[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril Lalinne cyril.lalinne at 3d-com.fr
Thu Dec 19 10:00:26 MST 2013


On 19/12/2013 17:53, Rowland Penny wrote:
> On 19/12/13 16:46, Cyril wrote:
>> On 19/12/2013 17:42, Rowland Penny wrote:
>>> On 19/12/13 16:22, steve wrote:
>>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>>>>> On 19/12/13 15:53, Cyril wrote:
>>>>>> On 19/12/2013 16:05, steve wrote:
>>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>>>> On 18/12/2013 15:40, Cyril wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I think I'm starting to understand how a Linux client can be
>>>>>>>>> integrated into a samba domain.
>>>>>>>>>
>>>>>>>>> Tell me if I'm wrong:
>>>>>>>>>
>>>>>>>>> Linux clients don't need Samba for authentication, only the LDAP
>>>>>>>>> part of Samba.
>>>>>>>>> sssd through Kerberos gets information from LDAP. If the user is
>>>>>>>>> known or has the right, he can log in.
>>>>>>>>>
>>>>>>>>> So why should I need to install winbind and samba4 on the Linux
>>>>>>>>> client? Is it only if I have a Windows AD?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> Cyril
>>>>>>>>>
>>>>>>>> I can't get sssd working and I don't know why.
>>>>>>> Hi
>>>>>>> Please post the censored content of:
>>>>>>> /etc/sssd/sssd.conf
>>>>>>> and the passwd and group greps of:
>>>>>>> /etc/nsswitch.conf
>>>>>>> and, for later:
>>>>>>> /etc/pam.d/common-auth
>>>>>>> Steve
>>>>>>>
>>>>>>>
>>>>>> The workstation is an Ubuntu 12.04 LTS 64-bit
>>>>>>
>>>>>> /etc/sssd/sssd.conf :
>>>>>>
>>>>>> [sssd]
>>>>>> services = nss, pam
>>>>>> config_file_version = 2
>>>>>> domains = default
>>>>>>
>>>>>> [nss]
>>>>>>
>>>>>> [pam]
>>>>>>
>>>>>> [domain/default]
>>>>>> ad_hostname = myserver.sub-domain.domain.fr
>>>>>> ad_server = myserver.sub-domain.domain.fr
>>>>>> ad_domain = sub-domain.domain.fr
>>>>>>
>>>>>> ldap_schema = ad
>>>>>> id_provider = ad
>>>>>> access_provider = simple
>>>>>>
>>>>>> # on large directories, you may want to disable enumeration for
>>>>>> performance reasons
>>>>>> enumerate = true
>>>>>>
>>>>>> auth_provider = krb5
>>>>>> chpass_provider = krb5
>>>>>> ldap_sasl_mech = gssapi
>>>>>> ldap_sasl_authid = myserver at SUBDOMAIN.DOMAIN.FR
>>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>>>>> krb5_server = myserver.sub-domain.domain.fr
>>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>>>>> ldap_krb5_init_creds = true
>>>>>>
>>>>>> ldap_referrals = false
>>>>>> ldap_uri = ldap://myserverIPadress
>>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>>>>
>>>>>> dyndns_update=false
>>>>>>
>>>>>> /etc/nsswitch.conf
>>>>>>
>>>>>> passwd:         compat sss
>>>>>> group:          compat sss
>>>>>> shadow:         compat
>>>>>>
>>>>>> hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>>> networks:       files
>>>>>>
>>>>>> protocols:      db files
>>>>>> services:       db files
>>>>>> ethers:         db files
>>>>>> rpc:            db files
>>>>>>
>>>>>> netgroup:       nis
>>>>>> sudoers:        files sss
>>>>>>
>>>>>> /etc/pam.d/common-auth
>>>>>>
>>>>>>
>>>>>> # here are the per-package modules (the "Primary" block)
>>>>>> auth    [success=1 default=ignore]      pam_unix.so nullok_secure
>>>>>> # here's the fallback if no module succeeds
>>>>>> auth    requisite                       pam_deny.so
>>>>>> # prime the stack with a positive return value if there isn't one
>>>>>> already;
>>>>>> # this avoids us returning an error just because nothing sets a
>>>>>> success code
>>>>>> # since the modules above will each just jump around
>>>>>> auth    required                        pam_permit.so
>>>>>> # and here are more per-package modules (the "Additional" block)
>>>>>> auth    optional                        pam_cap.so
>>>>>> # end of pam-auth-update config
>>>>>>
>>>>>>
>>>>>>
>>>>>> Cyril
>>>>>>
>>>>> As Steve says, might as well start with a new sssd.conf, here is a
>>>>> working (sanitized) version from the laptop I am typing on ;-)
>>>>>
>>>>> [sssd]
>>>>> config_file_version = 2
>>>>> domains = default
>>>>> services = nss, pam
>>>>>
>>>>> [nss]
>>>>>
>>>>> [pam]
>>>>>
>>>>> [domain/default]
>>>>> description = AD domain with Samba 4 server
>>>>> cache_credentials = true
>>>>> enumerate = true
>>>>> id_provider = ldap
>>>>> auth_provider = krb5
>>>>> chpass_provider = krb5
>>>>> access_provider = ldap
>>>>> autofs_provider = ldap
>>>>> sudo_provider = ldap
>>>>>
>>>>> krb5_server = your.Samba4server.FQDN
>>>>> krb5_kpasswd = your.Samba4server.FQDN
>>>>> krb5_realm = UPPERCASE.REALM
>>>>>
>>>>> ldap_referrals = false
>>>>> ldap_schema = rfc2307bis
>>>>> ldap_access_order = expire
>>>>> ldap_account_expire_policy = ad
>>>>> ldap_force_upper_case_realm = true
>>>>>
>>>>> ldap_user_object_class = user
>>>>> ldap_user_name = sAMAccountName
>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>> ldap_user_principal = userPrincipalName
>>>>>
>>>>> ldap_group_object_class = group
>>>>> ldap_group_name = sAMAccountName
>>>>>
>>>>> ldap_sasl_mech = GSSAPI
>>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>>>>> ldap_krb5_init_creds = true
>>>>>
>>>>> Rowland
>>>> @Rowland
>>>> Is the OP on sssd <= 1.9.x ?
>>>> Steve
>>>>
>>>>
>>>>
>>> He posted earlier that he was using Ubuntu 12.04, so I suggested
>>> that he use the sssd ppa. I believe that he is now using this ppa and
>>> if so, he should be using 1.11.1
>>>
>>> Rowland
>>>
>> Yes that's what I did.
>>
>> But I think Steve would like to know the version on the laptop you're
>> currently using.
>>
> Thanks for confirming that, but you are the 'OP' he referred to, OP =
> original poster
>
> Rowland

:-)

Cyril
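An added example, not part of this thread and not sssd's own tooling: a small Python linter that reads an sssd.conf, the passwd/group lines of nsswitch.conf and a PAM common-auth stack, and flags the points this thread turns on. It checks that krb5_realm is uppercase, that ldap_sasl_authid has the CLIENT$@REALM machine-account form of the working config Rowland posted and that its realm matches krb5_realm, that ldap_uri names the server by FQDN rather than IP (a GSSAPI bind has to request an ldap/<fqdn> service ticket, which the client cannot build from a bare address), that nsswitch lists sss for passwd and group, and that common-auth actually contains pam_sss.so (without it every login is decided by pam_unix alone and sssd/Kerberos is never consulted, whatever sssd.conf says). The sample configurations are constructed: the posted sssd.conf with the archive's " at " restored to "@" and its IP placeholder replaced by a documentation address, a fixed variant shaped like Rowland's, and the posted common-auth beside the pam-auth-update form that includes pam_sss.so. Hostnames, the EXAMPLE.COM realm and the CLIENT$ name are placeholders.

```python
"""Lint sssd.conf, nsswitch.conf and PAM common-auth for the pitfalls
discussed in the thread. Added example; sample inputs are constructed."""
import configparser
import ipaddress
import re
from urllib.parse import urlparse

# Constructed: the posted sssd.conf, "@" restored, IP placeholder replaced
# by a documentation address (192.0.2.10).
SSSD_POSTED = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[domain/default]
id_provider = ad
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
krb5_realm = SUBDOMAIN.DOMAIN.FR
krb5_server = myserver.sub-domain.domain.fr
ldap_uri = ldap://192.0.2.10
ldap_search_base = dc=subdomain,dc=domain,dc=fr
"""
# Constructed: shaped like the working config in the thread, placeholder names.
SSSD_FIXED = """\
[sssd]
config_file_version = 2
domains = default
services = nss, pam
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_schema = rfc2307bis
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com
ldap_uri = ldap://dc1.example.com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = CLIENT$@EXAMPLE.COM
ldap_krb5_init_creds = true
"""
NSSWITCH_POSTED = "passwd: compat sss\ngroup: compat sss\nshadow: compat\n"
# Constructed: the posted common-auth (no pam_sss.so) ...
PAM_POSTED = """\
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""
# ... and the pam-auth-update form with sssd in the stack.
PAM_FIXED = """\
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

AUTHID_RE = re.compile(r"([A-Za-z0-9_-]+)\$@([A-Za-z0-9.-]+)")


def lint_sssd(text):
    """Return a list of findings for an sssd.conf given as text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "pam" not in services:
        findings.append("[sssd] services lacks 'pam': sssd is never asked to authenticate")
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in domains:
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            findings.append(f"domain '{dom}' is listed but [{sect}] is missing")
            continue
        d = cp[sect]
        realm = d.get("krb5_realm", "")
        if realm != realm.upper():  # Kerberos realm names are case-sensitive
            findings.append(f"[{sect}] krb5_realm '{realm}' is not uppercase")
        authid = d.get("ldap_sasl_authid", "")
        m = AUTHID_RE.fullmatch(authid)
        if authid and (m is None or m.group(1) != m.group(1).upper() or m.group(2) != realm):
            findings.append(f"[{sect}] ldap_sasl_authid '{authid}' is not the CLIENT$@REALM "
                            "machine-account form (realm must equal krb5_realm)")
        host = urlparse(d.get("ldap_uri", "")).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            pass  # a hostname (or no ldap_uri at all): fine for GSSAPI
        else:
            findings.append(f"[{sect}] ldap_uri uses IP {host}; a GSSAPI bind needs the "
                            "server FQDN to request the ldap/<fqdn> service ticket")
    return findings


def lint_nsswitch(text):
    """Check that passwd and group resolution consult sss."""
    findings = []
    for db in ("passwd", "group"):
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line.startswith(db + ":"):
                if "sss" not in line.split(":", 1)[1].split():
                    findings.append(f"nsswitch {db}: 'sss' is not listed")
                break
        else:
            findings.append(f"nsswitch {db}: no entry")
    return findings


def lint_pam_auth(text):
    """Check that some auth line in the stack calls pam_sss.so."""
    auth_lines = [l for l in text.splitlines() if l.split("#", 1)[0].strip().startswith("auth")]
    if not any("pam_sss.so" in l for l in auth_lines):
        return ["common-auth: no pam_sss.so line; passwords are checked by pam_unix only, "
                "sssd/Kerberos is never consulted"]
    return []


def lint_all(sssd_text, nsswitch_text, pam_text):
    return lint_sssd(sssd_text) + lint_nsswitch(nsswitch_text) + lint_pam_auth(pam_text)


if __name__ == "__main__":
    for finding in lint_all(SSSD_POSTED, NSSWITCH_POSTED, PAM_POSTED):
        print("-", finding)
```

Run against the posted trio it reports the authid form, the IP-based ldap_uri and the missing pam_sss.so; the fixed trio comes back clean. It is deliberately a text check only: it does not confirm that the keytab exists, that the realm resolves, or which sssd version is installed, which is the question Steve raised about the ad provider.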
