[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Rowland Penny rowlandpenny at googlemail.com
Thu Dec 19 08:30:52 MST 2013


On 19/12/13 15:13, Cyril wrote:
> On 19/12/2013 14:38, Rowland Penny wrote:
>> On 19/12/13 13:27, Cyril wrote:
>>> On 18/12/2013 15:40, Cyril wrote:
>>>> Hello,
>>>>
>>>> I think I'm starting to understand how a Linux client can be integrated
>>>> into a samba domain.
>>>>
>>>> Tell me if I'm wrong:
>>>>
>>>> Linux clients don't need Samba for authentication, only the ldap part of
>>>> samba.
>>>> sssd, through kerberos, gets information from ldap. If the user is known
>>>> or gets the right, he can log in.
>>>>
>>>> So why should I need to install winbind and samba4 on the linux client?
>>>> Is it only if I have a Windows AD?
>>>>
>>>>
>>>> Thanks
>>>> Cyril
>>>>
>>>
>>> I can't get sssd working and I don't know why.
>>>
>>> On the network, I have a samba4 install on a CentOS6.4.
>>> This server is also the DHCP server.
>>> There's no other server on the domain.
>>>
>>> A Win7 workstation has already joined the domain.
>>>
>>> I'm following this wiki:
>>>
>>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
>>>
>>> to add a Linux workstation (Ubuntu 12.04 LTS) to the domain. The goal
>>> is to get users to authenticate with the same users/password as the
>>> Windows ones.
>>>
>>> On the workstation:
>>> I have installed the sssd and krb5-user packages from the ubuntu repository.
>>> The module libsasl2-modules-gssapi-MIT is already installed.
>>>
>>> I have created a directory security in /lib64 and linked the file:
>>> # ln -s /usr/local/lib/security/pam_sss.so /lib64/security/
>>> Then when I do :
>>> ldconfig -v | grep sss
>>>         libnss_sss.so.2 -> libnss_sss.so.2
>>>
>>> On the server:
>>> I have extracted the keytab.
>>>
>>> On the workstation:
>>> I have configured sssd.conf with LDAP as id_provider (sssd version < 1.10.0).
>>> I checked /etc/nsswitch.conf. sss is already added.
>>>
>>> If I run:
>>> getent passwd
>>>
>>> I only get local profiles.
>>>
>>> Any idea of what I missed?
>>> Is there another test I can do to find out what's wrong?
>>>
>>> Thanks,
>>> Cyril
>>>
>> You missed that there is a ppa with a later version of sssd ;-)
>>
>> nano /etc/apt/sources.list
>> Add:
>>
>> # sssd
>> deb http://ppa.launchpad.net/sssd/updates/ubuntu precise main
>> deb-src http://ppa.launchpad.net/sssd/updates/ubuntu precise main
>>
>> Then run the following commands:
>>
>> gpg --keyserver subkeys.pgp.net --recv B9BF7660CA45F42B
>>
>> gpg --export --armor CA45F42B | sudo apt-key add -
>>
>> apt-get update
>>
>> apt-get -y install sssd sssd-tools
>>
>> I take it that you have checked and altered /etc/sssd/sssd.conf to suit
>> your environment?
>>
>> Rowland
>>
> :-)
>
> I have removed sssd and sssd-tools, re-installed from the ppa and
> updated the sssd.conf file as the sssd version is > 1.10
>
> Now, I can run sss_cache!
>
> But getent passwd still gives me local users.
>
> And in the log file, I have these errors:
> sssd_default.log:
> (Thu Dec 19 15:44:42 2013) [sssd[be[default]]] [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
> (Thu Dec 19 15:44:42 2013) [sssd[be[default]]] [be_process_init] (0x0010): fatal error initializing data providers
> (Thu Dec 19 15:44:42 2013) [sssd[be[default]]] [main] (0x0010): Could not initialize backend [2]
>
> sssd.log:
> (Thu Dec 19 15:44:42 2013) [sssd] [mt_svc_exit_handler] (0x0010): Process [default], definitely stopped!
>
>
> How can I test Kerberos from the workstation?
>
> Cyril
>
>
>
Who owns /etc/sssd/sssd.conf? It should be root:root and 0600. If this
is how it is set, please post a sanitized version of sssd.conf.

Rowland
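
The ownership and mode check asked about in the message above, as an added example that is not part of the original post. The helper name check_sssd_conf is hypothetical, and the script assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example (not from the thread): verify the ownership and mode that the
# reply above says /etc/sssd/sssd.conf should have (root:root, 0600).
# check_sssd_conf is a hypothetical helper name; it assumes GNU stat (Linux).
# Usage: check_sssd_conf [path] [uid] [gid]   (defaults: sssd.conf, 0, 0)
check_sssd_conf() {
    conf=${1:-/etc/sssd/sssd.conf}
    want_uid=${2:-0}    # numeric uid of root
    want_gid=${3:-0}    # numeric gid of root
    want_mode=600

    # A symlink or a non-regular file cannot be judged by its own mode bits.
    if [ -L "$conf" ] || [ ! -f "$conf" ]; then
        echo "FAIL: $conf is missing, a symlink, or not a regular file"
        return 2
    fi

    # Numeric ids avoid depending on passwd/group name lookups.
    uid=$(stat -c %u "$conf")
    gid=$(stat -c %g "$conf")
    mode=$(stat -c %a "$conf")
    rc=0

    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "FAIL: $conf owned by $uid:$gid, expected $want_uid:$want_gid"
        echo "      fix: chown $want_uid:$want_gid $conf"
        rc=1
    fi
    if [ "$mode" != "$want_mode" ]; then
        echo "FAIL: $conf has mode $mode, expected $want_mode"
        echo "      fix: chmod 0600 $conf"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $conf is $uid:$gid mode $mode"
    fi
    return "$rc"
}
```

Called with no arguments as root, it checks /etc/sssd/sssd.conf against uid 0, gid 0 and mode 600; the uid and gid arguments exist so the function can be tried on a scratch file.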
