[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril cyril.lalinne at 3d-com.fr
Thu Dec 19 08:49:08 MST 2013


On 19/12/2013 16:30, Rowland Penny wrote:
> On 19/12/13 15:13, Cyril wrote:
>> On 19/12/2013 14:38, Rowland Penny wrote:
>>> On 19/12/13 13:27, Cyril wrote:
>>>> On 18/12/2013 15:40, Cyril wrote:
>>>>> Hello,
>>>>>
>>>>> I think I'm starting to understand how a Linux client can be integrated
>>>>> into a samba domain.
>>>>>
>>>>> Tell me if I'm wrong:
>>>>>
>>>>> Linux clients don't need Samba for authentication, only the ldap part
>>>>> of samba.
>>>>> sssd through kerberos gets information from ldap. If the user is known
>>>>> or gets the right, he can log in.
>>>>>
>>>>> So why should I need to install winbind and samba4 on the linux client?
>>>>> Is it only if I have a Windows AD?
>>>>>
>>>>>
>>>>> Thanks
>>>>> Cyril
>>>>>
>>>>
>>>> I can't get sssd working and I don't know why.
>>>>
>>>> On the network, I have a samba4 install on a CentOS6.4.
>>>> This server is also the DHCP server
>>>> There's no other server on the domain.
>>>>
>>>> A Win7 workstation has already joined the domain.
>>>>
>>>> I'm following this wiki:
>>>>
>>>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
>>>>
>>>>
>>>>
>>>> to add a Linux workstation (Ubuntu 12.04 LTS) to the domain. The goal
>>>> is to get users to authenticate with the same users/passwords as the
>>>> Windows ones.
>>>>
>>>> On the workstation:
>>>> I have installed the sssd and krb5-user packages from the Ubuntu repository.
>>>> The module libsasl2-modules-gssapi-MIT is already installed.
>>>>
>>>> I have created a directory security in /lib64 and linked the file:
>>>> # ln -s /usr/local/lib/security/pam_sss.so /lib64/security/
>>>> Then when I do :
>>>> ldconfig -v | grep sss
>>>>         libnss_sss.so.2 -> libnss_sss.so.2
>>>>
>>>> On the server:
>>>> I have extracted the keytab.
>>>>
>>>> On the workstation:
>>>> I have configured sssd.conf with LDAP as id_provider (sssd version <
>>>> 1.10.0).
>>>> I checked /etc/nsswitch.conf. sss is already added.
>>>>
>>>> If I run:
>>>> getent passwd
>>>>
>>>> I only get local profiles.
>>>>
>>>> Any idea what I missed?
>>>> Are there other tests I can do to find out what's wrong?
>>>>
>>>> Thanks,
>>>> Cyril
>>>>
>>> You missed that there is a ppa with a later version of sssd ;-)
>>>
>>> nano /etc/apt/sources.list
>>> Add:
>>>
>>> # sssd
>>> deb http://ppa.launchpad.net/sssd/updates/ubuntu precise main
>>> deb-src http://ppa.launchpad.net/sssd/updates/ubuntu precise main
>>>
>>> Then run the following commands:
>>>
>>> gpg --keyserver subkeys.pgp.net --recv B9BF7660CA45F42B
>>>
>>> gpg --export --armor CA45F42B | sudo apt-key add -
>>>
>>> apt-get update
>>>
>>> apt-get -y install sssd sssd-tools
>>>
>>> I take it that you have checked and altered /etc/sssd/sssd.conf to suit
>>> your environment?
>>>
>>> Rowland
>>>
>> :-)
>>
>> I have removed sssd and sssd-tools, re-installed them from the ppa and
>> updated the sssd.conf file as the sssd version is > 1.10
>>
>> Now, I can run sss_cache!
>>
>> But getent passwd still gives me local users.
>>
>> And in the log file, I have these errors:
>> sssd_default.log:
>> (Thu Dec 19 15:44:42 2013) [sssd[be[default]]] [load_backend_module]
>> (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>> (Thu Dec 19 15:44:42 2013) [sssd[be[default]]] [be_process_init]
>> (0x0010): fatal error initializing data providers
>> (Thu Dec 19 15:44:42 2013) [sssd[be[default]]] [main] (0x0010): Could
>> not initialize backend [2]
>>
>> sssd.log
>> (Thu Dec 19 15:44:42 2013) [sssd] [mt_svc_exit_handler] (0x0010):
>> Process [default], definitely stopped!
>>
>>
>> How can I test Kerberos from the workstation?
>>
>> Cyril
>>
>>
>>
> Who owns /etc/sssd/sssd.conf? It should be root:root and 0600. If this
> is how it is set, please post a sanitized version of sssd.conf
>
> Rowland
>
Root owns the file and I did chmod 600 on it (I had the error in
the log ;-) )
I'll answer Steve with a copy of my configuration.
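
The local checks raised in this thread (owner and mode of /etc/sssd/sssd.conf, the sss entry in /etc/nsswitch.conf, and which id_provider is configured) gathered into one script. This is an added example, not part of the original messages; the function names are hypothetical and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): local preflight checks for an SSSD client.

# Succeed only if FILE is a regular file owned by OWNER (default root:root)
# with mode exactly 600, the state asked about in the thread.
check_conf_perms() {
    file=$1; want=${2:-root:root}
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    got=$(stat -c '%U:%G %a' "$file")   # GNU stat prints e.g. "root:root 600"
    [ "$got" = "$want 600" ] && return 0
    echo "$file is '$got', want '$want 600'"
    return 1
}

# Succeed if database DB (default passwd) in an nsswitch.conf lists "sss".
# Comments are stripped first so a commented-out entry does not count.
nss_has_sss() {
    sed 's/#.*//; s/:/: /' "$1" | awk -v db="${2:-passwd}:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit !found }'
}

# Print each value assigned to KEY (e.g. id_provider) in an sssd.conf-style file.
conf_values() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1"
}

# Run all checks; the default paths are the ones named in the thread.
# The optional third argument overrides the expected owner (for testing).
# Returns the number of failed checks.
sssd_preflight() {
    conf=${1:-/etc/sssd/sssd.conf}; nss=${2:-/etc/nsswitch.conf}; fails=0
    check_conf_perms "$conf" ${3:+"$3"} || fails=$((fails + 1))
    nss_has_sss "$nss" passwd || { echo "no sss in passwd: of $nss"; fails=$((fails + 1)); }
    echo "id_provider: $(conf_values "$conf" id_provider 2>/dev/null)"
    return "$fails"
}
```

Source the file as root and call `sssd_preflight` with no arguments to check the paths named in the thread.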


