[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

steve steve at steve-ss.com
Thu Dec 19 09:22:49 MST 2013


On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
> On 19/12/13 15:53, Cyril wrote:
> > > On 19/12/2013 16:05, steve wrote:
> >> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
> >>>> On 18/12/2013 15:40, Cyril wrote:
> >>>> Hello,
> >>>>
> >>>> I think I'm starting to understand how a Linux client can be integrated
> >>>> into a Samba domain.
> >>>>
> >>>> Tell me if I'm wrong:
> >>>>
> >>>> Linux clients don't need Samba for authentication, only the LDAP part of
> >>>> Samba.
> >>>> sssd, through Kerberos, gets information from LDAP. If the user is known
> >>>> or has the right, he can log in.
> >>>>
> >>>> So why should I need to install winbind and samba4 on the Linux client?
> >>>> Is it only if I have a Windows AD?
> >>>>
> >>>>
> >>>> Thanks
> >>>> Cyril
> >>>>
> >>>
> >>> I can't get sssd working and I don't know why.
> >>
> >> Hi
> >> Please post the censored content of:
> >> /etc/sssd/sssd.conf
> >> and the passwd and group greps of:
> >> /etc/nsswitch.conf
> >> and, for later:
> >> /etc/pam.d/common-auth
> >> Steve
> >>
> >>
> >
> > The workstation is an Ubuntu 12.04 LTS 64-bit
> >
> > /etc/sssd/sssd.conf :
> >
> > [sssd]
> > services = nss, pam
> > config_file_version = 2
> > domains = default
> >
> > [nss]
> >
> > [pam]
> >
> > [domain/default]
> > ad_hostname = myserver.sub-domain.domain.fr
> > ad_server = myserver.sub-domain.domain.fr
> > ad_domain = sub-domain.domain.fr
> >
> > ldap_schema = ad
> > id_provider = ad
> > access_provider = simple
> >
> > # on large directories, you may want to disable enumeration for performance reasons
> > enumerate = true
> >
> > auth_provider = krb5
> > chpass_provider = krb5
> > ldap_sasl_mech = gssapi
> > ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
> > krb5_realm = SUBDOMAIN.DOMAIN.FR
> > krb5_server = myserver.sub-domain.domain.fr
> > krb5_kpasswd = myserver.sub-domain.domain.fr
> > ldap_krb5_keytab = /etc/krb5.sssd.keytab
> > ldap_krb5_init_creds = true
> >
> > ldap_referrals = false
> > ldap_uri = ldap://myserverIPadress
> > ldap_search_base = dc=subdomain,dc=domain,dc=fr
> >
> > dyndns_update=false
> >
> > /etc/nsswitch.conf
> >
> > passwd:         compat sss
> > group:          compat sss
> > shadow:         compat
> >
> > hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
> > networks:       files
> >
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> >
> > netgroup:       nis
> > sudoers:        files sss
> >
> > /etc/pam.d/common-auth
> >
> >
> > # here are the per-package modules (the "Primary" block)
> > auth    [success=1 default=ignore]      pam_unix.so nullok_secure
> > # here's the fallback if no module succeeds
> > auth    requisite                       pam_deny.so
> > # prime the stack with a positive return value if there isn't one already;
> > # this avoids us returning an error just because nothing sets a success code
> > # since the modules above will each just jump around
> > auth    required                        pam_permit.so
> > # and here are more per-package modules (the "Additional" block)
> > auth    optional                        pam_cap.so
> > # end of pam-auth-update config
> >
> >
> >
> > Cyril
> >
> As Steve says, might as well start with a new sssd.conf, here is a 
> working (sanitized) version from the laptop I am typing on ;-)
> 
> [sssd]
> config_file_version = 2
> domains = default
> services = nss, pam
> 
> [nss]
> 
> [pam]
> 
> [domain/default]
> description = AD domain with Samba 4 server
> cache_credentials = true
> enumerate = true
> id_provider = ldap
> auth_provider = krb5
> chpass_provider = krb5
> access_provider = ldap
> autofs_provider = ldap
> sudo_provider = ldap
> 
> krb5_server = your.Samba4server.FQDN
> krb5_kpasswd = your.Samba4server.FQDN
> krb5_realm = UPPERCASE.REALM
> 
> ldap_referrals = false
> ldap_schema = rfc2307bis
> ldap_access_order = expire
> ldap_account_expire_policy = ad
> ldap_force_upper_case_realm = true
> 
> ldap_user_object_class = user
> ldap_user_name = sAMAccountName
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_principal = userPrincipalName
> 
> ldap_group_object_class = group
> ldap_group_name = sAMAccountName
> 
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
> ldap_krb5_init_creds = true
> 
> Rowland

@Rowland
Is the OP on sssd <= 1.9.x?
Steve
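An added offline lint, not code from the thread or from the SSSD project, that checks the sssd.conf/nsswitch.conf pitfalls raised above (a domain listed in [sssd] without its [domain/...] section, a realm that is not upper case, an ldap_sasl_authid whose realm differs from krb5_realm, an IP-literal ldap_uri combined with SASL GSSAPI, and passwd/group lines that do not consult sss). The sample config is constructed after the OP's, with a documentation IP address.

```python
"""Offline lint for an sssd.conf + nsswitch.conf pair (constructed samples below)."""
import configparser
import re

# Constructed sample modelled on the OP's config; the IP is a documentation address.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ad
auth_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
krb5_realm = SUBDOMAIN.DOMAIN.FR
ldap_uri = ldap://192.0.2.10
"""
SAMPLE_NSSWITCH = "passwd: compat sss\ngroup: compat\nshadow: compat\n"


def lint_sssd(sssd_text, nsswitch_text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    findings = []
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in domains:
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            findings.append(f"[sssd] lists domain '{dom}' but section [{sect}] is missing")
            continue
        d = cp[sect]
        realm = d.get("krb5_realm", "")
        if realm and realm != realm.upper():
            findings.append(f"[{sect}] krb5_realm '{realm}' should be upper case")
        authid = d.get("ldap_sasl_authid", "")
        if "@" in authid and authid.split("@", 1)[1] != realm:
            findings.append(f"[{sect}] ldap_sasl_authid realm does not match krb5_realm")
        # Heuristic: GSSAPI needs the LDAP server's service principal (ldap/<fqdn>@REALM),
        # so an IP-literal ldap_uri usually cannot be matched to the server's keytab entry.
        if d.get("ldap_sasl_mech", "").lower() == "gssapi" and re.search(
                r"://\d+\.\d+\.\d+\.\d+", d.get("ldap_uri", "")):
            findings.append(f"[{sect}] ldap_uri uses an IP address but SASL GSSAPI needs the server FQDN")
    # Both passwd and group must consult sss, or domain users resolve to no identity at all.
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", nsswitch_text, re.M)
        if "sss" not in (m.group(1).split() if m else []):
            findings.append(f"nsswitch.conf: '{db}' line does not include sss")
    return findings
```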