[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril cyril.lalinne at 3d-com.fr
Thu Dec 19 11:00:42 MST 2013


On 19/12/2013 18:16, steve wrote:
> On Thu, 2013-12-19 at 18:00 +0100, Cyril Lalinne wrote:
>> On 19/12/2013 17:53, Rowland Penny wrote:
>>> On 19/12/13 16:46, Cyril wrote:
>>>> On 19/12/2013 17:42, Rowland Penny wrote:
>>>>> On 19/12/13 16:22, steve wrote:
>>>>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>>>>>>> On 19/12/13 15:53, Cyril wrote:
>>>>>>>> On 19/12/2013 16:05, steve wrote:
>>>>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>>>>>> On 18/12/2013 15:40, Cyril wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I think I'm starting to understand how Linux client can be
>>>>>>>>>>> integrated
>>>>>>>>>>> into a samba domain.
>>>>>>>>>>>
>>>>>>>>>>> Tell me if I'm wrong :
>>>>>>>>>>>
>>>>>>>>>>> Linux clients don't need Samba for authentication, only the ldap
>>>>>>>>>>> part of
>>>>>>>>>>> samba.
>>>>>>>>>>> sssd through kerberos get information from ldap. If the user is
>>>>>>>>>>> known or
>>>>>>>>>>> get the right, he can log.
>>>>>>>>>>>
>>>>>>>>>>> So why should I need to install winbind and samba4 on the linux
>>>>>>>>>>> client ?
>>>>>>>>>>> Is it only if I have a Windows AD ?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>> Cyril
>>>>>>>>>>>
>>>>>>>>>> I can't get sssd working and I don't know why.
>>>>>>>>> Hi
>>>>>>>>> Please post the censored content of:
>>>>>>>>> /etc/sssd/sssd.conf
>>>>>>>>> and the passwd and group greps of:
>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>> and, for later:
>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>> Steve
>>>>>>>>>
>>>>>>>>>
>>>>>>>> The workstation is an Ubuntu 12.04 LTS 64Bit
>>>>>>>>
>>>>>>>> /etc/sssd/sssd.conf :
>>>>>>>>
>>>>>>>> [sssd]
>>>>>>>> services = nss, pam
>>>>>>>> config_file_version = 2
>>>>>>>> domains = default
>>>>>>>>
>>>>>>>> [nss]
>>>>>>>>
>>>>>>>> [pam]
>>>>>>>>
>>>>>>>> [domain/default]
>>>>>>>> ad_hostname = myserver.sub-domain.domain.fr
>>>>>>>> ad_server = myserver.sub-domain.domain.fr
>>>>>>>> ad_domain = sub-domain.domain.fr
>>>>>>>>
>>>>>>>> ldap_schema = ad
>>>>>>>> id_provider = ad
>>>>>>>> access_provider = simple
>>>>>>>>
>>>>>>>> # on large directories, you may want to disable enumeration for
>>>>>>>> performance reasons
>>>>>>>> enumerate = true
>>>>>>>>
>>>>>>>> auth_provider = krb5
>>>>>>>> chpass_provider = krb5
>>>>>>>> ldap_sasl_mech = gssapi
>>>>>>>> ldap_sasl_authid = myserver at SUBDOMAIN.DOMAIN.FR
>>>>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>>>>>>> krb5_server = myserver.sub-domain.domain.fr
>>>>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>>>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>
>>>>>>>> ldap_referrals = false
>>>>>>>> ldap_uri = ldap://myserverIPadress
>>>>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>>>>>>
>>>>>>>> dyndns_update=false
>>>>>>>>
>>>>>>>> /etc/nsswitch.conf
>>>>>>>>
>>>>>>>> passwd:         compat sss
>>>>>>>> group:          compat sss
>>>>>>>> shadow:         compat
>>>>>>>>
>>>>>>>> hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>>>>> networks:       files
>>>>>>>>
>>>>>>>> protocols:      db files
>>>>>>>> services:       db files
>>>>>>>> ethers:         db files
>>>>>>>> rpc:            db files
>>>>>>>>
>>>>>>>> netgroup:       nis
>>>>>>>> sudoers:        files sss
>>>>>>>>
>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>
>>>>>>>>
>>>>>>>> # here are the per-package modules (the "Primary" block)
>>>>>>>> auth    [success=1 default=ignore]      pam_unix.so nullok_secure
>>>>>>>> # here's the fallback if no module succeeds
>>>>>>>> auth    requisite                       pam_deny.so
>>>>>>>> # prime the stack with a positive return value if there isn't one
>>>>>>>> already;
>>>>>>>> # this avoids us returning an error just because nothing sets a
>>>>>>>> success code
>>>>>>>> # since the modules above will each just jump around
>>>>>>>> auth    required                        pam_permit.so
>>>>>>>> # and here are more per-package modules (the "Additional" block)
>>>>>>>> auth    optional                        pam_cap.so
>>>>>>>> # end of pam-auth-update config
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Cyril
>>>>>>>>
>>>>>>> As Steve says, might as well start with a new sssd.conf, here is a
>>>>>>> working (sanitized) version from the laptop I am typing on ;-)
>>>>>>>
>>>>>>> [sssd]
>>>>>>> config_file_version = 2
>>>>>>> domains = default
>>>>>>> services = nss, pam
>>>>>>>
>>>>>>> [nss]
>>>>>>>
>>>>>>> [pam]
>>>>>>>
>>>>>>> [domain/default]
>>>>>>> description = AD domain with Samba 4 server
>>>>>>> cache_credentials = true
>>>>>>> enumerate = true
>>>>>>> id_provider = ldap
>>>>>>> auth_provider = krb5
>>>>>>> chpass_provider = krb5
>>>>>>> access_provider = ldap
>>>>>>> autofs_provider = ldap
>>>>>>> sudo_provider = ldap
>>>>>>>
>>>>>>> krb5_server = your.Samba4server.FQDN
>>>>>>> krb5_kpasswd = your.Samba4server.FQDN
>>>>>>> krb5_realm = UPPERCASE.REALM
>>>>>>>
>>>>>>> ldap_referrals = false
>>>>>>> ldap_schema = rfc2307bis
>>>>>>> ldap_access_order = expire
>>>>>>> ldap_account_expire_policy = ad
>>>>>>> ldap_force_upper_case_realm = true
>>>>>>>
>>>>>>> ldap_user_object_class = user
>>>>>>> ldap_user_name = sAMAccountName
>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>> ldap_user_principal = userPrincipalName
>>>>>>>
>>>>>>> ldap_group_object_class = group
>>>>>>> ldap_group_name = sAMAccountName
>>>>>>>
>>>>>>> ldap_sasl_mech = GSSAPI
>>>>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>>>>>>> ldap_krb5_init_creds = true
>>>>>>>
>>>>>>> Rowland
>>>>>> @Rowland
>>>>>> Is the OP on sssd <= 1.9.x ?
>>>>>> Steve
>>>>>>
>>>>>>
>>>>>>
>>>>> He posted earlier that he was using Ubuntu 12.04, so I suggested
>>>>> that he
>>>>> used the sssd ppa. I believe that he is now using this ppa and if
>>>>> so, he
>>>>> should be using 1.11.1
>>>>>
>>>>> Rowland
>>>>>
>>>> Yes that's what I did.
>>>>
>>>> But I think Steve would like to know the version on the laptop you're
>>>> currently using.
>>>>
>>> Thanks for confirming that, but you are the 'OP' he referred to, OP =
>>> original poster
>>>
>>> Rowland
>>
>> :-)
>>
>> Cyril
>
> OK. Glad we've got that one sorted.
>
> Just for completeness, here's a working 1.11.1 sssd.conf with all the ad
> and autofs bits:
>   [sssd]
> #debug_level = 9
> services = nss, pam, autofs
> config_file_version = 2
> domains = default
>
> [nss]
>
> [pam]
>
> [autofs]
>
> [domain/default]
> #debug_level = 9
> dyndns_update=true
> #dyndns_refresh_interval = 8
> ad_hostname = catral.hh3.site
> ad_server = hh16.hh3.site
> ad_domain = hh3.site
>
> ldap_schema = ad
> id_provider = ad
> access_provider = ad
> enumerate = false
> cache_credentials = true
> #entry_cache_timeout = 60
> auth_provider = ad
> chpass_provider = ad
> krb5_realm = hh3.site
> krb5_server = hh16.hh3.site
> krb5_kpasswd = hh16.hh3.site
>
> ldap_id_mapping=false
> ldap_referrals = false
> ldap_uri = ldap://hh16.hh3.site
> ldap_search_base = dc=hh3,dc=site
> ldap_user_object_class = user
> ldap_user_name = samAccountName
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_shell = loginShell
> ldap_group_object_class = group
> ldap_group_search_base = dc=hh3,dc=site
> ldap_group_name = cn
> ldap_group_member = member
>
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = CATRAL$@HH3.SITE
> krb5_keytab = /etc/krb5.keytab
> ldap_krb5_init_creds = true
>
> autofs_provider=ldap
>
> #ldap_autofs_search_base =
> CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
> #ldap_autofs_map_object_class = nisMap
> #ldap_autofs_entry_object_class = nisObject
> #ldap_autofs_map_name = nisMapName
> #ldap_autofs_entry_key = cn
> #ldap_autofs_entry_value = nisMapEntry
>
> ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
> ldap_autofs_map_object_class = automountMap
> ldap_autofs_entry_object_class = automount
> ldap_autofs_map_name = automountMapName
> ldap_autofs_entry_key = automountKey
> ldap_autofs_entry_value = automountInformation
>
>
> Please note that we must canonicalise IP's. We must use a DNS resolvable
> name, NOT a series of numbers. I think.
>
> HTH
> Steve
>
>

I made an error on:
ldap_sasl_authid, I forgot the $ sign
ad_hostname, I used the server name instead of the workstation's one

But it is still not working.
But I have more information from sssd's log as I use debug_level = 9.

Maybe an interesting one:
(Thu Dec 19 18:47:52 2013) [sssd[be[default]]] select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Thu Dec 19 18:47:52 2013) [sssd[be[default]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
(Thu Dec 19 18:47:56 2013) [sssd[be[default]]][select_principal_from_keytab] (0x0080): No suitable principal found in keytab
(Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
(Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
(Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init] (0x0010): fatal error initializing data providers

There's an issue with kerberos.

Does the keytab have to be local?
Or does the system use the server's one?

Cyril
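The log above shows sssd failing before it can even read the keytab named in ldap_krb5_keytab, and both working configs in the thread bind as the client's own machine account (UPPERCASE_CLIENTNAME$@UPPERCASE.REALM, CATRAL$@HH3.SITE), so the keytab has to be a file on the client that holds exactly that principal. The following is an added example, not code from this thread or from the sssd project: it parses an MIT version-2 keytab and checks an sssd.conf against it offline, the way one would check with klist -k, and write_keytab builds constructed test data with dummy keys; the file names and principals used are assumptions.

```python
import configparser, os, stat, struct

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format, version 2

def write_keytab(path, principals):
    """Write a minimal v2 keytab with a dummy aes256 key per principal (constructed test data only)."""
    entries = b""
    for name in principals:
        user, realm = name.rsplit("@", 1)
        body = struct.pack(">H", user.count("/") + 1)         # v2: component count excludes the realm
        for s in [realm] + user.split("/"):                    # realm first, then the name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", 1, 0, 1, 18, 4) + b"\0" * 4  # name type, time, vno, enctype, key
        entries += struct.pack(">i", len(body)) + body
    with open(path, "wb") as f:
        f.write(KEYTAB_MAGIC + entries)
    os.chmod(path, 0o600)                                      # sssd_be runs as root; nobody else needs it

def read_keytab_principals(path):
    """Return the principals stored in an MIT v2 keytab, as 'klist -k' would list them."""
    data = open(path, "rb").read()
    assert data[:2] == KEYTAB_MAGIC, "%s is not a version-2 MIT keytab" % path
    found, pos = [], 2
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack(">i", data[pos:pos + 4]), pos + 4
        if size < 0:                                           # negative size marks a deleted slot
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        parts, off = [], 2
        for _ in range(struct.unpack(">H", entry[:2])[0] + 1):
            n = struct.unpack(">H", entry[off:off + 2])[0]
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        found.append("/".join(parts[1:]) + "@" + parts[0])
    return found

def check_sssd_keytab(conf_path, domain="default"):
    """List what would stop sssd's GSSAPI bind: keytab missing, too open, or lacking ldap_sasl_authid."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(conf_path)
    sec = cfg["domain/" + domain]
    keytab = sec.get("ldap_krb5_keytab") or sec.get("krb5_keytab") or "/etc/krb5.keytab"
    if not os.path.isfile(keytab):                             # the case behind krb5_kt_start_seq_get failing
        return ["keytab %s is missing on this client" % keytab]
    problems = ["keytab %s is readable by group/other" % keytab] if stat.S_IMODE(os.stat(keytab).st_mode) & 0o077 else []
    found = read_keytab_principals(keytab)
    if sec.get("ldap_sasl_authid") not in found:
        problems.append("%s not in keytab, which holds: %s" % (sec.get("ldap_sasl_authid"), ", ".join(found)))
    return problems
```

Run check_sssd_keytab("/etc/sssd/sssd.conf") as root on the client; an empty list means the keytab exists, is root-only, and contains the ldap_sasl_authid principal.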