[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Rowland Penny rowlandpenny at googlemail.com
Thu Dec 19 09:17:35 MST 2013


On 19/12/13 15:53, Cyril wrote:
> On 19/12/2013 16:05, steve wrote:
>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>> On 18/12/2013 15:40, Cyril wrote:
>>>> Hello,
>>>>
>>>> I think I'm starting to understand how a Linux client can be
>>>> integrated into a samba domain.
>>>>
>>>> Tell me if I'm wrong :
>>>>
>>>> Linux clients don't need Samba for authentication, only the ldap
>>>> part of samba.
>>>> sssd through kerberos gets information from ldap. If the user is
>>>> known or has the right, he can log in.
>>>>
>>>> So why should I need to install winbind and samba4 on the Linux
>>>> client?
>>>> Is it only if I have a Windows AD ?
>>>>
>>>>
>>>> Thanks
>>>> Cyril
>>>>
>>>
>>> I can't get sssd working and I don't know why.
>>
>> Hi
>> Please post the censored content of:
>> /etc/sssd/sssd.conf
>> and the passwd and group greps of:
>> /etc/nsswitch.conf
>> and, for later:
>> /etc/pam.d/common-auth
>> Steve
>>
>>
>
> The workstation is an Ubuntu 12.04 LTS 64Bit
>
> /etc/sssd/sssd.conf :
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = default
>
> [nss]
>
> [pam]
>
> [domain/default]
> ad_hostname = myserver.sub-domain.domain.fr
> ad_server = myserver.sub-domain.domain.fr
> ad_domain = sub-domain.domain.fr
>
> ldap_schema = ad
> id_provider = ad
> access_provider = simple
>
> # on large directories, you may want to disable enumeration for performance reasons
> enumerate = true
>
> auth_provider = krb5
> chpass_provider = krb5
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = myserver at SUBDOMAIN.DOMAIN.FR
> krb5_realm = SUBDOMAIN.DOMAIN.FR
> krb5_server = myserver.sub-domain.domain.fr
> krb5_kpasswd = myserver.sub-domain.domain.fr
> ldap_krb5_keytab = /etc/krb5.sssd.keytab
> ldap_krb5_init_creds = true
>
> ldap_referrals = false
> ldap_uri = ldap://myserverIPadress
> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>
> dyndns_update=false
>
> /etc/nsswitch.conf
>
> passwd:         compat sss
> group:          compat sss
> shadow:         compat
>
> hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
> sudoers:        files sss
>
> /etc/pam.d/common-auth
>
>
> # here are the per-package modules (the "Primary" block)
> auth    [success=1 default=ignore]      pam_unix.so nullok_secure
> # here's the fallback if no module succeeds
> auth    requisite                       pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth    required                        pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> auth    optional                        pam_cap.so
> # end of pam-auth-update config
>
>
>
> Cyril
>
As Steve says, might as well start with a new sssd.conf, here is a 
working (sanitized) version from the laptop I am typing on ;-)

[sssd]
config_file_version = 2
domains = default
services = nss, pam

[nss]

[pam]

[domain/default]
description = AD domain with Samba 4 server
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
autofs_provider = ldap
sudo_provider = ldap

krb5_server = your.Samba4server.FQDN
krb5_kpasswd = your.Samba4server.FQDN
krb5_realm = UPPERCASE.REALM

ldap_referrals = false
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

ldap_group_object_class = group
ldap_group_name = sAMAccountName

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
ldap_krb5_init_creds = true

Rowland
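An added example (this editor's code, not from the thread, from Cyril or Rowland, or from the SSSD project): a small Python linter that reads the `[domain/...]` section of an sssd.conf and flags the points on which the two configs above differ, plus two option semantics taken from the sssd-ad(5) and sssd-simple(5) man pages (ad_hostname names the client, not the server, and the simple access provider grants access to everyone when no allow list is configured). The sample inputs are constructed: the posted domain section with the archive's " at " restored to "@" and the IP placeholder replaced by an RFC 5737 documentation address, and a trimmed copy of the reference section with its placeholders kept. The finding codes and messages are this example's own.

```python
"""Static sanity checks for the [domain/...] section of an sssd.conf
written for a Samba 4 AD domain.  Editor's example, not SSSD code.
Findings are (code, explanation) pairs."""
import configparser
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample 1: the posted domain section, "@" restored and the
# IP placeholder replaced by a documentation address.
POSTED_CONF = """
[domain/default]
ad_hostname = myserver.sub-domain.domain.fr
ad_server = myserver.sub-domain.domain.fr
ad_domain = sub-domain.domain.fr
ldap_schema = ad
id_provider = ad
access_provider = simple
enumerate = true
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
krb5_realm = SUBDOMAIN.DOMAIN.FR
krb5_server = myserver.sub-domain.domain.fr
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_referrals = false
ldap_uri = ldap://192.0.2.10
ldap_search_base = dc=subdomain,dc=domain,dc=fr
"""

# Constructed sample 2: the reference section, trimmed to the keys the
# checks below look at; placeholders as posted.
WORKING_CONF = """
[domain/default]
enumerate = true
id_provider = ldap
auth_provider = krb5
access_provider = ldap
krb5_realm = UPPERCASE.REALM
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
ldap_krb5_init_creds = true
"""

# Principal forms a client keytab normally holds: host/fqdn@REALM (the
# SSSD default for ldap_sasl_authid) or the machine account CLIENT$@REALM.
_AUTHID_RE = re.compile(r"^(host/[^@/]+|[^@/]+\$)@([^@]+)$")


def _uri_hosts(uri_list: str) -> List[str]:
    """Host parts of a comma-separated ldap_uri value."""
    return [urlparse(u.strip()).hostname or "" for u in uri_list.split(",") if u.strip()]


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_domain(conf_text: str, domain: str = "default") -> List[Tuple[str, str]]:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    get = lambda key: sec.get(key, "").strip()
    findings: List[Tuple[str, str]] = []

    realm = get("krb5_realm")
    if realm and realm != realm.upper():
        findings.append(("REALM-CASE", f"krb5_realm '{realm}' is not upper case; realm names are case-sensitive"))

    authid = get("ldap_sasl_authid")
    if authid:
        m = _AUTHID_RE.match(authid)
        if not m:
            findings.append(("AUTHID-FORM", f"ldap_sasl_authid '{authid}' is neither host/<fqdn>@REALM nor <CLIENT>$@REALM; it must match a keytab entry"))
        elif m.group(2) != m.group(2).upper():
            findings.append(("AUTHID-REALM-CASE", f"realm in ldap_sasl_authid '{authid}' is not upper case"))

    ad_hostname, ad_server = get("ad_hostname"), get("ad_server")
    if ad_hostname and ad_hostname.lower() == ad_server.lower():
        findings.append(("AD-HOSTNAME", "ad_hostname equals ad_server; ad_hostname is the client's own FQDN and selects its keytab principal"))

    if get("ldap_sasl_mech").upper() == "GSSAPI":
        for host in _uri_hosts(get("ldap_uri")):
            if _is_ip_literal(host):
                findings.append(("LDAP-URI-IP", f"ldap_uri host {host} is an IP literal; without ldap_sasl_canonicalize GSSAPI asks for ldap/{host}, an SPN AD does not register"))

    if get("access_provider") == "simple" and not (get("simple_allow_users") or get("simple_allow_groups")):
        findings.append(("ACCESS-OPEN", "access_provider = simple with no allow list grants login to every resolvable account"))

    if get("enumerate").lower() == "true":
        findings.append(("ENUMERATE", "enumerate = true pulls the whole directory into the cache; costly on large domains"))

    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("reference", WORKING_CONF)):
        print(f"== {name} ==")
        for code, msg in check_domain(text):
            print(f"{code:18} {msg}")
```

Run against the posted section it reports five findings (AUTHID-FORM, AD-HOSTNAME, LDAP-URI-IP, ACCESS-OPEN, ENUMERATE); against the reference section only ENUMERATE, which Rowland's own comment on large directories already anticipates. The keytab and DNS checks it cannot do offline remain `klist -k` and `kinit -k` on the client.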

