[Samba] Linux client of the domain - SSSD : authenticating via Kerberos
Rowland Penny
rowlandpenny at googlemail.com
Fri Dec 20 03:13:56 MST 2013
On 20/12/13 09:53, Cyril Lalinne wrote:
>
> Le 20/12/2013 10:44, Rowland Penny a écrit :
>> On 20/12/13 09:37, Cyril wrote:
>>> Le 19/12/2013 19:16, steve a écrit :
>>>> On Thu, 2013-12-19 at 18:11 +0000, Rowland Penny wrote:
>>>>> On 19/12/13 18:00, Cyril wrote:
>>>>>> Le 19/12/2013 18:16, steve a écrit :
>>>>>>> On Thu, 2013-12-19 at 18:00 +0100, Cyril Lalinne wrote:
>>>>>>>> Le 19/12/2013 17:53, Rowland Penny a écrit :
>>>>>>>>> On 19/12/13 16:46, Cyril wrote:
>>>>>>>>>> Le 19/12/2013 17:42, Rowland Penny a écrit :
>>>>>>>>>>> On 19/12/13 16:22, steve wrote:
>>>>>>>>>>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>>>>>>>>>>>>> On 19/12/13 15:53, Cyril wrote:
>>>>>>>>>>>>>> Le 19/12/2013 16:05, steve a écrit :
>>>>>>>>>>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>>>>>>>>>>>> Le 18/12/2013 15:40, Cyril a écrit :
>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I think I'm starting to understand how a Linux client
>>>>>>>>>>>>>>>>> can be integrated into a samba domain.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Tell me if I'm wrong :
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Linux clients don't need Samba for authentication,
>>>>>>>>>>>>>>>>> only the ldap part of samba.
>>>>>>>>>>>>>>>>> sssd through kerberos gets information from ldap. If the
>>>>>>>>>>>>>>>>> user is known or gets the right, he can log in.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> So why should I need to install winbind and samba4 on the
>>>>>>>>>>>>>>>>> linux client ?
>>>>>>>>>>>>>>>>> Is it only if I have a Windows AD ?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I can't get sssd working and I don't know why.
>>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>> Please post the censored content of:
>>>>>>>>>>>>>>> /etc/sssd/sssd.conf
>>>>>>>>>>>>>>> and the passwd and group greps of:
>>>>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>>>> and, for later:
>>>>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The workstation is an Ubuntu 12.04 LTS 64Bit
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> /etc/sssd/sssd.conf :
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [sssd]
>>>>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>>>>> domains = default
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [nss]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [pam]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [domain/default]
>>>>>>>>>>>>>> ad_hostname = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>> ad_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>> ad_domain = sub-domain.domain.fr
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ldap_schema = ad
>>>>>>>>>>>>>> id_provider = ad
>>>>>>>>>>>>>> access_provider = simple
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # on large directories, you may want to disable enumeration for performance reasons
>>>>>>>>>>>>>> enumerate = true
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>>>>> ldap_sasl_mech = gssapi
>>>>>>>>>>>>>> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>>> krb5_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>>>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>>>>> ldap_uri = ldap://myserverIPadress
>>>>>>>>>>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> dyndns_update=false
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> passwd: compat sss
>>>>>>>>>>>>>> group: compat sss
>>>>>>>>>>>>>> shadow: compat
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>>>>>>>>>>> networks: files
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> protocols: db files
>>>>>>>>>>>>>> services: db files
>>>>>>>>>>>>>> ethers: db files
>>>>>>>>>>>>>> rpc: db files
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> netgroup: nis
>>>>>>>>>>>>>> sudoers: files sss
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # here are the per-package modules (the "Primary" block)
>>>>>>>>>>>>>> auth [success=1 default=ignore] pam_unix.so nullok_secure
>>>>>>>>>>>>>> # here's the fallback if no module succeeds
>>>>>>>>>>>>>> auth requisite pam_deny.so
>>>>>>>>>>>>>> # prime the stack with a positive return value if there isn't one already;
>>>>>>>>>>>>>> # this avoids us returning an error just because nothing sets a success code
>>>>>>>>>>>>>> # since the modules above will each just jump around
>>>>>>>>>>>>>> auth required pam_permit.so
>>>>>>>>>>>>>> # and here are more per-package modules (the "Additional" block)
>>>>>>>>>>>>>> auth optional pam_cap.so
>>>>>>>>>>>>>> # end of pam-auth-update config
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>>
>>>>>>>>>>>>> As Steve says, might as well start with a new sssd.conf, here is a
>>>>>>>>>>>>> working (sanitized) version from the laptop I am typing on ;-)
>>>>>>>>>>>>>
>>>>>>>>>>>>> [sssd]
>>>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>>>> domains = default
>>>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>>>
>>>>>>>>>>>>> [nss]
>>>>>>>>>>>>>
>>>>>>>>>>>>> [pam]
>>>>>>>>>>>>>
>>>>>>>>>>>>> [domain/default]
>>>>>>>>>>>>> description = AD domain with Samba 4 server
>>>>>>>>>>>>> cache_credentials = true
>>>>>>>>>>>>> enumerate = true
>>>>>>>>>>>>> id_provider = ldap
>>>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>>>> access_provider = ldap
>>>>>>>>>>>>> autofs_provider = ldap
>>>>>>>>>>>>> sudo_provider = ldap
>>>>>>>>>>>>>
>>>>>>>>>>>>> krb5_server = your.Samba4server.FQDN
>>>>>>>>>>>>> krb5_kpasswd = your.Samba4server.FQDN
>>>>>>>>>>>>> krb5_realm = UPPERCASE.REALM
>>>>>>>>>>>>>
>>>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>>>> ldap_schema = rfc2307bis
>>>>>>>>>>>>> ldap_access_order = expire
>>>>>>>>>>>>> ldap_account_expire_policy = ad
>>>>>>>>>>>>> ldap_force_upper_case_realm = true
>>>>>>>>>>>>>
>>>>>>>>>>>>> ldap_user_object_class = user
>>>>>>>>>>>>> ldap_user_name = sAMAccountName
>>>>>>>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>>>>>>>> ldap_user_principal = userPrincipalName
>>>>>>>>>>>>>
>>>>>>>>>>>>> ldap_group_object_class = group
>>>>>>>>>>>>> ldap_group_name = sAMAccountName
>>>>>>>>>>>>>
>>>>>>>>>>>>> ldap_sasl_mech = GSSAPI
>>>>>>>>>>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>>>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>> @Rowland
>>>>>>>>>>>> Is the OP on sssd <= 1.9.x ?
>>>>>>>>>>>> Steve
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> He posted earlier that he was using Ubuntu 12.04, so I suggested
>>>>>>>>>>> that he used the sssd ppa. I believe that he is now using this ppa
>>>>>>>>>>> and if so, he should be using 1.11.1
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>> Yes that's what I did.
>>>>>>>>>>
>>>>>>>>>> But I think Steve would like to know the version on the laptop
>>>>>>>>>> you're currently using.
>>>>>>>>>>
>>>>>>>>> Thanks for confirming that, but you are the 'OP' he referred to,
>>>>>>>>> OP = original poster
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>
>>>>>>>> :-)
>>>>>>>>
>>>>>>>> Cyril
>>>>>>>
>>>>>>> OK. Glad we've got that one sorted.
>>>>>>>
>>>>>>> Just for completeness, here's a working 1.11.1 sssd.conf with
>>>>>>> all the ad and autofs bits:
>>>>>>> [sssd]
>>>>>>> #debug_level = 9
>>>>>>> services = nss, pam, autofs
>>>>>>> config_file_version = 2
>>>>>>> domains = default
>>>>>>>
>>>>>>> [nss]
>>>>>>>
>>>>>>> [pam]
>>>>>>>
>>>>>>> [autofs]
>>>>>>>
>>>>>>> [domain/default]
>>>>>>> #debug_level = 9
>>>>>>> dyndns_update=true
>>>>>>> #dyndns_refresh_interval = 8
>>>>>>> ad_hostname = catral.hh3.site
>>>>>>> ad_server = hh16.hh3.site
>>>>>>> ad_domain = hh3.site
>>>>>>>
>>>>>>> ldap_schema = ad
>>>>>>> id_provider = ad
>>>>>>> access_provider = ad
>>>>>>> enumerate = false
>>>>>>> cache_credentials = true
>>>>>>> #entry_cache_timeout = 60
>>>>>>> auth_provider = ad
>>>>>>> chpass_provider = ad
>>>>>>> krb5_realm = hh3.site
>>>>>>> krb5_server = hh16.hh3.site
>>>>>>> krb5_kpasswd = hh16.hh3.site
>>>>>>>
>>>>>>> ldap_id_mapping=false
>>>>>>> ldap_referrals = false
>>>>>>> ldap_uri = ldap://hh16.hh3.site
>>>>>>> ldap_search_base = dc=hh3,dc=site
>>>>>>> ldap_user_object_class = user
>>>>>>> ldap_user_name = samAccountName
>>>>>>> ldap_user_uid_number = uidNumber
>>>>>>> ldap_user_gid_number = gidNumber
>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>> ldap_user_shell = loginShell
>>>>>>> ldap_group_object_class = group
>>>>>>> ldap_group_search_base = dc=hh3,dc=site
>>>>>>> ldap_group_name = cn
>>>>>>> ldap_group_member = member
>>>>>>>
>>>>>>> ldap_sasl_mech = gssapi
>>>>>>> ldap_sasl_authid = CATRAL$@HH3.SITE
>>>>>>> krb5_keytab = /etc/krb5.keytab
>>>>>>> ldap_krb5_init_creds = true
>>>>>>>
>>>>>>> autofs_provider=ldap
>>>>>>>
>>>>>>> #ldap_autofs_search_base = CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
>>>>>>> #ldap_autofs_map_object_class = nisMap
>>>>>>> #ldap_autofs_entry_object_class = nisObject
>>>>>>> #ldap_autofs_map_name = nisMapName
>>>>>>> #ldap_autofs_entry_key = cn
>>>>>>> #ldap_autofs_entry_value = nisMapEntry
>>>>>>>
>>>>>>> ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
>>>>>>> ldap_autofs_map_object_class = automountMap
>>>>>>> ldap_autofs_entry_object_class = automount
>>>>>>> ldap_autofs_map_name = automountMapName
>>>>>>> ldap_autofs_entry_key = automountKey
>>>>>>> ldap_autofs_entry_value = automountInformation
>>>>>>>
>>>>>>>
>>>>>>> Please note that we must canonicalise IP's. We must use a DNS
>>>>>>> resolvable name, NOT a series of numbers. I think.
>>>>>>>
>>>>>>> HTH
>>>>>>> Steve
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> I made an error on :
>>>>>> ldap_sasl_authid, I forgot the $ sign
>>>>>> ad_hostname, I used the server name instead of the workstation's one
>>>>>>
>>>>>> But it is still not working.
>>>>>> But I have more information from sssd's log as I use debug_level = 9.
>>>>>>
>>>>>> May be an interesting one :
>>>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
>>>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0080): No suitable principal found in keytab
>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [ad_set_ad_id_options] (0x0040): Cannot set the SASL-related options
>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init] (0x0010): fatal error initializing data providers
>>>>>>
>>>>>> There's an issue with kerberos.
>>>>>>
>>>>>> Does the keytab have to be local ?
>>>>>> Or does the system use the server's one ?
>>>>>>
>>>>>> Cyril
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> If you use samba, then, when you join the machine to the domain, a
>>>>> keytab should be created '/etc/krb5.keytab' , are you using this keytab?
>>>>
>>>> No. The OP is using a samba-tool generated keytab at /etc/krb5.sssd.keytab
>>>>
>>>> For simplicity, could I suggest using the machine key that was generated
>>>> in /etc/krb5.conf when the client joined the domain? Where is this
>>>> anyway? On a DC or on a client box?
>>>>
>>>> If you generated the keytab on the DC then of course it must be
>>>> transferred to the client using e.g. scp or a usb memory.
>>>>
>>>> Steve
>>>>
>>>>
>>>>> If unsure, have a look here:
>>>>> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
>>>>>
>>>>>
>>>>> For 'Windows 2008 Server Setup' read 'Samba 4 Server Setup',
>>>>> ignore the bit about creating a keytab on the windows server.
>>>>>
>>>>> Rowland
>>>>
>>>>
>>> I copied the file /etc/krb5.sssd.keytab on the workstation.
>>>
>>> I had to reboot the workstation. Restarting the service sssd just hangs.
>>> And I still have the same error :
>>>
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [sdap_set_sasl_options] (0x2000): authid contains realm [SUBDOMAIN.DOMAIN.FR]
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [sdap_set_sasl_options] (0x0100): Will look for myserver$@SUBDOMAIN.DOMAIN.FR in default keytab
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0080): No suitable principal found in keytab
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [ad_set_ad_id_options] (0x0040): Cannot set the SASL-related options
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [be_process_init] (0x0010): fatal error initializing data providers
>>>
>>> If I run on the workstation :
>>> kinit administrator@SUBDOMAIN.DOMAIN.FR
>>> It asks me the admin password, then I have the warning message about
>>> expiration.
>>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>>> It also asks me a password but the admin's one doesn't work.
>>>
>>> Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR
>>> first before generating the keytab on the DC ?
>>>
>>> Cyril
>>>
>>>
>>>
>>>
>> What is actually in your keytab?
>>
>> Run ktutil on the client to find out:
>> sudo ktutil
>> ktutil: rkt /etc/krb5.sssd.keytab
>> ktutil: l
>>
>> and before you ask :
>>
>> ktutil: l <---- this is a lowercase L
>>
>> and then post the result here.
>>
>> Rowland
> Here is the result :
> ktutil: rkt /etc/krb5.sssd.keytab
> ktutil: l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    1 myserver$@SUBDOMAIN.DOMAIN.FR
>    2    1 myserver$@SUBDOMAIN.DOMAIN.FR
>    3    1 myserver$@SUBDOMAIN.DOMAIN.FR
>
> Cyril
OK, try changing (in /etc/sssd/sssd.conf)
'ldap_krb5_keytab = /etc/krb5.sssd.keytab'
To
'krb5_keytab = /etc/krb5.sssd.keytab'
Rowland
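The checks the thread walks through (the '$' of the machine account in ldap_sasl_authid, that principal actually being present in the keytab, the ad provider taking its keytab path from krb5_keytab rather than ldap_krb5_keytab, and ad_hostname naming the client rather than the DC) gathered into one script. This is an added example, not code from the thread or from the SSSD project; the sssd.conf fragment and the ktutil listing are constructed, and the client FQDN passed in is an assumed value.

```python
import configparser
import re

# Constructed sssd.conf fragment reproducing the mistakes discussed in the thread.
SSSD_CONF = """
[sssd]
domains = default

[domain/default]
ad_hostname = myserver.sub-domain.domain.fr
ad_server = myserver.sub-domain.domain.fr
id_provider = ad
ldap_sasl_mech = gssapi
ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
ldap_krb5_keytab = /etc/krb5.sssd.keytab
"""

# Constructed 'ktutil: l' output in the same layout as the thread's listing.
KTUTIL_LISTING = """slot KVNO Principal
---- ---- ----------------------------------
   1    1 myserver$@SUBDOMAIN.DOMAIN.FR
   2    1 myserver$@SUBDOMAIN.DOMAIN.FR
"""

def keytab_principals(listing):
    """Return the set of principals named in a ktutil 'l' listing."""
    return {m.group(1) for m in
            re.finditer(r"^\s*\d+\s+\d+\s+(\S+)\s*$", listing, re.M)}

def check_sssd_keytab(conf_text, listing, client_fqdn):
    """Return a list of problems; an empty list means the keytab settings agree."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    dom = cfg["domain/" + cfg["sssd"]["domains"].split(",")[0].strip()]
    problems = []
    authid = dom.get("ldap_sasl_authid", "")
    # A machine account principal ends in '$' (the poster had left it out).
    if authid and "$@" not in authid:
        problems.append("ldap_sasl_authid lacks the machine account '$': " + authid)
    # The authid must be one of the principals the keytab actually holds.
    if authid and authid not in keytab_principals(listing):
        problems.append("ldap_sasl_authid is not in the keytab: " + authid)
    # With id_provider = ad the keytab path is taken from krb5_keytab (the thread's fix).
    if dom.get("id_provider") == "ad" and "ldap_krb5_keytab" in dom and "krb5_keytab" not in dom:
        problems.append("id_provider = ad uses krb5_keytab; ldap_krb5_keytab is not enough")
    # ad_hostname names this client, not the DC (the poster had used the server name).
    if dom.get("ad_hostname", client_fqdn) != client_fqdn:
        problems.append("ad_hostname must be this client's FQDN, not the DC's")
    return problems
```

Run it against the real files by feeding the contents of /etc/sssd/sssd.conf and the output of ktutil's 'l' command into check_sssd_keytab together with the client's own FQDN.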