[Samba] Linux client of the domain - SSSD : authenticating via Kerberos
Cyril
cyril.lalinne at 3d-com.fr
Thu Dec 19 09:46:43 MST 2013
On 19/12/2013 17:42, Rowland Penny wrote:
> On 19/12/13 16:22, steve wrote:
>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>>> On 19/12/13 15:53, Cyril wrote:
>>>> On 19/12/2013 16:05, steve wrote:
>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>> On 18/12/2013 15:40, Cyril wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I think I'm starting to understand how Linux clients can be integrated into a Samba domain.
>>>>>>>
>>>>>>> Tell me if I'm wrong:
>>>>>>>
>>>>>>> Linux clients don't need Samba for authentication, only the LDAP part of Samba.
>>>>>>> sssd, through Kerberos, gets information from LDAP. If the user is known or has the right, he can log in.
>>>>>>>
>>>>>>> So why should I need to install winbind and samba4 on the Linux client? Is it only if I have a Windows AD?
>>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>> Cyril
>>>>>>>
>>>>>> I can't get sssd working and I don't know why.
>>>>> Hi
>>>>> Please post the censored content of:
>>>>> /etc/sssd/sssd.conf
>>>>> and the passwd and group greps of:
>>>>> /etc/nsswitch.conf
>>>>> and, for later:
>>>>> /etc/pam.d/common-auth
>>>>> Steve
>>>>>
>>>>>
>>>> The workstation is an Ubuntu 12.04 LTS 64-bit
>>>>
>>>> /etc/sssd/sssd.conf :
>>>>
>>>> [sssd]
>>>> services = nss, pam
>>>> config_file_version = 2
>>>> domains = default
>>>>
>>>> [nss]
>>>>
>>>> [pam]
>>>>
>>>> [domain/default]
>>>> ad_hostname = myserver.sub-domain.domain.fr
>>>> ad_server = myserver.sub-domain.domain.fr
>>>> ad_domain = sub-domain.domain.fr
>>>>
>>>> ldap_schema = ad
>>>> id_provider = ad
>>>> access_provider = simple
>>>>
>>>> # on large directories, you may want to disable enumeration for performance reasons
>>>> enumerate = true
>>>>
>>>> auth_provider = krb5
>>>> chpass_provider = krb5
>>>> ldap_sasl_mech = gssapi
>>>> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>>> krb5_server = myserver.sub-domain.domain.fr
>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>>> ldap_krb5_init_creds = true
>>>>
>>>> ldap_referrals = false
>>>> ldap_uri = ldap://myserverIPadress
>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>>
>>>> dyndns_update=false
>>>>
>>>> /etc/nsswitch.conf
>>>>
>>>> passwd: compat sss
>>>> group: compat sss
>>>> shadow: compat
>>>>
>>>> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>> networks: files
>>>>
>>>> protocols: db files
>>>> services: db files
>>>> ethers: db files
>>>> rpc: db files
>>>>
>>>> netgroup: nis
>>>> sudoers: files sss
>>>>
>>>> /etc/pam.d/common-auth
>>>>
>>>>
>>>> # here are the per-package modules (the "Primary" block)
>>>> auth [success=1 default=ignore] pam_unix.so nullok_secure
>>>> # here's the fallback if no module succeeds
>>>> auth requisite pam_deny.so
>>>> # prime the stack with a positive return value if there isn't one already;
>>>> # this avoids us returning an error just because nothing sets a success code
>>>> # since the modules above will each just jump around
>>>> auth required pam_permit.so
>>>> # and here are more per-package modules (the "Additional" block)
>>>> auth optional pam_cap.so
>>>> # end of pam-auth-update config
>>>>
>>>>
>>>>
>>>> Cyril
>>>>
>>> As Steve says, you might as well start with a new sssd.conf; here is a
>>> working (sanitized) version from the laptop I am typing on ;-)
>>>
>>> [sssd]
>>> config_file_version = 2
>>> domains = default
>>> services = nss, pam
>>>
>>> [nss]
>>>
>>> [pam]
>>>
>>> [domain/default]
>>> description = AD domain with Samba 4 server
>>> cache_credentials = true
>>> enumerate = true
>>> id_provider = ldap
>>> auth_provider = krb5
>>> chpass_provider = krb5
>>> access_provider = ldap
>>> autofs_provider = ldap
>>> sudo_provider = ldap
>>>
>>> krb5_server = your.Samba4server.FQDN
>>> krb5_kpasswd = your.Samba4server.FQDN
>>> krb5_realm = UPPERCASE.REALM
>>>
>>> ldap_referrals = false
>>> ldap_schema = rfc2307bis
>>> ldap_access_order = expire
>>> ldap_account_expire_policy = ad
>>> ldap_force_upper_case_realm = true
>>>
>>> ldap_user_object_class = user
>>> ldap_user_name = sAMAccountName
>>> ldap_user_home_directory = unixHomeDirectory
>>> ldap_user_principal = userPrincipalName
>>>
>>> ldap_group_object_class = group
>>> ldap_group_name = sAMAccountName
>>>
>>> ldap_sasl_mech = GSSAPI
>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>>> ldap_krb5_init_creds = true
>>>
>>> Rowland
>> @Rowland
>> Is the OP on sssd <= 1.9.x?
>> Steve
>>
>>
>>
> He posted earlier that he was using Ubuntu 12.04, so I suggested that he
> used the sssd ppa. I believe that he is now using this ppa and if so, he
> should be using 1.11.1
>
> Rowland
>
Yes, that's what I did.
But I think Steve would like to know the version on the laptop you're
currently using.
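The three files Steve asked for can be sanity-checked mechanically. The script below is an added example, not code from this thread: it parses the [domain/...] sections of an sssd.conf the way Rowland's working config lays them out, checks that nsswitch.conf routes passwd/group through sss, and checks that common-auth actually contains a pam_sss.so line. The sample inputs are constructed from the files Cyril posted (with his placeholder hostnames), so the findings it returns are the two things that differ from Rowland's version: ldap_sasl_authid is not of the CLIENTNAME$@REALM form, and common-auth has no pam_sss.so.

```python
import configparser
import re

# Constructed sample: the core of Cyril's posted sssd.conf (his placeholder names)
SSSD_CONF = """\
[sssd]
domains = default

[domain/default]
id_provider = ad
auth_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
krb5_realm = SUBDOMAIN.DOMAIN.FR
"""
# Constructed from the nsswitch.conf and common-auth Cyril posted (no pam_sss.so line)
NSSWITCH = "passwd: compat sss\ngroup: compat sss\nshadow: compat\n"
COMMON_AUTH = "auth [success=1 default=ignore] pam_unix.so nullok_secure\nauth requisite pam_deny.so\n"


def check_sssd(conf_text, nsswitch_text, pam_auth_text):
    """Return a list of findings; an empty list means the basic checks pass."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for dom in [x.strip() for x in cp.get("sssd", "domains", fallback="").split(",") if x.strip()]:
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            findings.append(f"{sec}: listed in [sssd] domains but no such section")
            continue
        d = cp[sec]
        realm = d.get("krb5_realm", "")
        if realm != realm.upper():
            findings.append(f"{sec}: krb5_realm '{realm}' is not uppercase")
        if d.get("ldap_sasl_mech", "").upper() == "GSSAPI":
            authid = d.get("ldap_sasl_authid", "")
            m = re.fullmatch(r"([^@]+)@([^@]+)", authid)
            if not m:
                findings.append(f"{sec}: ldap_sasl_authid '{authid}' is not principal@REALM")
            elif not m.group(1).endswith("$"):
                findings.append(f"{sec}: ldap_sasl_authid '{authid}' is not a machine account (CLIENT$@REALM)")
            elif m.group(2) != realm:
                findings.append(f"{sec}: ldap_sasl_authid realm '{m.group(2)}' differs from krb5_realm")
    for db in ("passwd", "group"):  # NSS must consult sss for users and groups
        line = next((l for l in nsswitch_text.splitlines() if l.startswith(db + ":")), "")
        if "sss" not in line.split()[1:]:
            findings.append(f"nsswitch.conf: '{db}' line does not list sss")
    if "pam_sss.so" not in pam_auth_text:  # without this, PAM never calls sssd for authentication
        findings.append("common-auth: no pam_sss.so line, so PAM never calls sssd for authentication")
    return findings
```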