[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Rowland Penny rowlandpenny at googlemail.com
Thu Dec 19 11:11:02 MST 2013


On 19/12/13 18:00, Cyril wrote:
>> On 19/12/2013 18:16, steve wrote:
>> On Thu, 2013-12-19 at 18:00 +0100, Cyril Lalinne wrote:
>>> On 19/12/2013 17:53, Rowland Penny wrote:
>>>> On 19/12/13 16:46, Cyril wrote:
>>>>> On 19/12/2013 17:42, Rowland Penny wrote:
>>>>>> On 19/12/13 16:22, steve wrote:
>>>>>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>>>>>>>> On 19/12/13 15:53, Cyril wrote:
>>>>>>>>> On 19/12/2013 16:05, steve wrote:
>>>>>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>>>>>>> On 18/12/2013 15:40, Cyril wrote:
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> I think I'm starting to understand how a Linux client can be
>>>>>>>>>>>> integrated into a samba domain.
>>>>>>>>>>>>
>>>>>>>>>>>> Tell me if I'm wrong:
>>>>>>>>>>>>
>>>>>>>>>>>> Linux clients don't need Samba for authentication, only the ldap
>>>>>>>>>>>> part of samba.
>>>>>>>>>>>> sssd, through kerberos, gets information from ldap. If the user is
>>>>>>>>>>>> known or has the right, he can log in.
>>>>>>>>>>>>
>>>>>>>>>>>> So why should I need to install winbind and samba4 on the linux
>>>>>>>>>>>> client?
>>>>>>>>>>>> Is it only if I have a Windows AD?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks
>>>>>>>>>>>> Cyril
>>>>>>>>>>>>
>>>>>>>>>>> I can't get sssd working and I don't know why.
>>>>>>>>>> Hi
>>>>>>>>>> Please post the censored content of:
>>>>>>>>>> /etc/sssd/sssd.conf
>>>>>>>>>> and the passwd and group greps of:
>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>> and, for later:
>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>> Steve
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> The workstation is an Ubuntu 12.04 LTS 64-bit
>>>>>>>>>
>>>>>>>>> /etc/sssd/sssd.conf:
>>>>>>>>>
>>>>>>>>> [sssd]
>>>>>>>>> services = nss, pam
>>>>>>>>> config_file_version = 2
>>>>>>>>> domains = default
>>>>>>>>>
>>>>>>>>> [nss]
>>>>>>>>>
>>>>>>>>> [pam]
>>>>>>>>>
>>>>>>>>> [domain/default]
>>>>>>>>> ad_hostname = myserver.sub-domain.domain.fr
>>>>>>>>> ad_server = myserver.sub-domain.domain.fr
>>>>>>>>> ad_domain = sub-domain.domain.fr
>>>>>>>>>
>>>>>>>>> ldap_schema = ad
>>>>>>>>> id_provider = ad
>>>>>>>>> access_provider = simple
>>>>>>>>>
>>>>>>>>> # on large directories, you may want to disable enumeration for performance reasons
>>>>>>>>> enumerate = true
>>>>>>>>>
>>>>>>>>> auth_provider = krb5
>>>>>>>>> chpass_provider = krb5
>>>>>>>>> ldap_sasl_mech = gssapi
>>>>>>>>> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
>>>>>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>>>>>>>> krb5_server = myserver.sub-domain.domain.fr
>>>>>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>>>>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>
>>>>>>>>> ldap_referrals = false
>>>>>>>>> ldap_uri = ldap://myserverIPadress
>>>>>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>>>>>>>
>>>>>>>>> dyndns_update=false
>>>>>>>>>
>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>
>>>>>>>>> passwd:         compat sss
>>>>>>>>> group:          compat sss
>>>>>>>>> shadow:         compat
>>>>>>>>>
>>>>>>>>> hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>>>>>> networks:       files
>>>>>>>>>
>>>>>>>>> protocols:      db files
>>>>>>>>> services:       db files
>>>>>>>>> ethers:         db files
>>>>>>>>> rpc:            db files
>>>>>>>>>
>>>>>>>>> netgroup:       nis
>>>>>>>>> sudoers:        files sss
>>>>>>>>>
>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> # here are the per-package modules (the "Primary" block)
>>>>>>>>> auth    [success=1 default=ignore] pam_unix.so nullok_secure
>>>>>>>>> # here's the fallback if no module succeeds
>>>>>>>>> auth    requisite pam_deny.so
>>>>>>>>> # prime the stack with a positive return value if there isn't one already;
>>>>>>>>> # this avoids us returning an error just because nothing sets a success code
>>>>>>>>> # since the modules above will each just jump around
>>>>>>>>> auth    required pam_permit.so
>>>>>>>>> # and here are more per-package modules (the "Additional" block)
>>>>>>>>> auth    optional                        pam_cap.so
>>>>>>>>> # end of pam-auth-update config
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Cyril
>>>>>>>>>
>>>>>>>> As Steve says, might as well start with a new sssd.conf, here is a
>>>>>>>> working (sanitized) version from the laptop I am typing on ;-)
>>>>>>>>
>>>>>>>> [sssd]
>>>>>>>> config_file_version = 2
>>>>>>>> domains = default
>>>>>>>> services = nss, pam
>>>>>>>>
>>>>>>>> [nss]
>>>>>>>>
>>>>>>>> [pam]
>>>>>>>>
>>>>>>>> [domain/default]
>>>>>>>> description = AD domain with Samba 4 server
>>>>>>>> cache_credentials = true
>>>>>>>> enumerate = true
>>>>>>>> id_provider = ldap
>>>>>>>> auth_provider = krb5
>>>>>>>> chpass_provider = krb5
>>>>>>>> access_provider = ldap
>>>>>>>> autofs_provider = ldap
>>>>>>>> sudo_provider = ldap
>>>>>>>>
>>>>>>>> krb5_server = your.Samba4server.FQDN
>>>>>>>> krb5_kpasswd = your.Samba4server.FQDN
>>>>>>>> krb5_realm = UPPERCASE.REALM
>>>>>>>>
>>>>>>>> ldap_referrals = false
>>>>>>>> ldap_schema = rfc2307bis
>>>>>>>> ldap_access_order = expire
>>>>>>>> ldap_account_expire_policy = ad
>>>>>>>> ldap_force_upper_case_realm = true
>>>>>>>>
>>>>>>>> ldap_user_object_class = user
>>>>>>>> ldap_user_name = sAMAccountName
>>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>>> ldap_user_principal = userPrincipalName
>>>>>>>>
>>>>>>>> ldap_group_object_class = group
>>>>>>>> ldap_group_name = sAMAccountName
>>>>>>>>
>>>>>>>> ldap_sasl_mech = GSSAPI
>>>>>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>
>>>>>>>> Rowland
>>>>>>> @Rowland
>>>>>>> Is the OP on sssd <= 1.9.x ?
>>>>>>> Steve
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> He posted earlier that he was using Ubuntu 12.04, so I suggested that he
>>>>>> use the sssd ppa. I believe that he is now using this ppa and if so, he
>>>>>> should be using 1.11.1
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Yes that's what I did.
>>>>>
>>>>> But I think Steve would like to know the version on the laptop you're
>>>>> currently using.
>>>>>
>>>> Thanks for confirming that, but you are the 'OP' he referred to, OP =
>>>> original poster
>>>>
>>>> Rowland
>>>
>>> :-)
>>>
>>> Cyril
>>
>> OK. Glad we've got that one sorted.
>>
>> Just for completeness, here's a working 1.11.1 sssd.conf with all the ad
>> and autofs bits:
>> [sssd]
>> #debug_level = 9
>> services = nss, pam, autofs
>> config_file_version = 2
>> domains = default
>>
>> [nss]
>>
>> [pam]
>>
>> [autofs]
>>
>> [domain/default]
>> #debug_level = 9
>> dyndns_update=true
>> #dyndns_refresh_interval = 8
>> ad_hostname = catral.hh3.site
>> ad_server = hh16.hh3.site
>> ad_domain = hh3.site
>>
>> ldap_schema = ad
>> id_provider = ad
>> access_provider = ad
>> enumerate = false
>> cache_credentials = true
>> #entry_cache_timeout = 60
>> auth_provider = ad
>> chpass_provider = ad
>> krb5_realm = hh3.site
>> krb5_server = hh16.hh3.site
>> krb5_kpasswd = hh16.hh3.site
>>
>> ldap_id_mapping=false
>> ldap_referrals = false
>> ldap_uri = ldap://hh16.hh3.site
>> ldap_search_base = dc=hh3,dc=site
>> ldap_user_object_class = user
>> ldap_user_name = samAccountName
>> ldap_user_uid_number = uidNumber
>> ldap_user_gid_number = gidNumber
>> ldap_user_home_directory = unixHomeDirectory
>> ldap_user_shell = loginShell
>> ldap_group_object_class = group
>> ldap_group_search_base = dc=hh3,dc=site
>> ldap_group_name = cn
>> ldap_group_member = member
>>
>> ldap_sasl_mech = gssapi
>> ldap_sasl_authid = CATRAL$@HH3.SITE
>> krb5_keytab = /etc/krb5.keytab
>> ldap_krb5_init_creds = true
>>
>> autofs_provider=ldap
>>
>> #ldap_autofs_search_base = CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
>> #ldap_autofs_map_object_class = nisMap
>> #ldap_autofs_entry_object_class = nisObject
>> #ldap_autofs_map_name = nisMapName
>> #ldap_autofs_entry_key = cn
>> #ldap_autofs_entry_value = nisMapEntry
>>
>> ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
>> ldap_autofs_map_object_class = automountMap
>> ldap_autofs_entry_object_class = automount
>> ldap_autofs_map_name = automountMapName
>> ldap_autofs_entry_key = automountKey
>> ldap_autofs_entry_value = automountInformation
>>
>>
>> Please note that we must canonicalise IPs. We must use a DNS-resolvable
>> name, NOT a series of numbers. I think.
>>
>> HTH
>> Steve
>>
>>
>
> I made two errors:
> ldap_sasl_authid: I forgot the $ sign
> ad_hostname: I used the server's name instead of the workstation's
>
> But it is still not working.
> But I have more information from sssd's log, as I use debug_level = 9.
>
> Maybe an interesting one:
> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0080): No suitable principal found in keytab
> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [ad_set_ad_id_options] (0x0040): Cannot set the SASL-related options
> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init] (0x0010): fatal error initializing data providers
>
> There's an issue with kerberos.
>
> Does the keytab have to be local?
> Or does the system use the server's one?
>
> Cyril
>
>
>
>
If you use samba, then, when you join the machine to the domain, a 
keytab '/etc/krb5.keytab' should be created; are you using this keytab?
If unsure, have a look here: 
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server

For 'Windows 2008 Server Setup' read 'Samba 4 Server Setup', and ignore the 
bit about creating a keytab on the windows server.

Rowland
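The three mistakes this thread converges on (ad_hostname pointing at the DC rather than the client, a machine account without its trailing '$' in ldap_sasl_authid, and a keytab that does not contain the principal SSSD is told to bind with) can be checked mechanically before restarting SSSD and reading "No suitable principal found in keytab" again. The following is an added example written for this page; it is not SSSD, Samba or either poster's code. The hostnames, realm, config text and keytab listing are constructed, and the listing follows the layout of MIT `klist -k` output.

```python
"""Check the GSSAPI bind settings of an sssd.conf [domain/...] section
against the principals actually present in the client's keytab.
Added example for this thread, not SSSD or Samba code; all names below
are constructed."""
import configparser
import re

# Constructed: a client config repeating the mistakes discussed in the thread
# (ad_hostname set to the DC, no '$' in ldap_sasl_authid, keytab path that
# does not match the keytab the domain join created).
BROKEN_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
ad_hostname = dc1.corp.example.test
ad_server = dc1.corp.example.test
ad_domain = corp.example.test
id_provider = ad
auth_provider = krb5
krb5_realm = CORP.EXAMPLE.TEST
ldap_sasl_mech = gssapi
ldap_sasl_authid = ws01@CORP.EXAMPLE.TEST
ldap_krb5_keytab = /etc/krb5.sssd.keytab
"""

# Constructed: the same section after the corrections the thread arrives at.
FIXED_SSSD_CONF = BROKEN_SSSD_CONF.replace(
    "ad_hostname = dc1.corp.example.test", "ad_hostname = ws01.corp.example.test"
).replace(
    "ldap_sasl_authid = ws01@CORP.EXAMPLE.TEST", "ldap_sasl_authid = WS01$@CORP.EXAMPLE.TEST"
).replace(
    "ldap_krb5_keytab = /etc/krb5.sssd.keytab", "ldap_krb5_keytab = /etc/krb5.keytab"
)

# Constructed: what `klist -k /etc/krb5.keytab` typically shows on a
# workstation after the domain join (MIT klist layout).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ws01.corp.example.test@CORP.EXAMPLE.TEST
   2 host/WS01@CORP.EXAMPLE.TEST
   2 WS01$@CORP.EXAMPLE.TEST
"""


def parse_klist(text):
    """Return (keytab_path, set_of_principals) from `klist -k` output."""
    path = None
    principals = set()
    for line in text.splitlines():
        m = re.match(r"Keytab name:\s*(?:FILE:)?(\S+)", line)
        if m:
            path = m.group(1)
            continue
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)$", line)
        if m:
            principals.add(m.group(2))
    return path, principals


def check_gssapi_bind(conf_text, klist_text, domain="default"):
    """Return a list of findings; an empty list means the bind settings are
    consistent with the keytab.  Each check maps to a symptom from the thread."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["domain/%s" % domain]
    findings = []

    keytab_path, principals = parse_klist(klist_text)
    # ldap_krb5_keytab is the keytab the LDAP/AD provider binds with;
    # fall back to krb5_keytab, then to the system default.
    configured = sec.get("ldap_krb5_keytab", sec.get("krb5_keytab", "/etc/krb5.keytab"))
    if configured != keytab_path:
        findings.append("keytab mismatch: sssd.conf uses %s but the listed keytab is %s"
                        % (configured, keytab_path))

    ad_hostname, ad_server = sec.get("ad_hostname"), sec.get("ad_server")
    if ad_hostname and ad_server and ad_hostname.lower() == ad_server.lower():
        findings.append("ad_hostname equals ad_server: it must be this client's FQDN, not the DC's")

    authid = sec.get("ldap_sasl_authid")
    realm = sec.get("krb5_realm", "")
    if authid:
        name, _, authid_realm = authid.partition("@")
        if not name.endswith("$"):
            findings.append("ldap_sasl_authid %r lacks the '$' of a machine account" % authid)
        if authid_realm != realm.upper():
            findings.append("ldap_sasl_authid realm %r does not match krb5_realm %r"
                            % (authid_realm, realm))
        if authid not in principals:
            findings.append("ldap_sasl_authid %r is not in the keytab; SSSD will report "
                            "'No suitable principal found in keytab'" % authid)
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_SSSD_CONF), ("fixed", FIXED_SSSD_CONF)):
        print(label, check_gssapi_bind(conf, KLIST_OUTPUT) or "OK")
```

On a real client, feed the function the text of /etc/sssd/sssd.conf and the output of `klist -k /etc/krb5.keytab` (run as root, since the keytab is not world-readable). When ldap_sasl_authid is left unset, the AD provider picks a principal from the keytab itself, which is what the "trying to select the most appropriate principal from keytab" log line shows; the check above only covers the explicit setting, and a keytab that cannot be opened at all will show up earlier as the krb5_kt_start_seq_get failure in the thread.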

