samba4 + kerberos + pam

Denis Cardon denis.cardon at tranquil-it-systems.fr
Tue May 14 08:43:59 MDT 2013


Hi David,

> thanks for your response. As far as I understand, the difference between your setup and mine is that you use samba3 as a client whilst I use samba4 as well on the client.
> The reason is that I want users to be able to log in to the AD server (which is running samba4) and have their kerberos ticket set up.

you don't need samba4 on the client for AD authentication. Samba 3 will 
do it properly and it is much better documented. I think you should try it.

I published a small step by step documentation for a debian wheezy 
system at
http://dev.tranquil.it/index.php/SAMBA_-_Int%C3%A9gration_Samba_membre_de_domaine

It is in French, but it should be fairly easy to understand. I just 
tried it step by step on a fresh wheezy install and I got my ticket 
after login:

dcardon@wheezy:~$ klist
Ticket cache: FILE:/tmp/krb5cc_20005
Default principal: dcardon@TRANQUILIT.LOCAL

Valid starting    Expires           Service principal
14/05/2013 16:40  15/05/2013 02:40  krbtgt/TRANQUILIT.LOCAL@TRANQUILIT.LOCAL
	renew until 21/05/2013 16:40
14/05/2013 16:40  15/05/2013 02:40  WHEEZY$@TRANQUILIT.LOCAL
	renew until 21/05/2013 16:40

I have the "pam_winbind.so use_first_pass krb5_auth 
krb5_ccache_type=FILE" line both in auth and session. I don't know if it 
is necessary, but it works.

Cheers,

Denis


>
> When I set the same parameters as you do in /etc/pam.d/common-session no kerberos ticket is created when logging in with the domain user.
> I am using Ubuntu 12.04 which should be similar to your debian setup.
>
> Thanks,
>
> David
>
>
> On Tuesday, 14 May 2013 14:20 CEST, Denis Cardon <denis.cardon at tranquil-it-systems.fr> wrote:
>
>> Hi David,
>>
>>> I have a problem with samba4 and PAM Kerberos Authentication.
>>>
>>> I can login to my machine using the domain user/password (using pam) and manually create the Kerberos ticket (kinit).
>>> Now I want to automatically create a kerberos ticket on login.
>>>
>>> As stated in the wiki (https://wiki.samba.org/index.php/PAM_Kerberos_Authentication) I need to create the config file in /etc/security/pam_winbind.conf with the corresponding settings.
>>>
>>> krb5_auth = yes
>>> krb5_ccache_type = FILE
>>>
>>> I'm nearly sure that this file is used since I can set the debug option in there and it is used. When I login with a domain user /var/log/auth.log states success of kerberos and I have a shell, but no ticket is created.
>>>
>>> I'm using a self compiled version of samba (4.0.5).
>>>
>>> Is this a bug in samba4 or am I missing something?
>>
>> here we are using samba 4.0.5 AD server and pam_winbind auth for linux
>> clients and it does create the credential cache file properly. My Linux
>> clients are debian squeeze or wheezy based, and I have no experience
>> with redhat flavored linux though.
>>
>> By the way I don't see why the kerberos cache on client would have
>> something to do with the kerberos server.
>>
>> I don't know if there is an equivalent of /etc/security/pam_winbind.conf
>> on debian, but I have the same parameters directly in the pam.d files :
>>
>> $ cat /etc/pam.d/common-session
>> session	 [default=1]			pam_permit.so
>> session	 requisite			pam_deny.so
>> session	 required			pam_permit.so
>> session	 required			pam_unix.so
>> session	 optional			pam_ck_connector.so nox11
>> session	 required			pam_mkhomedir.so silent skel=/etc/skel.empty
>> session	 optional			pam_winbind.so krb5_auth krb5_ccache_type=FILE
>>
>> I am sure my credential cache is correctly populated at logon since I
>> use it for authentication on apache and file servers.
>>
>> Cheers,
>>
>> Denis
>>
>>>
>>> Thanks!
>>>
>>> David
>>>
>>
>>
>> --
>> Denis Cardon
>> Tranquil IT Systems
>> Les Espaces Jules Verne, bâtiment A
>> 12 avenue Jules Verne
>> 44230 Saint Sébastien sur Loire
>> tel : +33 (0) 2.40.97.57.55
>> http://www.tranquil-it-systems.fr
>>


-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
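The thread boils down to one question: does the PAM stack actually hand pam_winbind the krb5_auth and krb5_ccache_type=FILE options on login, whether from the pam.d lines (Denis's layout) or from /etc/security/pam_winbind.conf (David's layout)? The following is an added example, not code from the thread or from the Samba project: a POSIX shell audit that checks both sources for the auth and session stacks and then checks a klist dump for a krbtgt entry in a FILE cache. All sample PAM files are constructed here under a temp dir (the pam_winbind.conf location next to the pam.d files is an assumption of the demo); the klist lines are the ones quoted in the message above with the archive's " at " restored to "@".

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: audit a Debian-style PAM
# setup for the pam_winbind Kerberos-ticket options. Options may sit on the
# pam.d stack lines or in a pam_winbind.conf; both are checked, and a klist
# dump is checked for a TGT in a FILE cache. Sample files are constructed.

# Return 0 when the "$1" stack (auth|session) in pam.d file "$2" has an
# uncommented line loading pam_winbind.so with both krb5_auth and
# krb5_ccache_type=FILE as separate tokens.
check_pam_stack() {
    [ -r "$2" ] || return 1
    awk -v t="$1" '
        $1 == t && /pam_winbind\.so/ {
            a = 0; c = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "krb5_auth") a = 1
                if ($i == "krb5_ccache_type=FILE") c = 1
            }
            if (a && c) found = 1
        }
        END { exit (found ? 0 : 1) }' "$2"
}

# Return 0 when pam_winbind.conf-style file "$1" sets krb5_auth = yes and
# krb5_ccache_type = FILE in its [global] section ('#' and ';' start comments).
check_winbind_conf() {
    [ -r "$1" ] || return 1
    awk '
        /^[[:space:]]*\[/ { s = $0; gsub(/[^A-Za-z0-9_]/, "", s); next }
        /^[[:space:]]*[#;]/ || NF == 0 { next }
        s == "global" {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == "krb5_auth" && v == "yes") a = 1
            if (k == "krb5_ccache_type" && v == "FILE") c = 1
        }
        END { exit ((a && c) ? 0 : 1) }' "$1"
}

# Return 0 when stack "$1" gets the ticket options from pam.d file "$2" or
# from conf file "$3"; the conf only counts if "$2" still loads pam_winbind.so.
stack_requests_ticket() {
    check_pam_stack "$1" "$2" && return 0
    check_winbind_conf "$3" || return 1
    [ -r "$2" ] || return 1
    awk -v t="$1" '$1 == t && /pam_winbind\.so/ { f = 1 } END { exit (f ? 0 : 1) }' "$2"
}

# Return 0 when klist output on stdin shows a FILE cache holding the TGT for realm "$1".
klist_has_file_tgt() {
    awk -v r="$1" '
        /^Ticket cache: FILE:/ { f = 1 }
        index($0, "krbtgt/" r "@" r) > 0 { t = 1 }
        END { exit ((f && t) ? 0 : 1) }'
}

# Build three constructed sample trees under a temp dir and print its path:
# good/ (options on both stack lines), conf/ (bare module lines plus a
# pam_winbind.conf) and bad/ (session line missing krb5_ccache_type=FILE).
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/good" "$d/conf" "$d/bad"
    cat > "$d/good/common-auth" <<'EOF'
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
    cat > "$d/good/common-session" <<'EOF'
session required  pam_unix.so
session required  pam_mkhomedir.so silent skel=/etc/skel
session optional  pam_winbind.so krb5_auth krb5_ccache_type=FILE
EOF
    printf 'auth optional pam_winbind.so use_first_pass\n' > "$d/conf/common-auth"
    printf 'session optional pam_winbind.so\n' > "$d/conf/common-session"
    printf '[global]\n; ticket options\nkrb5_auth = yes\nkrb5_ccache_type = FILE\n' \
        > "$d/conf/pam_winbind.conf"
    cp "$d/good/common-auth" "$d/bad/common-auth"
    printf 'session optional pam_winbind.so krb5_auth\n' > "$d/bad/common-session"
    echo "$d"
}

# Audit one tree: print a finding per stack, return 0 only if both stacks pass.
audit_tree() {
    rc=0
    for st in auth session; do
        if stack_requests_ticket "$st" "$1/common-$st" "$1/pam_winbind.conf"; then
            echo "ok:   $st stack asks pam_winbind for a FILE credential cache"
        else
            echo "FAIL: $st stack will not create a ticket ($1/common-$st)"; rc=1
        fi
    done
    return $rc
}

# klist lines quoted in the thread, with the archive's " at " restored to "@".
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_20005
Default principal: dcardon@TRANQUILIT.LOCAL
14/05/2013 16:40  15/05/2013 02:40  krbtgt/TRANQUILIT.LOCAL@TRANQUILIT.LOCAL'

SAMPLES=$(make_samples)
for tree in good conf bad; do echo "== $tree"; audit_tree "$SAMPLES/$tree" || true; done
rm -rf "$SAMPLES"
printf '%s\n' "$KLIST_SAMPLE" | klist_has_file_tgt TRANQUILIT.LOCAL \
    && echo "ok:   klist shows the TGT in a FILE cache" || echo "FAIL: no TGT in a FILE cache"
```

On a real client, point audit_tree at /etc/pam.d with /etc/security/pam_winbind.conf as the third argument, and pipe the output of `klist` for the logged-in user into klist_has_file_tgt with the realm. The check is deliberately strict about the session stack: pam_winbind only writes the credential cache when it is invoked in the session phase with the ticket options in effect, so an auth-only line (or a pam_winbind.conf without any session-phase pam_winbind.so line) is reported as a failure.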

