[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril cyril.lalinne at 3d-com.fr
Fri Dec 20 02:37:16 MST 2013


On 19/12/2013 19:16, steve wrote:
> On Thu, 2013-12-19 at 18:11 +0000, Rowland Penny wrote:
>> On 19/12/13 18:00, Cyril wrote:
>>> On 19/12/2013 18:16, steve wrote:
>>>> On Thu, 2013-12-19 at 18:00 +0100, Cyril Lalinne wrote:
>>>>> On 19/12/2013 17:53, Rowland Penny wrote:
>>>>>> On 19/12/13 16:46, Cyril wrote:
>>>>>>> On 19/12/2013 17:42, Rowland Penny wrote:
>>>>>>>> On 19/12/13 16:22, steve wrote:
>>>>>>>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>>>>>>>>>> On 19/12/13 15:53, Cyril wrote:
>>>>>>>>>>> On 19/12/2013 16:05, steve wrote:
>>>>>>>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>>>>>>>>> On 18/12/2013 15:40, Cyril wrote:
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I think I'm starting to understand how a Linux client can be
>>>>>>>>>>>>>> integrated into a samba domain.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Tell me if I'm wrong:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Linux clients don't need Samba for authentication, only the
>>>>>>>>>>>>>> ldap part of samba.
>>>>>>>>>>>>>> sssd, through kerberos, gets information from ldap. If the
>>>>>>>>>>>>>> user is known or has the right, he can log in.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So why should I need to install winbind and samba4 on the
>>>>>>>>>>>>>> linux client?
>>>>>>>>>>>>>> Is it only if I have a Windows AD?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>>
>>>>>>>>>>>>> I can't get sssd working and I don't know why.
>>>>>>>>>>>> Hi
>>>>>>>>>>>> Please post the censored content of:
>>>>>>>>>>>> /etc/sssd/sssd.conf
>>>>>>>>>>>> and the passwd and group greps of:
>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>> and, for later:
>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>> Steve
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> The workstation is an Ubuntu 12.04 LTS 64Bit
>>>>>>>>>>>
>>>>>>>>>>> /etc/sssd/sssd.conf :
>>>>>>>>>>>
>>>>>>>>>>> [sssd]
>>>>>>>>>>> services = nss, pam
>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>> domains = default
>>>>>>>>>>>
>>>>>>>>>>> [nss]
>>>>>>>>>>>
>>>>>>>>>>> [pam]
>>>>>>>>>>>
>>>>>>>>>>> [domain/default]
>>>>>>>>>>> ad_hostname = myserver.sub-domain.domain.fr
>>>>>>>>>>> ad_server = myserver.sub-domain.domain.fr
>>>>>>>>>>> ad_domain = sub-domain.domain.fr
>>>>>>>>>>>
>>>>>>>>>>> ldap_schema = ad
>>>>>>>>>>> id_provider = ad
>>>>>>>>>>> access_provider = simple
>>>>>>>>>>>
>>>>>>>>>>> # on large directories, you may want to disable enumeration for
>>>>>>>>>>> performance reasons
>>>>>>>>>>> enumerate = true
>>>>>>>>>>>
>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>> ldap_sasl_mech = gssapi
>>>>>>>>>>> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>> krb5_server = myserver.sub-domain.domain.fr
>>>>>>>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>>>>>>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>
>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>> ldap_uri = ldap://myserverIPadress
>>>>>>>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>>>>>>>>>
>>>>>>>>>>> dyndns_update=false
>>>>>>>>>>>
>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>
>>>>>>>>>>> passwd:         compat sss
>>>>>>>>>>> group:          compat sss
>>>>>>>>>>> shadow:         compat
>>>>>>>>>>>
>>>>>>>>>>> hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>>>>>>>> networks:       files
>>>>>>>>>>>
>>>>>>>>>>> protocols:      db files
>>>>>>>>>>> services:       db files
>>>>>>>>>>> ethers:         db files
>>>>>>>>>>> rpc:            db files
>>>>>>>>>>>
>>>>>>>>>>> netgroup:       nis
>>>>>>>>>>> sudoers:        files sss
>>>>>>>>>>>
>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> # here are the per-package modules (the "Primary" block)
>>>>>>>>>>> auth    [success=1 default=ignore] pam_unix.so nullok_secure
>>>>>>>>>>> # here's the fallback if no module succeeds
>>>>>>>>>>> auth    requisite pam_deny.so
>>>>>>>>>>> # prime the stack with a positive return value if there isn't one
>>>>>>>>>>> already;
>>>>>>>>>>> # this avoids us returning an error just because nothing sets a
>>>>>>>>>>> success code
>>>>>>>>>>> # since the modules above will each just jump around
>>>>>>>>>>> auth    required pam_permit.so
>>>>>>>>>>> # and here are more per-package modules (the "Additional" block)
>>>>>>>>>>> auth    optional                        pam_cap.so
>>>>>>>>>>> # end of pam-auth-update config
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Cyril
>>>>>>>>>>>
>>>>>>>>>> As Steve says, might as well start with a new sssd.conf, here is a
>>>>>>>>>> working (sanitized) version from the laptop I am typing on ;-)
>>>>>>>>>>
>>>>>>>>>> [sssd]
>>>>>>>>>> config_file_version = 2
>>>>>>>>>> domains = default
>>>>>>>>>> services = nss, pam
>>>>>>>>>>
>>>>>>>>>> [nss]
>>>>>>>>>>
>>>>>>>>>> [pam]
>>>>>>>>>>
>>>>>>>>>> [domain/default]
>>>>>>>>>> description = AD domain with Samba 4 server
>>>>>>>>>> cache_credentials = true
>>>>>>>>>> enumerate = true
>>>>>>>>>> id_provider = ldap
>>>>>>>>>> auth_provider = krb5
>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>> access_provider = ldap
>>>>>>>>>> autofs_provider = ldap
>>>>>>>>>> sudo_provider = ldap
>>>>>>>>>>
>>>>>>>>>> krb5_server = your.Samba4server.FQDN
>>>>>>>>>> krb5_kpasswd = your.Samba4server.FQDN
>>>>>>>>>> krb5_realm = UPPERCASE.REALM
>>>>>>>>>>
>>>>>>>>>> ldap_referrals = false
>>>>>>>>>> ldap_schema = rfc2307bis
>>>>>>>>>> ldap_access_order = expire
>>>>>>>>>> ldap_account_expire_policy = ad
>>>>>>>>>> ldap_force_upper_case_realm = true
>>>>>>>>>>
>>>>>>>>>> ldap_user_object_class = user
>>>>>>>>>> ldap_user_name = sAMAccountName
>>>>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>>>>> ldap_user_principal = userPrincipalName
>>>>>>>>>>
>>>>>>>>>> ldap_group_object_class = group
>>>>>>>>>> ldap_group_name = sAMAccountName
>>>>>>>>>>
>>>>>>>>>> ldap_sasl_mech = GSSAPI
>>>>>>>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>> @Rowland
>>>>>>>>> Is the OP on sssd <= 1.9.x ?
>>>>>>>>> Steve
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> He posted earlier that he was using Ubuntu 12.04, so I suggested
>>>>>>>> that he use the sssd ppa. I believe that he is now using this ppa
>>>>>>>> and if so, he should be using 1.11.1
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>> Yes that's what I did.
>>>>>>>
>>>>>>> But I think Steve would like to know the version on the laptop you're
>>>>>>> currently using.
>>>>>>>
>>>>>> Thanks for confirming that, but you are the 'OP' he referred to, OP =
>>>>>> original poster
>>>>>>
>>>>>> Rowland
>>>>>
>>>>> :-)
>>>>>
>>>>> Cyril
>>>>
>>>> OK. Glad we've got that one sorted.
>>>>
>>>> Just for completeness, here's a working 1.11.1 sssd.conf with all the ad
>>>> and autofs bits:
>>>> [sssd]
>>>> #debug_level = 9
>>>> services = nss, pam, autofs
>>>> config_file_version = 2
>>>> domains = default
>>>>
>>>> [nss]
>>>>
>>>> [pam]
>>>>
>>>> [autofs]
>>>>
>>>> [domain/default]
>>>> #debug_level = 9
>>>> dyndns_update=true
>>>> #dyndns_refresh_interval = 8
>>>> ad_hostname = catral.hh3.site
>>>> ad_server = hh16.hh3.site
>>>> ad_domain = hh3.site
>>>>
>>>> ldap_schema = ad
>>>> id_provider = ad
>>>> access_provider = ad
>>>> enumerate = false
>>>> cache_credentials = true
>>>> #entry_cache_timeout = 60
>>>> auth_provider = ad
>>>> chpass_provider = ad
>>>> krb5_realm = hh3.site
>>>> krb5_server = hh16.hh3.site
>>>> krb5_kpasswd = hh16.hh3.site
>>>>
>>>> ldap_id_mapping=false
>>>> ldap_referrals = false
>>>> ldap_uri = ldap://hh16.hh3.site
>>>> ldap_search_base = dc=hh3,dc=site
>>>> ldap_user_object_class = user
>>>> ldap_user_name = samAccountName
>>>> ldap_user_uid_number = uidNumber
>>>> ldap_user_gid_number = gidNumber
>>>> ldap_user_home_directory = unixHomeDirectory
>>>> ldap_user_shell = loginShell
>>>> ldap_group_object_class = group
>>>> ldap_group_search_base = dc=hh3,dc=site
>>>> ldap_group_name = cn
>>>> ldap_group_member = member
>>>>
>>>> ldap_sasl_mech = gssapi
>>>> ldap_sasl_authid = CATRAL$@HH3.SITE
>>>> krb5_keytab = /etc/krb5.keytab
>>>> ldap_krb5_init_creds = true
>>>>
>>>> autofs_provider=ldap
>>>>
>>>> #ldap_autofs_search_base =
>>>> CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
>>>> #ldap_autofs_map_object_class = nisMap
>>>> #ldap_autofs_entry_object_class = nisObject
>>>> #ldap_autofs_map_name = nisMapName
>>>> #ldap_autofs_entry_key = cn
>>>> #ldap_autofs_entry_value = nisMapEntry
>>>>
>>>> ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
>>>> ldap_autofs_map_object_class = automountMap
>>>> ldap_autofs_entry_object_class = automount
>>>> ldap_autofs_map_name = automountMapName
>>>> ldap_autofs_entry_key = automountKey
>>>> ldap_autofs_entry_value = automountInformation
>>>>
>>>>
>>>> Please note that we must canonicalise IPs. We must use a DNS resolvable
>>>> name, NOT a series of numbers. I think.
>>>>
>>>> HTH
>>>> Steve
>>>>
>>>>
>>>
>>> I made errors on:
>>> ldap_sasl_authid, I forgot the $ sign
>>> ad_hostname, I used the server name instead of the workstation's
>>>
>>> But it is still not working.
>>> But I have more information from sssd's log as I use debug_level = 9.
>>>
>>> Maybe an interesting one:
>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]]
>>> select_principal_from_keytab] (0x0200): trying to select the most
>>> appropriate principal from keytab
>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]
>>> [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>> (Thu Dec 19 18:47:56 2013)
>>> [sssd[be[default]]][select_principal_from_keytab] (0x0080): No
>>> suitable principal found in keytab
>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]]
>>> [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module]
>>> (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init]
>>> (0x0010): fatal error initializing data providers
>>>
>>> There's an issue with kerberos.
>>>
>>> Does the keytab have to be local?
>>> Or does the system use the server's one?
>>>
>>> Cyril
>>>
>>>
>>>
>>>
>> If you use samba, then, when you join the machine to the domain, a
>> keytab should be created '/etc/krb5.keytab', are you using this keytab?
>
> No. The OP is using a samba-tool generated keytab
> at /etc/krb5.sssd.keytab
>
> For simplicity, could I suggest using the machine key that was generated
> in /etc/krb5.conf when the client joined the domain? Where is this
> anyway? On a DC or on a client box?
>
> If you generated the keytab on the DC then of course it must be
> transferred to the client using e.g. scp or a usb memory.
>
> Steve
>
>
>> If unsure, have a look here:
>> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
>>
>> For 'Windows 2008 Server Setup' read 'Samba 4 Server Setup', ignore the
>> bit about creating a keytab on the windows server.
>>
>> Rowland
>
>
I copied the file /etc/krb5.sssd.keytab onto the workstation.

I had to reboot the workstation; restarting the sssd service just hangs.
And I still have the same error:

(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
[sdap_set_sasl_options](0x2000): authid contains realm [SUBDOMAIN.DOMAIN.FR]
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
[sdap_set_sasl_options](0x0100): Will look for 
myserver$@SUBDOMAIN.DOMAIN.FR in default keytab
(Fri Dec 20 09:28:31 2013) 
[sssd[be[default]]][select_principal_from_keytab] (0x0200): trying to 
select the most appropriate principal from keytab
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]][find_principal_in_keytab] 
(0x0020): krb5_kt_start_seq_get failed.
(Fri Dec 20 09:28:31 2013) 
[sssd[be[default]]][select_principal_from_keytab] (0x0080): No suitable 
principal found in keytab
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
[ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
[load_backend_module](0x0010): Error (2) in module (ad) initialization 
(sssm_ad_id_init)!
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
[be_process_init](0x0010): fatal error initializing data providers

If I run on the workstation:
kinit administrator@SUBDOMAIN.DOMAIN.FR
It asks me for the admin password, then I get the warning message about
expiration.
kinit myserver$@SUBDOMAIN.DOMAIN.FR
It also asks me for a password, but the admin's one doesn't work.

Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR
first, before generating the keytab on the DC?

Cyril
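The "krb5_kt_start_seq_get failed" / "No suitable principal found in keytab" pair in the log above means sssd either could not open the keytab at all or opened it and found no entry whose principal string equals the configured ldap_sasl_authid. The script below is an added example, not code from this thread or from sssd: it parses an MIT-format (version 0x0502) keytab, lists its principals, and reports which of those two conditions applies. The sample keytab, the client account name CLIENT$, the host principal and the key bytes are constructed for the example; only the realm SUBDOMAIN.DOMAIN.FR and the authid myserver$@SUBDOMAIN.DOMAIN.FR are taken from the thread.

```python
"""Added example (not from the thread or sssd): read an MIT-format keytab and
check it for the principal named in ldap_sasl_authid.  Sample data is constructed;
only the realm and the authid myserver$@SUBDOMAIN.DOMAIN.FR come from the thread."""
import os
import struct
import tempfile

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 0x0502
NT_PRINCIPAL = 1             # name type used for ordinary principals
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(buf, pos):
    """Read a uint16-length-prefixed octet string starting at pos."""
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_entry(buf):
    """Decode one entry body (everything after its int32 size field)."""
    (ncomp,) = struct.unpack(">H", buf[:2])
    realm, pos = _counted(buf, 2)
    comps = []
    for _ in range(ncomp):
        comp, pos = _counted(buf, pos)
        comps.append(comp.decode())
    _name_type, timestamp, vno8 = struct.unpack(">IIB", buf[pos:pos + 9])
    enctype, klen = struct.unpack(">HH", buf[pos + 9:pos + 13])
    pos += 13 + klen             # skip the key material; only metadata is reported
    kvno = vno8
    if len(buf) - pos >= 4:      # optional 32-bit kvno trailer overrides vno8 when non-zero
        kvno = struct.unpack(">I", buf[pos:pos + 4])[0] or vno8
    return {"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
            "enctype": ENCTYPES.get(enctype, str(enctype)), "timestamp": timestamp}


def parse_keytab(data):
    """Return all live entries of a keytab blob; raise ValueError on bad magic."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack(">i", data[off:off + 4])
        off += 4
        if size < 0:             # negative size marks a deleted slot
            off += -size
            continue
        entries.append(parse_entry(data[off:off + size]))
        off += size
    return entries


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes.
    Used only to construct the sample below; real keytabs come from the DC."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in map(str.encode, [realm] + comps):   # realm first, then components
            body += struct.pack(">H", len(s)) + s
        body += struct.pack(">IIB", NT_PRINCIPAL, 1387525200, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def diagnose(path, authid):
    """Report, in the order sssd hits them, why authid may be unusable."""
    if not os.path.exists(path):
        return "missing: %s does not exist" % path
    try:
        with open(path, "rb") as f:
            entries = parse_keytab(f.read())
    except (OSError, ValueError) as err:
        return "unreadable or corrupt: %s" % err
    hits = [e for e in entries if e["principal"] == authid]   # exact, case-sensitive match
    if not hits:
        have = sorted({e["principal"] for e in entries})
        return "no suitable principal: %s not among %s" % (authid, have)
    return "ok: %s kvno=%d enctypes=%s" % (authid, hits[0]["kvno"],
                                          ",".join(e["enctype"] for e in hits))


def demo():
    """Write a constructed sample keytab and check a present and an absent authid."""
    sample = build_keytab([("CLIENT$@SUBDOMAIN.DOMAIN.FR", 2, 18, b"\x11" * 32),
                           ("CLIENT$@SUBDOMAIN.DOMAIN.FR", 2, 23, b"\x22" * 16),
                           ("host/client.sub-domain.domain.fr@SUBDOMAIN.DOMAIN.FR", 2, 18, b"\x33" * 32)])
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(sample)
        path = f.name
    try:
        return (diagnose(path, "CLIENT$@SUBDOMAIN.DOMAIN.FR"),
                diagnose(path, "myserver$@SUBDOMAIN.DOMAIN.FR"),
                diagnose(path + ".absent", "CLIENT$@SUBDOMAIN.DOMAIN.FR"))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real client, `klist -kte /etc/krb5.sssd.keytab` (run as root) shows the same principal list; the comparison sssd makes is byte-exact, so a missing `$`, a lowercase realm, or a keytab generated for the server's account rather than the workstation's all produce the same "No suitable principal" line, while a file sssd cannot open at all (wrong path, permissions) produces the krb5_kt_start_seq_get failure first.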





