so
>> session optional pam_ck_connector.so nox11
>> session required pam_mkhomedir.so silent skel=/etc/skel.empty
>> session optional pam_winbind.so krb5_auth krb5_ccache_type=FILE
>>
>> I am sure my credential cache is correctly populated at logon since I
>> use it for authentication on apache and file servers.
>>
>> Cheers,
>>
>> Denis
>>
>>>
>>> Thanks!
>>>
>>> David
>>>
>>
>>
>> --
>> Denis Cardon
>> Tranquil IT Systems
>> Les Espaces Jules Verne, bâtiment A
>> 12 avenue Jules Verne
>> 44230 Saint Sébastien sur Loire
>> tel : +33 (0) 2.40.97.57.55
>> http://www.tranquil-it-systems.fr
>>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
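Added example, not part of the thread or of Samba's own tooling: a small audit script for the two things discussed above, namely whether the pam_winbind line carries krb5_auth and krb5_ccache_type=FILE in the auth and session stacks, and whether the resulting credential cache actually holds a TGT. The PAM and klist inputs are constructed samples modelled on the thread (the sample PAM file merges auth and session lines that Debian keeps in common-auth and common-session); the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PAM stack for the pam_winbind
# Kerberos options and check a `klist` dump for a usable TGT. Every function
# reads its input on stdin, so it works on /etc/pam.d/common-auth,
# /etc/pam.d/common-session and on live `klist` output alike.

# pam_has_winbind_krb5 GROUP   (GROUP is auth or session; PAM file on stdin)
# Exit 0 if an uncommented line of that management group loads pam_winbind.so
# with both krb5_auth and krb5_ccache_type=FILE, exit 1 otherwise.
pam_has_winbind_krb5() {
    awk -v grp="$1" '
        /^[ \t]*#/ { next }                       # comment line
        $1 != grp  { next }                       # other management group
        {
            mod = 0; kauth = 0; cc = 0
            for (i = 2; i <= NF; i++) {           # PAM splits args on blanks
                if ($i ~ /pam_winbind\.so$/)        mod = 1
                if ($i == "krb5_auth")              kauth = 1
                if ($i == "krb5_ccache_type=FILE")  cc = 1
            }
            if (mod && kauth && cc) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# klist_ccache_type   (klist output on stdin) -> prints FILE, KEYRING, KCM, ...
klist_ccache_type() {
    awk '$1 == "Ticket" && $2 == "cache:" { split($3, p, ":"); print p[1]; found = 1; exit }
         END { exit found ? 0 : 1 }'
}

# klist_tgt_realm   (klist output on stdin) -> prints the realm of the krbtgt
# entry; exit 1 if the cache holds no TGT (empty, or service tickets only).
klist_tgt_realm() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^krbtgt\/[^@]+@/) {
                   sub(/^krbtgt\/[^@]+@/, "", $i); print $i; found = 1; exit
               } }
         END { exit found ? 0 : 1 }'
}

# Constructed samples, modelled on the thread (not copied from a real host).
SAMPLE_PAM='# auth and session lines merged into one sample for brevity
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
session required                    pam_mkhomedir.so silent skel=/etc/skel.empty
session optional                    pam_winbind.so krb5_auth krb5_ccache_type=FILE'

# Same, but krb5 options missing on the auth line and commented out on session
SAMPLE_PAM_BROKEN='auth    sufficient  pam_winbind.so use_first_pass
# session optional pam_winbind.so krb5_auth krb5_ccache_type=FILE'

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_20005
Default principal: dcardon@TRANQUILIT.LOCAL

Valid starting       Expires              Service principal
14/05/2013 16:40     15/05/2013 02:40     krbtgt/TRANQUILIT.LOCAL@TRANQUILIT.LOCAL
        renew until 21/05/2013 16:40'

# audit_report -- run the checks on the samples, one report line per check
audit_report() {
    for grp in auth session; do
        if printf '%s\n' "$SAMPLE_PAM" | pam_has_winbind_krb5 "$grp"; then
            echo "pam $grp: pam_winbind krb5_auth + FILE cache present"
        else
            echo "pam $grp: MISSING pam_winbind krb5 options"
        fi
    done
    if realm=$(printf '%s\n' "$SAMPLE_KLIST" | klist_tgt_realm); then
        cctype=$(printf '%s\n' "$SAMPLE_KLIST" | klist_ccache_type)
        echo "klist: TGT for realm $realm in $cctype cache"
    else
        echo "klist: no TGT in cache"
    fi
}

audit_report
```

On a real client, run the same functions on the live files and cache: `pam_has_winbind_krb5 auth < /etc/pam.d/common-auth`, `pam_has_winbind_krb5 session < /etc/pam.d/common-session`, and `klist | klist_tgt_realm` after a fresh login. A missing TGT with both PAM checks passing points at the PAM stack ordering (pam_winbind must actually get the password, hence use_first_pass after pam_unix) rather than at the option spelling.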
More information about the samba-technical mailing list