[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Rowland Penny rowlandpenny at googlemail.com
Thu Dec 19 09:53:57 MST 2013


On 19/12/13 16:46, Cyril wrote:
> Le 19/12/2013 17:42, Rowland Penny a écrit :
>> On 19/12/13 16:22, steve wrote:
>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>>>> On 19/12/13 15:53, Cyril wrote:
>>>>> Le 19/12/2013 16:05, steve a écrit :
>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>>> Le 18/12/2013 15:40, Cyril a écrit :
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I think I'm starting to understand how a Linux client can be
>>>>>>>> integrated into a samba domain.
>>>>>>>>
>>>>>>>> Tell me if I'm wrong:
>>>>>>>>
>>>>>>>> Linux clients don't need Samba for authentication, only the ldap
>>>>>>>> part of samba.
>>>>>>>> sssd, through kerberos, gets information from ldap. If the user is
>>>>>>>> known or has the right, he can log in.
>>>>>>>>
>>>>>>>> So why should I need to install winbind and samba4 on the linux
>>>>>>>> client? Is it only if I have a Windows AD?
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Cyril
>>>>>>>>
>>>>>>> I can't get sssd working and I don't know why.
>>>>>> Hi
>>>>>> Please post the censored content of:
>>>>>> /etc/sssd/sssd.conf
>>>>>> and the passwd and group greps of:
>>>>>> /etc/nsswitch.conf
>>>>>> and, for later:
>>>>>> /etc/pam.d/common-auth
>>>>>> Steve
>>>>>>
>>>>>>
>>>>> The workstation is an Ubuntu 12.04 LTS 64Bit
>>>>>
>>>>> /etc/sssd/sssd.conf :
>>>>>
>>>>> [sssd]
>>>>> services = nss, pam
>>>>> config_file_version = 2
>>>>> domains = default
>>>>>
>>>>> [nss]
>>>>>
>>>>> [pam]
>>>>>
>>>>> [domain/default]
>>>>> ad_hostname = myserver.sub-domain.domain.fr
>>>>> ad_server = myserver.sub-domain.domain.fr
>>>>> ad_domain = sub-domain.domain.fr
>>>>>
>>>>> ldap_schema = ad
>>>>> id_provider = ad
>>>>> access_provider = simple
>>>>>
>>>>> # on large directories, you may want to disable enumeration for performance reasons
>>>>> enumerate = true
>>>>>
>>>>> auth_provider = krb5
>>>>> chpass_provider = krb5
>>>>> ldap_sasl_mech = gssapi
>>>>> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>>>> krb5_server = myserver.sub-domain.domain.fr
>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>>>> ldap_krb5_init_creds = true
>>>>>
>>>>> ldap_referrals = false
>>>>> ldap_uri = ldap://myserverIPadress
>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>>>
>>>>> dyndns_update=false
>>>>>
>>>>> /etc/nsswitch.conf
>>>>>
>>>>> passwd:         compat sss
>>>>> group:          compat sss
>>>>> shadow:         compat
>>>>>
>>>>> hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>> networks:       files
>>>>>
>>>>> protocols:      db files
>>>>> services:       db files
>>>>> ethers:         db files
>>>>> rpc:            db files
>>>>>
>>>>> netgroup:       nis
>>>>> sudoers:        files sss
>>>>>
>>>>> /etc/pam.d/common-auth
>>>>>
>>>>>
>>>>> # here are the per-package modules (the "Primary" block)
>>>>> auth    [success=1 default=ignore]      pam_unix.so nullok_secure
>>>>> # here's the fallback if no module succeeds
>>>>> auth    requisite                       pam_deny.so
>>>>> # prime the stack with a positive return value if there isn't one already;
>>>>> # this avoids us returning an error just because nothing sets a success code
>>>>> # since the modules above will each just jump around
>>>>> auth    required                        pam_permit.so
>>>>> # and here are more per-package modules (the "Additional" block)
>>>>> auth    optional                        pam_cap.so
>>>>> # end of pam-auth-update config
>>>>>
>>>>>
>>>>>
>>>>> Cyril
>>>>>
>>>> As Steve says, might as well start with a new sssd.conf, here is a
>>>> working (sanitized) version from the laptop I am typing on ;-)
>>>>
>>>> [sssd]
>>>> config_file_version = 2
>>>> domains = default
>>>> services = nss, pam
>>>>
>>>> [nss]
>>>>
>>>> [pam]
>>>>
>>>> [domain/default]
>>>> description = AD domain with Samba 4 server
>>>> cache_credentials = true
>>>> enumerate = true
>>>> id_provider = ldap
>>>> auth_provider = krb5
>>>> chpass_provider = krb5
>>>> access_provider = ldap
>>>> autofs_provider = ldap
>>>> sudo_provider = ldap
>>>>
>>>> krb5_server = your.Samba4server.FQDN
>>>> krb5_kpasswd = your.Samba4server.FQDN
>>>> krb5_realm = UPPERCASE.REALM
>>>>
>>>> ldap_referrals = false
>>>> ldap_schema = rfc2307bis
>>>> ldap_access_order = expire
>>>> ldap_account_expire_policy = ad
>>>> ldap_force_upper_case_realm = true
>>>>
>>>> ldap_user_object_class = user
>>>> ldap_user_name = sAMAccountName
>>>> ldap_user_home_directory = unixHomeDirectory
>>>> ldap_user_principal = userPrincipalName
>>>>
>>>> ldap_group_object_class = group
>>>> ldap_group_name = sAMAccountName
>>>>
>>>> ldap_sasl_mech = GSSAPI
>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>>>> ldap_krb5_init_creds = true
>>>>
>>>> Rowland
>>> @Rowland
>>> Is the OP on sssd <= 1.9.x ?
>>> Steve
>>>
>>>
>>>
>> He posted earlier that he was using Ubuntu 12.04, so I suggested that he
>> use the sssd ppa. I believe that he is now using this ppa and if so, he
>> should be using 1.11.1
>>
>> Rowland
>>
> Yes that's what I did.
>
> But I think Steve would like to know the version on the laptop you're
> currently using.
>
Thanks for confirming that, but you are the 'OP' he referred to, OP =
original poster.

Rowland
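As an added illustration (not code from the thread or from the SSSD project), a small Python lint that checks an sssd.conf, the nsswitch passwd/group lines and a common-auth excerpt for the points the thread turns on: an uppercase krb5_realm, a machine-account style ldap_sasl_authid (HOST$@REALM, as in Rowland's working example), a bare IP in ldap_uri under GSSAPI, enumerate on a large directory, sss in nsswitch, and whether PAM has a pam_sss.so line at all. The sample inputs are constructed from Cyril's posted files, with the IP replaced by a documentation address.

```python
import configparser
import re

def lint_sssd(conf_text, nsswitch_text, pam_auth_text):
    """Return a list of findings; an empty list means nothing looked off."""
    cp = configparser.ConfigParser(interpolation=None)  # '$' in authid is literal
    cp.read_string(conf_text)
    findings = []
    for name in cp["sssd"].get("domains", "").split(","):
        name = name.strip()
        sect = cp[f"domain/{name}"]
        realm = sect.get("krb5_realm", "")
        if realm and realm != realm.upper():
            findings.append(f"{name}: krb5_realm must be the UPPERCASE Kerberos realm")
        if sect.get("ldap_sasl_mech", "").upper() == "GSSAPI":
            authid = sect.get("ldap_sasl_authid", "")
            # Rowland's working config binds as the machine account: CLIENT$@REALM
            if realm and authid and not re.fullmatch(r"[^@$]+\$@" + re.escape(realm), authid):
                findings.append(f"{name}: ldap_sasl_authid '{authid}' is not HOST$@{realm}")
            if re.match(r"ldaps?://\d+\.\d+\.\d+\.\d+", sect.get("ldap_uri", "")):
                findings.append(f"{name}: ldap_uri is a bare IP; use the server FQDN so "
                                "GSSAPI can get a ticket for its ldap/FQDN principal")
        if sect.getboolean("enumerate", fallback=False):
            findings.append(f"{name}: enumerate = true is costly on large directories")
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", nsswitch_text, re.M)
        if not m or "sss" not in m.group(1).split():
            findings.append(f"nsswitch.conf: '{db}' line does not list sss")
    if "pam_sss.so" not in pam_auth_text:
        findings.append("common-auth: no pam_sss.so line, so PAM never asks SSSD to authenticate")
    return findings

# Constructed excerpt of the files Cyril posted (documentation IP 192.0.2.10 stands in).
POSTED_CONF = """[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[domain/default]
id_provider = ad
ldap_schema = ad
enumerate = true
auth_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
krb5_realm = SUBDOMAIN.DOMAIN.FR
krb5_server = myserver.sub-domain.domain.fr
ldap_uri = ldap://192.0.2.10
"""
POSTED_NSSWITCH = "passwd:  compat sss\ngroup:   compat sss\nshadow:  compat\n"
POSTED_PAM_AUTH = "auth [success=1 default=ignore] pam_unix.so nullok_secure\nauth requisite pam_deny.so\n"
FINDINGS = lint_sssd(POSTED_CONF, POSTED_NSSWITCH, POSTED_PAM_AUTH)
```

Running it on the posted files yields four findings; the same lint returns an empty list once the authid, ldap_uri, enumerate and PAM lines are brought in line with Rowland's sample.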

