[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Rowland Penny rowlandpenny at googlemail.com
Thu Dec 19 09:42:18 MST 2013


On 19/12/13 16:22, steve wrote:
> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>> On 19/12/13 15:53, Cyril wrote:
>>>> On 19/12/2013 16:05, steve wrote:
>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>> On 18/12/2013 15:40, Cyril wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I think I'm starting to understand how Linux client can be integrated
>>>>>> into a samba domain.
>>>>>>
>>>>>> Tell me if I'm wrong:
>>>>>>
>>>>>> Linux clients don't need Samba for authentication, only the LDAP
>>>>>> part of Samba.
>>>>>> sssd, through Kerberos, gets information from LDAP. If the user is
>>>>>> known or has the right, he can log in.
>>>>>>
>>>>>> So why should I need to install winbind and samba4 on the Linux
>>>>>> client?
>>>>>> Is it only if I have a Windows AD?
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>> Cyril
>>>>>>
>>>>> I can't get sssd working and I don't know why.
>>>> Hi
>>>> Please post the censored content of:
>>>> /etc/sssd/sssd.conf
>>>> and the passwd and group greps of:
>>>> /etc/nsswitch.conf
>>>> and, for later:
>>>> /etc/pam.d/common-auth
>>>> Steve
>>>>
>>>>
>>> The workstation is an Ubuntu 12.04 LTS 64Bit
>>>
>>> /etc/sssd/sssd.conf :
>>>
>>> [sssd]
>>> services = nss, pam
>>> config_file_version = 2
>>> domains = default
>>>
>>> [nss]
>>>
>>> [pam]
>>>
>>> [domain/default]
>>> ad_hostname = myserver.sub-domain.domain.fr
>>> ad_server = myserver.sub-domain.domain.fr
>>> ad_domain = sub-domain.domain.fr
>>>
>>> ldap_schema = ad
>>> id_provider = ad
>>> access_provider = simple
>>>
>>> # on large directories, you may want to disable enumeration for performance reasons
>>> enumerate = true
>>>
>>> auth_provider = krb5
>>> chpass_provider = krb5
>>> ldap_sasl_mech = gssapi
>>> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>> krb5_server = myserver.sub-domain.domain.fr
>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>> ldap_krb5_init_creds = true
>>>
>>> ldap_referrals = false
>>> ldap_uri = ldap://myserverIPadress
>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>
>>> dyndns_update=false
>>>
>>> /etc/nsswitch.conf
>>>
>>> passwd:         compat sss
>>> group:          compat sss
>>> shadow:         compat
>>>
>>> hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
>>> networks:       files
>>>
>>> protocols:      db files
>>> services:       db files
>>> ethers:         db files
>>> rpc:            db files
>>>
>>> netgroup:       nis
>>> sudoers:        files sss
>>>
>>> /etc/pam.d/common-auth
>>>
>>>
>>> # here are the per-package modules (the "Primary" block)
>>> auth    [success=1 default=ignore]      pam_unix.so nullok_secure
>>> # here's the fallback if no module succeeds
>>> auth    requisite                       pam_deny.so
>>> # prime the stack with a positive return value if there isn't one already;
>>> # this avoids us returning an error just because nothing sets a success code
>>> # since the modules above will each just jump around
>>> auth    required                        pam_permit.so
>>> # and here are more per-package modules (the "Additional" block)
>>> auth    optional                        pam_cap.so
>>> # end of pam-auth-update config
>>>
>>>
>>>
>>> Cyril
>>>
>> As Steve says, might as well start with a new sssd.conf, here is a
>> working (sanitized) version from the laptop I am typing on ;-)
>>
>> [sssd]
>> config_file_version = 2
>> domains = default
>> services = nss, pam
>>
>> [nss]
>>
>> [pam]
>>
>> [domain/default]
>> description = AD domain with Samba 4 server
>> cache_credentials = true
>> enumerate = true
>> id_provider = ldap
>> auth_provider = krb5
>> chpass_provider = krb5
>> access_provider = ldap
>> autofs_provider = ldap
>> sudo_provider = ldap
>>
>> krb5_server = your.Samba4server.FQDN
>> krb5_kpasswd = your.Samba4server.FQDN
>> krb5_realm = UPPERCASE.REALM
>>
>> ldap_referrals = false
>> ldap_schema = rfc2307bis
>> ldap_access_order = expire
>> ldap_account_expire_policy = ad
>> ldap_force_upper_case_realm = true
>>
>> ldap_user_object_class = user
>> ldap_user_name = sAMAccountName
>> ldap_user_home_directory = unixHomeDirectory
>> ldap_user_principal = userPrincipalName
>>
>> ldap_group_object_class = group
>> ldap_group_name = sAMAccountName
>>
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>> ldap_krb5_init_creds = true
>>
>> Rowland
> @Rowland
> Is the OP on sssd <= 1.9.x ?
> Steve
>
>
>
He posted earlier that he was using Ubuntu 12.04, so I suggested that he
use the sssd ppa. I believe that he is now using this ppa and if so, he
should be using 1.11.1.

Rowland
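The two sssd.conf files posted in this thread differ in ways that are easy to miss by eye (realm case, the `@REALM` part of `ldap_sasl_authid`, whether the domain listed in `[sssd]` has a matching section, and whether `access_provider = simple` actually has any allow/deny lists). The script below is an added example, not code from the thread or from the SSSD project: it parses an sssd.conf with Python's standard `configparser`, applies those checks, and also checks the `passwd`/`group` lines of nsswitch.conf and the permission bits SSSD requires on its config file. The embedded samples are constructed from the configurations posted above, with the posted placeholder names kept as they are; the check names and messages are this example's own.

```python
"""Static sanity checks for sssd.conf / nsswitch.conf (added example, not SSSD code)."""
import configparser
import ipaddress
import re
import stat
from urllib.parse import urlsplit

# Constructed sample: the configuration the OP posted (placeholders kept).
OP_SSSD_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
ad_hostname = myserver.sub-domain.domain.fr
ad_server = myserver.sub-domain.domain.fr
ad_domain = sub-domain.domain.fr
ldap_schema = ad
id_provider = ad
access_provider = simple
enumerate = true
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
krb5_realm = SUBDOMAIN.DOMAIN.FR
krb5_server = myserver.sub-domain.domain.fr
krb5_kpasswd = myserver.sub-domain.domain.fr
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_krb5_init_creds = true
ldap_referrals = false
ldap_uri = ldap://myserverIPadress
ldap_search_base = dc=subdomain,dc=domain,dc=fr
dyndns_update=false
"""

# Constructed sample: the working configuration Rowland posted (placeholders kept).
ROWLAND_SSSD_CONF = """
[sssd]
config_file_version = 2
domains = default
services = nss, pam

[nss]

[pam]

[domain/default]
description = AD domain with Samba 4 server
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
krb5_server = your.Samba4server.FQDN
krb5_kpasswd = your.Samba4server.FQDN
krb5_realm = UPPERCASE.REALM
ldap_referrals = false
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = true
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
ldap_krb5_init_creds = true
"""

# Constructed sample: the passwd/group lines the OP posted from nsswitch.conf.
OP_NSSWITCH = "passwd:         compat sss\ngroup:          compat sss\nshadow:         compat\n"


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _check_domain(d, sect):
    """Checks on one [domain/...] section; returns a list of finding strings."""
    out = []
    realm = d.get("krb5_realm", "")
    if d.get("auth_provider") == "krb5":
        if not realm:
            out.append(f"[{sect}] auth_provider=krb5 but krb5_realm is not set")
        elif realm != realm.upper():
            out.append(f"[{sect}] krb5_realm {realm!r} is not uppercase; Kerberos realms are case-sensitive")
    if d.get("ldap_sasl_mech", "").upper() == "GSSAPI":
        authid = d.get("ldap_sasl_authid", "")
        if "@" in authid:
            authrealm = authid.rsplit("@", 1)[1]
            if realm and authrealm != realm:
                out.append(f"[{sect}] ldap_sasl_authid realm {authrealm!r} differs from krb5_realm {realm!r}")
        elif authid:
            out.append(f"[{sect}] ldap_sasl_authid {authid!r} has no @REALM part")
        host = urlsplit(d.get("ldap_uri", "")).hostname or ""
        if _is_ip(host):
            # GSSAPI binds need a service principal ldap/<hostname>@REALM; an IP literal has none.
            out.append(f"[{sect}] ldap_uri uses IP literal {host}; use the LDAP server's hostname for GSSAPI")
    if d.get("access_provider") == "simple" and not any(k.startswith(("simple_allow", "simple_deny")) for k in d):
        # sssd-simple grants access to everyone when all of its lists are empty.
        out.append(f"[{sect}] access_provider=simple with no simple_allow_*/simple_deny_* lists grants access to every user")
    return out


def check_sssd_conf(text):
    """Parse an sssd.conf and return a list of findings (empty list = nothing flagged)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if cp.get("sssd", "config_file_version", fallback=None) != "2":
        findings.append("[sssd] config_file_version must be 2")
    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",")}
    for needed in ("nss", "pam"):
        if needed not in services:
            findings.append(f"[sssd] services does not list {needed}")
    domains = [x.strip() for x in cp.get("sssd", "domains", fallback="").split(",") if x.strip()]
    if not domains:
        findings.append("[sssd] domains is empty")
    for dom in domains:
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            findings.append(f"domain {dom!r} is listed in [sssd] but [{sect}] is missing")
        else:
            findings.extend(_check_domain(cp[sect], sect))
    return findings


def check_nsswitch(text):
    """Flag passwd/group databases that do not consult sss."""
    out = []
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", text, re.M)
        if "sss" not in (m.group(1).split() if m else []):
            out.append(f"nsswitch.conf: {db} does not include sss")
    return out


def conf_perms_ok(mode, uid):
    """sssd refuses a config file that is not root-owned or is group/world accessible."""
    return uid == 0 and (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    for name, conf in (("OP", OP_SSSD_CONF), ("Rowland", ROWLAND_SSSD_CONF)):
        print(name, check_sssd_conf(conf) or "no findings")
    print("nsswitch", check_nsswitch(OP_NSSWITCH) or "no findings")
```

On the OP's file the only finding is the empty `simple` access provider; Rowland's file passes clean. To run it against a live host, read `/etc/sssd/sssd.conf` and `/etc/nsswitch.conf` into the two check functions and feed `os.stat(path).st_mode` and `.st_uid` to `conf_perms_ok`.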


