[Samba] Linux client of the domain - SSSD : authenticating via Kerberos
Cyril
cyril.lalinne at 3d-com.fr
Thu Dec 19 10:03:54 MST 2013
On 19/12/2013 17:13, steve wrote:
> On Thu, 2013-12-19 at 16:53 +0100, Cyril wrote:
>> On 19/12/2013 16:05, steve wrote:
>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>> On 18/12/2013 15:40, Cyril wrote:
>>>>> Hello,
>>>>>
>>>>> I think I'm starting to understand how a Linux client can be integrated
>>>>> into a samba domain.
>>>>>
>>>>> Tell me if I'm wrong:
>>>>>
>>>>> Linux clients don't need Samba for authentication, only the ldap part of
>>>>> samba.
>>>>> sssd gets information from ldap through kerberos. If the user is known or
>>>>> has the right, he can log in.
>>>>>
>>>>> So why should I need to install winbind and samba4 on the Linux client?
>>>>> Is it only if I have a Windows AD?
>>>>>
>>>>>
>>>>> Thanks
>>>>> Cyril
>>>>>
>>>>
>>>> I can't get sssd working and I don't know why.
>>>
>>> Hi
>>> Please post the censored content of:
>>> /etc/sssd/sssd.conf
>>> and the passwd and group greps of:
>>> /etc/nsswitch.conf
>>> and, for later:
>>> /etc/pam.d/common-auth
>>> Steve
>>>
>>>
>>
>> The workstation is an Ubuntu 12.04 LTS 64-bit
>>
>> /etc/sssd/sssd.conf:
>>
>> [sssd]
>> services = nss, pam
>> config_file_version = 2
>> domains = default
>>
>> [nss]
>>
>> [pam]
>>
>> [domain/default]
>> ad_hostname = myserver.sub-domain.domain.fr
>> ad_server = myserver.sub-domain.domain.fr
>> ad_domain = sub-domain.domain.fr
>>
>> ldap_schema = ad
>> id_provider = ad
>> access_provider = simple
>>
>> # on large directories, you may want to disable enumeration for performance reasons
>> enumerate = true
>>
>> auth_provider = krb5
>> chpass_provider = krb5
>> ldap_sasl_mech = gssapi
>> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>> krb5_server = myserver.sub-domain.domain.fr
>> krb5_kpasswd = myserver.sub-domain.domain.fr
>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>> ldap_krb5_init_creds = true
>> ldap_referrals = false
>> ldap_uri = ldap://myserverIPadress
>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>> dyndns_update=false
>
> Too much to correct. Could you compare with a working config and change
> as necessary? E.g.
> http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
>
The configuration file is very different.
I'm running sssd 1.11.0, I should be able to use the AD id_provider.
I'll have a try with ldap id_provider.
>>
>> /etc/nsswitch.conf
>>
>> passwd: compat sss
>> group: compat sss
>> shadow: compat
>>
> OK
>
>> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>> sudoers: files sss
>>
>> /etc/pam.d/common-auth
>>
>>
>> # here are the per-package modules (the "Primary" block)
>> auth [success=1 default=ignore] pam_unix.so nullok_secure
>> # here's the fallback if no module succeeds
>> auth requisite pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> auth required pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> auth optional pam_cap.so
>> # end of pam-auth-update config
>>
>
> Nope. We're gonna need to add sss here. But let's get connected first.
>
> Can you give us a:
> klist -ke /etc/krb5.sssd.keytab
> How did you create it?
>
> HTH
> Steve
>
>
Running klist -ke /etc/krb5.sssd.keytab on the server gives me:
Keytab name: FILE:/etc/krb5.sssd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 myserver$@SUBDOMAIN.DOMAIN.FR (des-cbc-crc)
1 myserver$@SUBDOMAIN.DOMAIN.FR (des-cbc-md5)
1 myserver$@SUBDOMAIN.DOMAIN.FR (arcfour-hmac)
Is the "$" normal?
I created this file by running:
# samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=myserver$
# chown root:root /etc/krb5.sssd.keytab
# chmod 600 /etc/krb5.sssd.keytab
Weird, this $ symbol at the end of the command, no?
I got this command from the wiki, here:
https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd#Method_1:_Connecting_to_AD_via_Kerberos_.28recommended.29
Cyril
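Added example, not code from the thread or from the Samba wiki: a small Python checker that parses the sssd.conf options and the `klist -ke` output quoted above (both embedded here as constructed copies) and reports whether ldap_sasl_authid names a principal that actually exists in the keytab, and whether the keytab carries only deprecated enctypes. The "$" is expected: in AD, computer accounts have principals of the form hostname$@REALM.

```python
import re

# Constructed from the thread: the SASL/Kerberos lines of the posted sssd.conf.
SSSD_CONF = """\
[domain/default]
ldap_sasl_mech = gssapi
ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
krb5_realm = SUBDOMAIN.DOMAIN.FR
ldap_krb5_keytab = /etc/krb5.sssd.keytab
"""

# Constructed copy of the posted `klist -ke` output (computer account ends in "$").
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.sssd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 myserver$@SUBDOMAIN.DOMAIN.FR (des-cbc-crc)
   1 myserver$@SUBDOMAIN.DOMAIN.FR (des-cbc-md5)
   1 myserver$@SUBDOMAIN.DOMAIN.FR (arcfour-hmac)
"""

# DES enctypes are deprecated by RFC 6649, RC4 (arcfour-hmac) by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")

def parse_sssd_conf(text):
    """Minimal key = value parser; enough for the options checked here."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#[":
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts

def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -ke` output."""
    return [(int(m[1]), m[2], m[3]) for m in map(KLIST_ENTRY.match, text.splitlines()) if m]

def check_keytab(conf_text, klist_text):
    """Return findings; an empty list means authid is in the keytab and no weak keys."""
    opts, entries, findings = parse_sssd_conf(conf_text), parse_klist(klist_text), []
    authid = opts.get("ldap_sasl_authid", "")
    if "@" not in authid:  # sssd appends krb5_realm when the authid has no realm
        authid = f"{authid}@{opts.get('krb5_realm', '')}"
    principals = {p for _, p, _ in entries}
    if authid not in principals:
        findings.append(f"ldap_sasl_authid {authid!r} not in keytab; keytab has {sorted(principals)}")
    findings += [f"weak enctype {e} for {p}" for _, p, e in entries if e in WEAK_ENCTYPES]
    if not any(e.startswith("aes") for _, _, e in entries):
        findings.append("no AES key in keytab")
    return findings
```

Run against the thread's values it reports the authid/keytab mismatch (myserver vs. myserver$), three weak enctypes and the absence of an AES key.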