[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Rowland Penny rowlandpenny at googlemail.com
Fri Dec 20 03:06:48 MST 2013


On 20/12/13 09:53, Cyril Lalinne wrote:
>
> On 20/12/2013 10:44, Rowland Penny wrote:
>> On 20/12/13 09:37, Cyril wrote:
>>> On 19/12/2013 19:16, steve wrote:
>>>> On Thu, 2013-12-19 at 18:11 +0000, Rowland Penny wrote:
>>>>> On 19/12/13 18:00, Cyril wrote:
>>>>>> On 19/12/2013 18:16, steve wrote:
>>>>>>> On Thu, 2013-12-19 at 18:00 +0100, Cyril Lalinne wrote:
>>>>>>>> On 19/12/2013 17:53, Rowland Penny wrote:
>>>>>>>>> On 19/12/13 16:46, Cyril wrote:
>>>>>>>>>> On 19/12/2013 17:42, Rowland Penny wrote:
>>>>>>>>>>> On 19/12/13 16:22, steve wrote:
>>>>>>>>>>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>>>>>>>>>>>>> On 19/12/13 15:53, Cyril wrote:
>>>>>>>>>>>>>> On 19/12/2013 16:05, steve wrote:
>>>>>>>>>>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>>>>>>>>>>>> On 18/12/2013 15:40, Cyril wrote:
>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I think I'm starting to understand how a Linux client
>>>>>>>>>>>>>>>>> can be integrated into a samba domain.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Tell me if I'm wrong:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Linux clients don't need Samba for authentication,
>>>>>>>>>>>>>>>>> only the ldap part of samba.
>>>>>>>>>>>>>>>>> sssd, through kerberos, gets information from ldap. If the
>>>>>>>>>>>>>>>>> user is known or has the right, he can log in.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> So why should I need to install winbind and samba4 on the
>>>>>>>>>>>>>>>>> linux client?
>>>>>>>>>>>>>>>>> Is it only if I have a Windows AD?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I can't get sssd working and I don't know why.
>>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>> Please post the censored content of:
>>>>>>>>>>>>>>> /etc/sssd/sssd.conf
>>>>>>>>>>>>>>> and the passwd and group greps of:
>>>>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>>>> and, for later:
>>>>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The workstation is an Ubuntu 12.04 LTS 64-bit
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> /etc/sssd/sssd.conf:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [sssd]
>>>>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>>>>> domains = default
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [nss]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [pam]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [domain/default]
>>>>>>>>>>>>>> ad_hostname = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>> ad_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>> ad_domain = sub-domain.domain.fr
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ldap_schema = ad
>>>>>>>>>>>>>> id_provider = ad
>>>>>>>>>>>>>> access_provider = simple
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # on large directories, you may want to disable enumeration for performance reasons
>>>>>>>>>>>>>> enumerate = true
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>>>>> ldap_sasl_mech = gssapi
>>>>>>>>>>>>>> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>>> krb5_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>>>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>>>>> ldap_uri = ldap://myserverIPadress
>>>>>>>>>>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> dyndns_update=false
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> passwd:         compat sss
>>>>>>>>>>>>>> group:          compat sss
>>>>>>>>>>>>>> shadow:         compat
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>>>>>>>>>>> networks:       files
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> protocols:      db files
>>>>>>>>>>>>>> services:       db files
>>>>>>>>>>>>>> ethers:         db files
>>>>>>>>>>>>>> rpc:            db files
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> netgroup:       nis
>>>>>>>>>>>>>> sudoers:        files sss
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # here are the per-package modules (the "Primary" block)
>>>>>>>>>>>>>> auth    [success=1 default=ignore] pam_unix.so nullok_secure
>>>>>>>>>>>>>> # here's the fallback if no module succeeds
>>>>>>>>>>>>>> auth    requisite pam_deny.so
>>>>>>>>>>>>>> # prime the stack with a positive return value if there isn't one already;
>>>>>>>>>>>>>> # this avoids us returning an error just because nothing sets a success code
>>>>>>>>>>>>>> # since the modules above will each just jump around
>>>>>>>>>>>>>> auth    required pam_permit.so
>>>>>>>>>>>>>> # and here are more per-package modules (the "Additional" block)
>>>>>>>>>>>>>> auth    optional pam_cap.so
>>>>>>>>>>>>>> # end of pam-auth-update config
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>>
>>>>>>>>>>>>> As Steve says, might as well start with a new sssd.conf, here is a
>>>>>>>>>>>>> working (sanitized) version from the laptop I am typing on ;-)
>>>>>>>>>>>>>
>>>>>>>>>>>>> [sssd]
>>>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>>>> domains = default
>>>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>>>
>>>>>>>>>>>>> [nss]
>>>>>>>>>>>>>
>>>>>>>>>>>>> [pam]
>>>>>>>>>>>>>
>>>>>>>>>>>>> [domain/default]
>>>>>>>>>>>>> description = AD domain with Samba 4 server
>>>>>>>>>>>>> cache_credentials = true
>>>>>>>>>>>>> enumerate = true
>>>>>>>>>>>>> id_provider = ldap
>>>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>>>> access_provider = ldap
>>>>>>>>>>>>> autofs_provider = ldap
>>>>>>>>>>>>> sudo_provider = ldap
>>>>>>>>>>>>>
>>>>>>>>>>>>> krb5_server = your.Samba4server.FQDN
>>>>>>>>>>>>> krb5_kpasswd = your.Samba4server.FQDN
>>>>>>>>>>>>> krb5_realm = UPPERCASE.REALM
>>>>>>>>>>>>>
>>>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>>>> ldap_schema = rfc2307bis
>>>>>>>>>>>>> ldap_access_order = expire
>>>>>>>>>>>>> ldap_account_expire_policy = ad
>>>>>>>>>>>>> ldap_force_upper_case_realm = true
>>>>>>>>>>>>>
>>>>>>>>>>>>> ldap_user_object_class = user
>>>>>>>>>>>>> ldap_user_name = sAMAccountName
>>>>>>>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>>>>>>>> ldap_user_principal = userPrincipalName
>>>>>>>>>>>>>
>>>>>>>>>>>>> ldap_group_object_class = group
>>>>>>>>>>>>> ldap_group_name = sAMAccountName
>>>>>>>>>>>>>
>>>>>>>>>>>>> ldap_sasl_mech = GSSAPI
>>>>>>>>>>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>>>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>> @Rowland
>>>>>>>>>>>> Is the OP on sssd <= 1.9.x ?
>>>>>>>>>>>> Steve
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> He posted earlier that he was using Ubuntu 12.04, so I suggested
>>>>>>>>>>> that he use the sssd ppa. I believe that he is now using this ppa
>>>>>>>>>>> and if so, he should be using 1.11.1
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>> Yes that's what I did.
>>>>>>>>>>
>>>>>>>>>> But I think Steve would like to know the version on the laptop
>>>>>>>>>> you're currently using.
>>>>>>>>>>
>>>>>>>>> Thanks for confirming that, but you are the 'OP' he referred to,
>>>>>>>>> OP = original poster
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>
>>>>>>>> :-)
>>>>>>>>
>>>>>>>> Cyril
>>>>>>>
>>>>>>> OK. Glad we've got that one sorted.
>>>>>>>
>>>>>>> Just for completeness, here's a working 1.11.1 sssd.conf with all the ad
>>>>>>> and autofs bits:
>>>>>>>
>>>>>>> [sssd]
>>>>>>> #debug_level = 9
>>>>>>> services = nss, pam, autofs
>>>>>>> config_file_version = 2
>>>>>>> domains = default
>>>>>>>
>>>>>>> [nss]
>>>>>>>
>>>>>>> [pam]
>>>>>>>
>>>>>>> [autofs]
>>>>>>>
>>>>>>> [domain/default]
>>>>>>> #debug_level = 9
>>>>>>> dyndns_update=true
>>>>>>> #dyndns_refresh_interval = 8
>>>>>>> ad_hostname = catral.hh3.site
>>>>>>> ad_server = hh16.hh3.site
>>>>>>> ad_domain = hh3.site
>>>>>>>
>>>>>>> ldap_schema = ad
>>>>>>> id_provider = ad
>>>>>>> access_provider = ad
>>>>>>> enumerate = false
>>>>>>> cache_credentials = true
>>>>>>> #entry_cache_timeout = 60
>>>>>>> auth_provider = ad
>>>>>>> chpass_provider = ad
>>>>>>> krb5_realm = hh3.site
>>>>>>> krb5_server = hh16.hh3.site
>>>>>>> krb5_kpasswd = hh16.hh3.site
>>>>>>>
>>>>>>> ldap_id_mapping=false
>>>>>>> ldap_referrals = false
>>>>>>> ldap_uri = ldap://hh16.hh3.site
>>>>>>> ldap_search_base = dc=hh3,dc=site
>>>>>>> ldap_user_object_class = user
>>>>>>> ldap_user_name = samAccountName
>>>>>>> ldap_user_uid_number = uidNumber
>>>>>>> ldap_user_gid_number = gidNumber
>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>> ldap_user_shell = loginShell
>>>>>>> ldap_group_object_class = group
>>>>>>> ldap_group_search_base = dc=hh3,dc=site
>>>>>>> ldap_group_name = cn
>>>>>>> ldap_group_member = member
>>>>>>>
>>>>>>> ldap_sasl_mech = gssapi
>>>>>>> ldap_sasl_authid = CATRAL$@HH3.SITE
>>>>>>> krb5_keytab = /etc/krb5.keytab
>>>>>>> ldap_krb5_init_creds = true
>>>>>>>
>>>>>>> autofs_provider=ldap
>>>>>>>
>>>>>>> #ldap_autofs_search_base = CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
>>>>>>> #ldap_autofs_map_object_class = nisMap
>>>>>>> #ldap_autofs_entry_object_class = nisObject
>>>>>>> #ldap_autofs_map_name = nisMapName
>>>>>>> #ldap_autofs_entry_key = cn
>>>>>>> #ldap_autofs_entry_value = nisMapEntry
>>>>>>>
>>>>>>> ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
>>>>>>> ldap_autofs_map_object_class = automountMap
>>>>>>> ldap_autofs_entry_object_class = automount
>>>>>>> ldap_autofs_map_name = automountMapName
>>>>>>> ldap_autofs_entry_key = automountKey
>>>>>>> ldap_autofs_entry_value = automountInformation
>>>>>>>
>>>>>>>
>>>>>>> Please note that we must canonicalise IPs. We must use a DNS resolvable
>>>>>>> name, NOT a series of numbers. I think.
>>>>>>>
>>>>>>> HTH
>>>>>>> Steve
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> I made an error on:
>>>>>> ldap_sasl_authid, I forgot the $ sign
>>>>>> ad_hostname, I used the server name instead of the workstation's
>>>>>>
>>>>>> But it is still not working.
>>>>>> But I have more information from sssd's log as I use debug_level = 9.
>>>>>>
>>>>>> Maybe an interesting one:
>>>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
>>>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]][select_principal_from_keytab] (0x0080): No suitable principal found in keytab
>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init] (0x0010): fatal error initializing data providers
>>>>>>
>>>>>> There's an issue with kerberos.
>>>>>>
>>>>>> Does the keytab have to be local?
>>>>>> Or does the system use the server one?
>>>>>>
>>>>>> Cyril
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> If you use samba, then, when you join the machine to the domain, a
>>>>> keytab should be created '/etc/krb5.keytab', are you using this keytab?
>>>>
>>>> No. The OP is using a samba-tool generated keytab
>>>> at /etc/krb5.sssd.keytab
>>>>
>>>> For simplicity, could I suggest using the machine key that was generated
>>>> in /etc/krb5.conf when the client joined the domain? Where is this
>>>> anyway? On a DC or on a client box?
>>>>
>>>> If you generated the keytab on the DC then of course it must be
>>>> transferred to the client using e.g. scp or a usb memory.
>>>>
>>>> Steve
>>>>
>>>>
>>>>> If unsure, have a look here:
>>>>> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server 
>>>>>
>>>>>
>>>>> For 'Windows 2008 Server Setup' read 'Samba 4 Server Setup', ignore the
>>>>> bit about creating a keytab on the windows server.
>>>>>
>>>>> Rowland
>>>>
>>>>
>>> I copied the file /etc/krb5.sssd.keytab on the workstation.
>>>
>>> I had to reboot the workstation. Restarting the service sssd just hangs.
>>> And I still have the same error:
>>>
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [sdap_set_sasl_options](0x2000): authid contains realm [SUBDOMAIN.DOMAIN.FR]
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [sdap_set_sasl_options](0x0100): Will look for myserver$@SUBDOMAIN.DOMAIN.FR in default keytab
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]][select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]][find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]][select_principal_from_keytab] (0x0080): No suitable principal found in keytab
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [load_backend_module](0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [be_process_init](0x0010): fatal error initializing data providers
>>>
>>> If I run on the workstation:
>>> kinit administrator@SUBDOMAIN.DOMAIN.FR
>>> It asks me for the admin password, then I get the warning message about
>>> expiration.
>>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>>> It also asks me for a password, but the admin's doesn't work.
>>>
>>> Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR
>>> first, before generating the keytab on the DC?
>>>
>>> Cyril
>>>
>>>
>>>
>>>
>> What is actually in your keytab?
>>
>> Run ktutil on the client to find out:
>> sudo ktutil
>> ktutil:  rkt /etc/krb5.sssd.keytab
>> ktutil:  l
>>
>> and before you ask:
>>
>> ktutil:  l  <---- this is a lowercase L
>>
>> and then post the result here.
>>
>> Rowland
> Here is the result:
> ktutil:  rkt /etc/krb5.sssd.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1                    myserver$@SUBDOMAIN.DOMAIN.FR
>    2    1                    myserver$@SUBDOMAIN.DOMAIN.FR
>    3    1                    myserver$@SUBDOMAIN.DOMAIN.FR
>
> Cyril
Well, that looks ok, but how did you create the keytab? I seem to 
remember that you copied it across from the server, so who does it 
belong to and what are the permissions? I have samba running on my 
client and joined the machine to the domain and /etc/krb5.keytab was 
created, owned by root:root and rw only for root.

Looking at what you posted, it seems that it cannot find your principal 
in the default keytab, does this mean that it is looking for 
/etc/krb5.keytab?

Rowland
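A pre-flight check for the keytab question raised in this reply, as an added example script (not code from the thread, from Samba or from the SSSD project). It assumes that with id_provider = ad SSSD opens the keytab named by krb5_keytab, falling back to /etc/krb5.keytab, and does not consult ldap_krb5_keytab; the sssd.conf fragment and the ktutil listing it checks are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumption: with id_provider = ad,
# SSSD opens the keytab named by krb5_keytab (default /etc/krb5.keytab) and
# does not consult ldap_krb5_keytab; the keytab should be root:root, mode 600.

# Print the first value of key $2 in sssd.conf $1 (empty if unset).
sssd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print the keytab path the AD provider will actually open.
sssd_keytab_path() {
    kt=$(sssd_get "$1" krb5_keytab)
    [ -n "$kt" ] || kt=/etc/krb5.keytab
    printf '%s\n' "$kt"
}

# Succeed if keytab listing $1 (ktutil 'l' or klist -k output) names principal $2.
keytab_has_principal() {
    printf '%s\n' "$1" | grep -F -q -- "$2"
}

# Succeed if file $1 exists, is owned by $2 (default root) and is mode 600.
keytab_perms_ok() {
    [ -n "$(find "$1" -prune -user "${2:-root}" -perm 600 2>/dev/null)" ]
}

# Constructed sample config mirroring the layout posted in the thread.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[domain/default]
id_provider = ad
ldap_sasl_authid = myserver$@SUBDOMAIN.DOMAIN.FR
ldap_krb5_keytab = /etc/krb5.sssd.keytab
EOF

# Constructed ktutil listing in the format shown in the thread.
SAMPLE_LISTING='slot KVNO Principal
---- ---- ----------------------------------------------
   1    1                    myserver$@SUBDOMAIN.DOMAIN.FR'

authid=$(sssd_get "$SAMPLE_CONF" ldap_sasl_authid)
keytab=$(sssd_keytab_path "$SAMPLE_CONF")
echo "sssd will open $keytab for $authid (ldap_krb5_keytab is ignored by the AD provider)"
if keytab_has_principal "$SAMPLE_LISTING" "$authid"; then echo "principal found in listing"; fi
if ! keytab_perms_ok "$keytab"; then echo "WARNING: $keytab missing, not root-owned or not mode 600"; fi
rm -f "$SAMPLE_CONF"
```

On a real client, feed the output of klist -k or ktutil's l command for the path printed by sssd_keytab_path into keytab_has_principal instead of the sample listing.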

