[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril cyril.lalinne at 3d-com.fr
Thu Dec 19 08:53:42 MST 2013


On 19/12/2013 16:05, steve wrote:
> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>> On 18/12/2013 15:40, Cyril wrote:
>>> Hello,
>>>
>>> I think I'm starting to understand how a Linux client can be integrated
>>> into a samba domain.
>>>
>>> Tell me if I'm wrong:
>>>
>>> Linux clients don't need Samba for authentication, only the ldap part of
>>> samba.
>>> sssd, through kerberos, gets information from ldap. If the user is known or
>>> gets the right, he can log in.
>>>
>>> So why should I need to install winbind and samba4 on the linux client?
>>> Is it only if I have a Windows AD?
>>>
>>>
>>> Thanks
>>> Cyril
>>>
>>
>> I can't get sssd working and I don't know why.
>
> Hi
> Please post the censored content of:
> /etc/sssd/sssd.conf
> and the passwd and group greps of:
> /etc/nsswitch.conf
> and, for later:
> /etc/pam.d/common-auth
> Steve
>
>

The workstation is an Ubuntu 12.04 LTS 64Bit

/etc/sssd/sssd.conf :

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
ad_hostname = myserver.sub-domain.domain.fr
ad_server = myserver.sub-domain.domain.fr
ad_domain = sub-domain.domain.fr

ldap_schema = ad
id_provider = ad
access_provider = simple

# on large directories, you may want to disable enumeration for performance reasons
enumerate = true

auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
krb5_realm = SUBDOMAIN.DOMAIN.FR
krb5_server = myserver.sub-domain.domain.fr
krb5_kpasswd = myserver.sub-domain.domain.fr
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_krb5_init_creds = true

ldap_referrals = false
ldap_uri = ldap://myserverIPadress
ldap_search_base = dc=subdomain,dc=domain,dc=fr

dyndns_update=false

/etc/nsswitch.conf

passwd:         compat sss
group:          compat sss
shadow:         compat

hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        files sss

/etc/pam.d/common-auth


# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config



Cyril
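
Added example, not part of the message above and not code from the Samba or SSSD projects: a shell check of whether NSS and the PAM auth stack actually hand lookups and logins to SSSD. The function names are hypothetical, and the sample files are constructed from the nsswitch.conf and common-auth lines quoted in the post; on that input the check reports that no auth line loads pam_sss.so.

```shell
#!/bin/sh
# Added example (not from the thread): verify that NSS and the PAM auth stack
# hand lookups and logins to SSSD. Function names are hypothetical.

# nss_uses_sss FILE DB: succeeds if database DB (e.g. passwd) lists "sss".
nss_uses_sss() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit !found }' "$1"
}

# pam_calls_sss FILE TYPE: succeeds if an uncommented TYPE line loads pam_sss.so.
pam_calls_sss() {
    awk -v want="$2" '/^[ \t]*#/ { next }
        { t = $1; sub(/^-/, "", t) }
        t == want { for (i = 2; i <= NF; i++)
            if ($i == "pam_sss.so" || $i ~ /\/pam_sss\.so$/) found = 1 }
        END { exit !found }' "$1"
}

# check_sssd_wiring NSSWITCH PAM_AUTH: prints findings, returns the problem count.
check_sssd_wiring() {
    problems=0
    for db in passwd group; do
        if nss_uses_sss "$1" "$db"; then echo "ok:   $db resolves through sss"
        else echo "FAIL: $db has no sss source in $1"; problems=$((problems + 1)); fi
    done
    if pam_calls_sss "$2" auth; then echo "ok:   auth stack calls pam_sss.so"
    else echo "FAIL: auth stack in $2 never calls pam_sss.so"; problems=$((problems + 1)); fi
    return "$problems"
}

# write_samples DIR: sample files constructed from the lines quoted in the post.
write_samples() {
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:         compat sss
group:          compat sss
shadow:         compat
EOF
    cat > "$1/common-auth" <<'EOF'
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
check_sssd_wiring "$dir/nsswitch.conf" "$dir/common-auth" || echo "$? problem(s) found"
rm -rf "$dir"
```

On a real host the same function takes /etc/nsswitch.conf and /etc/pam.d/common-auth as its two arguments.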


