[Samba] Linux client of the domain - SSSD : authenticating via Kerberos
steve
steve at steve-ss.com
Thu Dec 19 09:13:30 MST 2013
On Thu, 2013-12-19 at 16:53 +0100, Cyril wrote:
> On 19/12/2013 16:05, steve wrote:
> > On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
> >> On 18/12/2013 15:40, Cyril wrote:
> >>> Hello,
> >>>
> >>> I think I'm starting to understand how Linux client can be integrated
> >>> into a samba domain.
> >>>
> >>> Tell me if I'm wrong :
> >>>
> >>> Linux clients don't need Samba for authentication, only the ldap part of
> >>> samba.
> >>> sssd through kerberos get information from ldap. If the user is known or
> >>> get the right, he can log.
> >>>
> >>> So why should I need to install winbind and samba4 on the linux client ?
> >>> Is it only if I have a Windows AD ?
> >>>
> >>>
> >>> Thanks
> >>> Cyril
> >>>
> >>
> >> I can't get sssd working and I don't know why.
> >
> > Hi
> > Please post the censored content of:
> > /etc/sssd/sssd.conf
> > and the passwd and group greps of:
> > /etc/nsswitch.conf
> > and, for later:
> > /etc/pam.d/common-auth
> > Steve
> >
> >
>
> The workstation is an Ubuntu 12.04 LTS 64Bit
>
> /etc/sssd/sssd.conf :
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = default
>
> [nss]
>
> [pam]
>
> [domain/default]
> ad_hostname = myserver.sub-domain.domain.fr
> ad_server = myserver.sub-domain.domain.fr
> ad_domain = sub-domain.domain.fr
>
> ldap_schema = ad
> id_provider = ad
> access_provider = simple
>
> # on large directories, you may want to disable enumeration for performance reasons
> enumerate = true
>
> auth_provider = krb5
> chpass_provider = krb5
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
> krb5_realm = SUBDOMAIN.DOMAIN.FR
> krb5_server = myserver.sub-domain.domain.fr
> krb5_kpasswd = myserver.sub-domain.domain.fr
> ldap_krb5_keytab = /etc/krb5.sssd.keytab
> ldap_krb5_init_creds = true
> ldap_referrals = false
> ldap_uri = ldap://myserverIPadress
> ldap_search_base = dc=subdomain,dc=domain,dc=fr
> dyndns_update=false
Too much to correct. Could you compare with a working config and change
as necessary? E.g.
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
>
> /etc/nsswitch.conf
>
> passwd: compat sss
> group: compat sss
> shadow: compat
>
OK
> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
> sudoers: files sss
>
> /etc/pam.d/common-auth
>
>
> # here are the per-package modules (the "Primary" block)
> auth [success=1 default=ignore] pam_unix.so nullok_secure
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> auth optional pam_cap.so
> # end of pam-auth-update config
>
Nope. We're gonna need to add sss here. But let's get connected first.
Can you give us a:
klist -ke /etc/krb5.sssd.keytab
How did you create it?
HTH
Steve
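
Added example, not part of the original message: a small consistency check over the three files requested in this thread, confirming that sssd.conf enables the nss and pam responders, that nsswitch.conf lists sss for passwd and group, and that the PAM auth stack calls pam_sss.so. The function name check_sss_wiring and the sample strings are assumptions, constructed and abridged from the files quoted above.

```python
import configparser

# Constructed samples, abridged from the three files quoted in the thread.
SSSD_CONF = """[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ad
auth_provider = krb5
"""
NSSWITCH = """passwd: compat sss
group: compat sss
shadow: compat
"""
COMMON_AUTH = """auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

def check_sss_wiring(sssd_conf, nsswitch, pam_auth):
    """Return findings; an empty list means NSS and PAM both reach sssd."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf)
    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",")}
    for svc in ("nss", "pam"):
        if svc not in services:
            findings.append(f"sssd.conf: '{svc}' not in [sssd] services")
    for dom in cp.get("sssd", "domains", fallback="").split(","):
        if dom.strip() and not cp.has_section(f"domain/{dom.strip()}"):
            findings.append(f"sssd.conf: no [domain/{dom.strip()}] section")
    # nsswitch.conf lines have the form "database: source source ..."
    sources = {}
    for line in nsswitch.splitlines():
        db, sep, rest = line.split("#", 1)[0].partition(":")
        if sep:
            sources[db.strip()] = rest.split()
    for db in ("passwd", "group"):
        if "sss" not in sources.get(db, []):
            findings.append(f"nsswitch.conf: 'sss' not listed for {db}")
    # PAM: look for pam_sss.so on any active (non-comment) "auth" line
    auth_lines = [l.split() for l in pam_auth.splitlines()
                  if l.strip() and not l.lstrip().startswith("#")]
    if not any(t[0] == "auth" and "pam_sss.so" in t for t in auth_lines):
        findings.append("common-auth: no pam_sss.so in the auth stack")
    return findings

if __name__ == "__main__":
    for finding in check_sss_wiring(SSSD_CONF, NSSWITCH, COMMON_AUTH):
        print(finding)
```

Run against the quoted files, the only finding is the missing pam_sss.so entry in common-auth; the NSS side is already wired to sss.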