samba4 + kerberos + pam
David Feurle
david.feurle at sodgeit.de
Tue May 14 09:06:06 MDT 2013
Hi Denis,
I know that samba3 is great as a client. The only problem is that I
want to allow the login on the same machine - the AD Server.
As far as I know I cannot run samba4 and samba3 on the same machine.
Thanks!
David
On 14.05.2013 16:43, Denis Cardon wrote:
> Hi David,
>
>> thanks for your response. As far as I understand the difference
>> between your setup and mine is that you use samba3 as a client whilst
>> I use samba4 as well on the client.
>> The reason is that I want users to be able to log in on the AD server
>> (which is running samba4) and have their kerberos ticket set up.
>
> you don't need samba4 on the client for AD authentication. Samba 3
> will do it properly and it is much better documented. I think you
> should try it.
>
> I published a small step by step documentation for a debian wheezy
> system at
> http://dev.tranquil.it/index.php/SAMBA_-_Int%C3%A9gration_Samba_membre_de_domaine
>
>
> It is in French, but it should be fairly easy to understand. I just
> tried it step by step on a fresh wheezy install and I got my ticket
> after login:
>
> dcardon@wheezy:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_20005
> Default principal: dcardon@TRANQUILIT.LOCAL
>
> Valid starting     Expires            Service principal
> 14/05/2013 16:40  15/05/2013 02:40  krbtgt/TRANQUILIT.LOCAL@TRANQUILIT.LOCAL
>     renew until 21/05/2013 16:40
> 14/05/2013 16:40  15/05/2013 02:40  WHEEZY$@TRANQUILIT.LOCAL
>     renew until 21/05/2013 16:40
>
> I have the "pam_winbind.so use_first_pass krb5_auth
> krb5_ccache_type=FILE" line both in auth and session. I don't know if
> it is necessary, but it works.
>
> Cheers,
>
> Denis
>
>
>>
>> When I set the same parameters as you do in /etc/pam.d/common-session
>> no kerberos ticket is created when logging in with the domain user.
>> I am using Ubuntu 12.04 which should be similar to your debian setup.
>>
>> Thanks,
>>
>> David
>>
>>
>> On Tuesday, 14 May 2013 14:20 CEST, Denis Cardon
>> <denis.cardon at tranquil-it-systems.fr> wrote:
>>
>>> Hi David,
>>>
>>>> I have a problem with samba4 and PAM Kerberos Authentication.
>>>>
>>>> I can login to my machine using the domain user/password (using
>>>> pam) and manually create the Kerberos ticket (kinit).
>>>> Now I want to automatically create a kerberos ticket on login.
>>>>
>>>> As stated in the wiki
>>>> (https://wiki.samba.org/index.php/PAM_Kerberos_Authentication) I
>>>> need to create the config file in /etc/security/pam_winbind.conf
>>>> with the corresponding settings.
>>>>
>>>> krb5_auth = yes
>>>> krb5_ccache_type = FILE
>>>>
>>>> I'm nearly sure that this file is used since I can set the debug
>>>> option in there and it is used. When I login with a domain user
>>>> /var/log/auth.log states success of kerberos and I have a shell,
>>>> but no ticket is created.
>>>>
>>>> I'm using a self compiled version of samba (4.0.5).
>>>>
>>>> Is this a bug in samba4 or am I missing something?
>>>
>>> here we are using samba 4.0.5 AD server and pam_winbind auth for linux
>>> clients and it does create the credential cache file properly. My Linux
>>> clients are debian squeeze or wheezy based, and I have no experience
>>> with redhat flavored linux though.
>>>
>>> By the way I don't see why the kerberos cache on client would have
>>> something to do with the kerberos server.
>>>
>>> I don't know if there is an equivalent of
>>> /etc/security/pam_winbind.conf
>>> on debian, but I have the same parameters directly in the pam.d files:
>>>
>>> $ cat /etc/pam.d/common-session
>>> session [default=1] pam_permit.so
>>> session requisite pam_deny.so
>>> session required pam_permit.so
>>> session required pam_unix.so
>>> session optional pam_ck_connector.so nox11
>>> session required pam_mkhomedir.so silent skel=/etc/skel.empty
>>> session optional pam_winbind.so krb5_auth krb5_ccache_type=FILE
>>>
>>> I am sure my credential cache is correctly populated at logon since I
>>> use it for authentication on apache and file servers.
>>>
>>> Cheers,
>>>
>>> Denis
>>>
>>>>
>>>> Thanks!
>>>>
>>>> David
>>>>
>>>
>>>
>>> --
>>> Denis Cardon
>>> Tranquil IT Systems
>>> Les Espaces Jules Verne, bâtiment A
>>> 12 avenue Jules Verne
>>> 44230 Saint Sébastien sur Loire
>>> tel : +33 (0) 2.40.97.57.55
>>> http://www.tranquil-it-systems.fr
>>>
>>
>>
>>
>>
>>
>
>
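A check that can be run after a domain login to confirm the ticket Denis describes was actually created, as an added example that is not part of the thread: it parses klist output (a constructed sample modelled on Denis's is embedded), requires a FILE: cache and a TGT for the expected realm, and the live variant also checks the cache file's owner and mode. The function names, the realm argument and the reliance on KRB5CCNAME are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: confirm that a login actually left
# a usable Kerberos credential cache behind, as Denis does with klist.
# Assumes MIT klist output in the layout quoted in the thread.

# Constructed sample, modelled on the klist output Denis posted.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_20005
Default principal: dcardon@TRANQUILIT.LOCAL

Valid starting     Expires            Service principal
14/05/2013 16:40  15/05/2013 02:40  krbtgt/TRANQUILIT.LOCAL@TRANQUILIT.LOCAL
    renew until 21/05/2013 16:40
14/05/2013 16:40  15/05/2013 02:40  WHEEZY$@TRANQUILIT.LOCAL
    renew until 21/05/2013 16:40'

# check_ccache REALM   (reads klist output on stdin)
# Succeeds only if the cache is a FILE: cache (what krb5_ccache_type=FILE
# should give), the default principal is in REALM and a TGT for REALM exists.
check_ccache() {
    realm="$1"
    out="$(cat)"
    cache=$(printf '%s\n' "$out" | sed -n 's/^Ticket cache: //p')
    case "$cache" in
        FILE:*) ;;
        *) echo "not a FILE cache: ${cache:-none}"; return 1 ;;
    esac
    princ=$(printf '%s\n' "$out" | sed -n 's/^Default principal: //p')
    case "$princ" in
        *@"$realm") ;;
        *) echo "principal '${princ:-none}' is not in realm $realm"; return 1 ;;
    esac
    if ! printf '%s\n' "$out" | grep -Fq "krbtgt/$realm@$realm"; then
        echo "no TGT (krbtgt/$realm@$realm) in $cache"; return 1
    fi
    echo "ok: $princ holds a TGT in $cache"
}

# Live check in a freshly logged-in shell: run klist, then make sure the cache
# file named by KRB5CCNAME belongs to the caller and is not readable by anyone
# else (uses GNU stat, as on Debian/Ubuntu).
live_check() {
    klist 2>/dev/null | check_ccache "$1" || return 1
    f=${KRB5CCNAME#FILE:}
    [ -O "$f" ] || { echo "cache '$f' is not owned by $(id -un)"; return 1; }
    [ "$(stat -c %a "$f")" = 600 ] || { echo "cache $f is not mode 0600"; return 1; }
}
```

Run `live_check TRANQUILIT.LOCAL` (with your own realm) in the shell you get right after a domain login; a failure message points at which of the three expectations was not met.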