[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril Lalinne cyril.lalinne at 3d-com.fr
Fri Dec 20 03:16:26 MST 2013


Le 20/12/2013 11:06, Rowland Penny a écrit :
> On 20/12/13 09:53, Cyril Lalinne wrote:
>>
>> Le 20/12/2013 10:44, Rowland Penny a écrit :
>>> On 20/12/13 09:37, Cyril wrote:
>>>> Le 19/12/2013 19:16, steve a écrit :
>>>>> On Thu, 2013-12-19 at 18:11 +0000, Rowland Penny wrote:
>>>>>> On 19/12/13 18:00, Cyril wrote:
>>>>>>> Le 19/12/2013 18:16, steve a écrit :
>>>>>>>> On Thu, 2013-12-19 at 18:00 +0100, Cyril Lalinne wrote:
>>>>>>>>> Le 19/12/2013 17:53, Rowland Penny a écrit :
>>>>>>>>>> On 19/12/13 16:46, Cyril wrote:
>>>>>>>>>>> Le 19/12/2013 17:42, Rowland Penny a écrit :
>>>>>>>>>>>> On 19/12/13 16:22, steve wrote:
>>>>>>>>>>>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>>>>>>>>>>>>>> On 19/12/13 15:53, Cyril wrote:
>>>>>>>>>>>>>>> Le 19/12/2013 16:05, steve a écrit :
>>>>>>>>>>>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>>>>>>>>>>>>> Le 18/12/2013 15:40, Cyril a écrit :
>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I think I'm starting to understand how Linux client 
>>>>>>>>>>>>>>>>>> can be
>>>>>>>>>>>>>>>>>> integrated
>>>>>>>>>>>>>>>>>> into a samba domain.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Tell me if I'm wrong :
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Linux clients don't need Samba for authentication, 
>>>>>>>>>>>>>>>>>> only the
>>>>>>>>>>>>>>>>>> ldap
>>>>>>>>>>>>>>>>>> part of
>>>>>>>>>>>>>>>>>> samba.
>>>>>>>>>>>>>>>>>> sssd through kerberos get information from ldap. If the
>>>>>>>>>>>>>>>>>> user is
>>>>>>>>>>>>>>>>>> known or
>>>>>>>>>>>>>>>>>> get the right, he can log.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> So why should I need to install winbind and samba4 on 
>>>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>>> linux
>>>>>>>>>>>>>>>>>> client ?
>>>>>>>>>>>>>>>>>> Is it only if I have a Windows AD ?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I can't get sssd working and I don't know why.
>>>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>>> Please post the censored content of:
>>>>>>>>>>>>>>>> /etc/sssd/sssd.conf
>>>>>>>>>>>>>>>> and the passwd and group greps of:
>>>>>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>>>>> and, for later:
>>>>>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The workstation is an Ubuntu 12.04 LTS 64Bit
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> /etc/sssd/sssd.conf :
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [sssd]
>>>>>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>>>>>> domains = default
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [nss]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [pam]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [domain/default]
>>>>>>>>>>>>>>> ad_hostname = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>>> ad_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>>> ad_domain = sub-domain.domain.fr
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ldap_schema = ad
>>>>>>>>>>>>>>> id_provider = ad
>>>>>>>>>>>>>>> access_provider = simple
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # on large directories, you may want to disable 
>>>>>>>>>>>>>>> enumeration for
>>>>>>>>>>>>>>> performance reasons
>>>>>>>>>>>>>>> enumerate = true
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>>>>>> ldap_sasl_mech = gssapi
>>>>>>>>>>>>>>> ldap_sasl_authid = myserver at SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>>>> krb5_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>>>>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>>>>>> ldap_uri = ldap://myserverIPadress
>>>>>>>>>>>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> dyndns_update=false
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> passwd:         compat sss
>>>>>>>>>>>>>>> group:          compat sss
>>>>>>>>>>>>>>> shadow:         compat
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> hosts:          files mdns4_minimal dns 
>>>>>>>>>>>>>>> [NOTFOUND=return] mdns4
>>>>>>>>>>>>>>> networks:       files
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> protocols:      db files
>>>>>>>>>>>>>>> services:       db files
>>>>>>>>>>>>>>> ethers:         db files
>>>>>>>>>>>>>>> rpc:            db files
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> netgroup:       nis
>>>>>>>>>>>>>>> sudoers:        files sss
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # here are the per-package modules (the "Primary" block)
>>>>>>>>>>>>>>> auth    [success=1 default=ignore] pam_unix.so 
>>>>>>>>>>>>>>> nullok_secure
>>>>>>>>>>>>>>> # here's the fallback if no module succeeds
>>>>>>>>>>>>>>> auth    requisite pam_deny.so
>>>>>>>>>>>>>>> # prime the stack with a positive return value if there 
>>>>>>>>>>>>>>> isn't one
>>>>>>>>>>>>>>> already;
>>>>>>>>>>>>>>> # this avoids us returning an error just because nothing 
>>>>>>>>>>>>>>> sets a
>>>>>>>>>>>>>>> success code
>>>>>>>>>>>>>>> # since the modules above will each just jump around
>>>>>>>>>>>>>>> auth    required pam_permit.so
>>>>>>>>>>>>>>> # and here are more per-package modules (the 
>>>>>>>>>>>>>>> "Additional" block)
>>>>>>>>>>>>>>> auth    optional pam_cap.so
>>>>>>>>>>>>>>> # end of pam-auth-update config
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As Steve says, might as well start with a new sssd.conf, 
>>>>>>>>>>>>>> here is a
>>>>>>>>>>>>>> working (sanitized) version from the laptop I am typing 
>>>>>>>>>>>>>> on ;-)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [sssd]
>>>>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>>>>> domains = default
>>>>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [nss]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [pam]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [domain/default]
>>>>>>>>>>>>>> description = AD domain with Samba 4 server
>>>>>>>>>>>>>> cache_credentials = true
>>>>>>>>>>>>>> enumerate = true
>>>>>>>>>>>>>> id_provider = ldap
>>>>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>>>>> access_provider = ldap
>>>>>>>>>>>>>> autofs_provider = ldap
>>>>>>>>>>>>>> sudo_provider = ldap
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> krb5_server = your.Samba4server.FQDN
>>>>>>>>>>>>>> krb5_kpasswd = your.Samba4server.FQDN
>>>>>>>>>>>>>> krb5_realm = UPPERCASE.REALM
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>>>>> ldap_schema = rfc2307bis
>>>>>>>>>>>>>> ldap_access_order = expire
>>>>>>>>>>>>>> ldap_account_expire_policy = ad
>>>>>>>>>>>>>> ldap_force_upper_case_realm = true
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ldap_user_object_class = user
>>>>>>>>>>>>>> ldap_user_name = sAMAccountName
>>>>>>>>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>>>>>>>>> ldap_user_principal = userPrincipalName
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ldap_group_object_class = group
>>>>>>>>>>>>>> ldap_group_name = sAMAccountName
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ldap_sasl_mech = GSSAPI
>>>>>>>>>>>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>>>>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>> @Rowland
>>>>>>>>>>>>> Is the OP on sssd <= 1.9.x ?
>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> He posted earlier that he was using Ubuntu 12.04, so I 
>>>>>>>>>>>> suggested
>>>>>>>>>>>> that he
>>>>>>>>>>>> used the sssd ppa. I believe that he is now using this ppa 
>>>>>>>>>>>> and if
>>>>>>>>>>>> so, he
>>>>>>>>>>>> should be using 1.11.1
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>> Yes that's what I did.
>>>>>>>>>>>
>>>>>>>>>>> But I think Steve would like to know the version on the 
>>>>>>>>>>> laptop you're
>>>>>>>>>>> curently using.
>>>>>>>>>>>
>>>>>>>>>> Thanks for confirming that, but you are the 'OP' he referred 
>>>>>>>>>> to, OP =
>>>>>>>>>> original poster
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>> :-)
>>>>>>>>>
>>>>>>>>> Cyril
>>>>>>>>
>>>>>>>> OK. Glad we've got that one sorted.
>>>>>>>>
>>>>>>>> Just for completeness, here's a working 1.11.1 sssd.conf with 
>>>>>>>> all the ad
>>>>>>>> and autofs bits:
>>>>>>>>    [sssd]
>>>>>>>> #debug_level = 9
>>>>>>>> services = nss, pam, autofs
>>>>>>>> config_file_version = 2
>>>>>>>> domains = default
>>>>>>>>
>>>>>>>> [nss]
>>>>>>>>
>>>>>>>> [pam]
>>>>>>>>
>>>>>>>> [autofs]
>>>>>>>>
>>>>>>>> [domain/default]
>>>>>>>> #debug_level = 9
>>>>>>>> dyndns_update=true
>>>>>>>> #dyndns_refresh_interval = 8
>>>>>>>> ad_hostname = catral.hh3.site
>>>>>>>> ad_server = hh16.hh3.site
>>>>>>>> ad_domain = hh3.site
>>>>>>>>
>>>>>>>> ldap_schema = ad
>>>>>>>> id_provider = ad
>>>>>>>> access_provider = ad
>>>>>>>> enumerate = false
>>>>>>>> cache_credentials = true
>>>>>>>> #entry_cache_timeout = 60
>>>>>>>> auth_provider = ad
>>>>>>>> chpass_provider = ad
>>>>>>>> krb5_realm = hh3.site
>>>>>>>> krb5_server = hh16.hh3.site
>>>>>>>> krb5_kpasswd = hh16.hh3.site
>>>>>>>>
>>>>>>>> ldap_id_mapping=false
>>>>>>>> ldap_referrals = false
>>>>>>>> ldap_uri = ldap://hh16.hh3.site
>>>>>>>> ldap_search_base = dc=hh3,dc=site
>>>>>>>> ldap_user_object_class = user
>>>>>>>> ldap_user_name = samAccountName
>>>>>>>> ldap_user_uid_number = uidNumber
>>>>>>>> ldap_user_gid_number = gidNumber
>>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>>> ldap_user_shell = loginShell
>>>>>>>> ldap_group_object_class = group
>>>>>>>> ldap_group_search_base = dc=hh3,dc=site
>>>>>>>> ldap_group_name = cn
>>>>>>>> ldap_group_member = member
>>>>>>>>
>>>>>>>> ldap_sasl_mech = gssapi
>>>>>>>> ldap_sasl_authid = CATRAL$@HH3.SITE
>>>>>>>> krb5_keytab = /etc/krb5.keytab
>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>
>>>>>>>> autofs_provider=ldap
>>>>>>>>
>>>>>>>> #ldap_autofs_search_base =
>>>>>>>> CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
>>>>>>>> #ldap_autofs_map_object_class = nisMap
>>>>>>>> #ldap_autofs_entry_object_class = nisObject
>>>>>>>> #ldap_autofs_map_name = nisMapName
>>>>>>>> #ldap_autofs_entry_key = cn
>>>>>>>> #ldap_autofs_entry_value = nisMapEntry
>>>>>>>>
>>>>>>>> ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
>>>>>>>> ldap_autofs_map_object_class = automountMap
>>>>>>>> ldap_autofs_entry_object_class = automount
>>>>>>>> ldap_autofs_map_name = automountMapName
>>>>>>>> ldap_autofs_entry_key = automountKey
>>>>>>>> ldap_autofs_entry_value = automountInformation
>>>>>>>>
>>>>>>>>
>>>>>>>> Please note that we must canonicalise IP's. We must use a DNS 
>>>>>>>> resolvable
>>>>>>>> name, NOT a series of mumbers. I think.
>>>>>>>>
>>>>>>>> HTH
>>>>>>>> Steve
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> I made an error on :
>>>>>>> ldap_sasl_authid, I forget the $ sign
>>>>>>> ad_hostname, I use the server name instead of workstation's one
>>>>>>>
>>>>>>> But it still not working.
>>>>>>> But I have more information from sssd's log as I use debug_level 
>>>>>>> = 9.
>>>>>>>
>>>>>>> May be an interesting one :
>>>>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]]
>>>>>>> select_principal_from_keytab] (0x0200): trying to select the most
>>>>>>> appropriate principal from keytab
>>>>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]
>>>>>>> [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>>>>>> (Thu Dec 19 18:47:56 2013)
>>>>>>> [sssd[be[default]]][select_principal_from_keytab] (0x0080): No
>>>>>>> suitable principal found in keytab
>>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]]
>>>>>>> [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
>>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] 
>>>>>>> [load_backend_module]
>>>>>>> (0x0010): Error (2) in module (ad) initialization 
>>>>>>> (sssm_ad_id_init)!
>>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init]
>>>>>>> (0x0010): fatal error initializing data providers
>>>>>>>
>>>>>>> There's an issue with kerberos.
>>>>>>>
>>>>>>> The keytab have to be local ?
>>>>>>> Or does the system use the server one ?
>>>>>>>
>>>>>>> Cyril
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> If you use samba, then, when you join the machine to the domain, a
>>>>>> keytab should be created '/etc/krb5.keytab' , are you using this 
>>>>>> keytab?
>>>>>
>>>>> No. The OP is using a samba-tool generated keytab
>>>>> at /etc/krb5.sssd.keytab
>>>>>
>>>>> For simplicity, could I suggest using the machine key that was 
>>>>> generated
>>>>> in /etc/krb5.conf when the client joined the domain? Where is this
>>>>> anyway? On a DC or on a client box?
>>>>>
>>>>> If you generated the keytab on the DC then of course it must be
>>>>> transferred to the client using e.g. scp or a usb memory.
>>>>>
>>>>> Steve
>>>>>
>>>>>
>>>>>> If unsure, have a look here:
>>>>>> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server 
>>>>>>
>>>>>>
>>>>>> For 'Windows 2008 Server Setup' read 'Samba 4 Server Setup', 
>>>>>> ignore the
>>>>>> bit about about creating a keytab on the windows server.
>>>>>>
>>>>>> Rowland
>>>>>
>>>>>
>>>> I copied the file /etc/krb5.sssd.keytab on the workstation.
>>>>
>>>> I had to reboot the workstation. Restarting the service sssd just 
>>>> hang.
>>>> And I still have the same error :
>>>>
>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
>>>> [sdap_set_sasl_options](0x2000): authid contains realm 
>>>> [SUBDOMAIN.DOMAIN.FR]
>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
>>>> [sdap_set_sasl_options](0x0100): Will look for 
>>>> myserver$@SUBDOMAIN.DOMAIN.FR in default keytab
>>>> (Fri Dec 20 09:28:31 2013) 
>>>> [sssd[be[default]]][select_principal_from_keytab] (0x0200): trying 
>>>> to select the most appropriate principal from keytab
>>>> (Fri Dec 20 09:28:31 2013) 
>>>> [sssd[be[default]]][find_principal_in_keytab] (0x0020): 
>>>> krb5_kt_start_seq_get failed.
>>>> (Fri Dec 20 09:28:31 2013) 
>>>> [sssd[be[default]]][select_principal_from_keytab] (0x0080): No 
>>>> suitable principal found in keytab
>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
>>>> [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
>>>> [load_backend_module](0x0010): Error (2) in module (ad) 
>>>> initialization (sssm_ad_id_init)!
>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
>>>> [be_process_init](0x0010): fatal error initializing data providers
>>>>
>>>> If I run on the workstation :
>>>> kinit administrator at SUBDOMAIN.DOMAIN.FR
>>>> It ask me the admin password, then I have the warnig message aout 
>>>> expiration.
>>>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>>>> It also ask me a password but the admin's one doesn't work.
>>>>
>>>> Am-I suppose to create this principal myserver$@SUBDOMAIN.DOMAIN.FR 
>>>> first before generating the keytab on the DC ?
>>>>
>>>> Cyril
>>>>
>>>>
>>>>
>>>>
>>> What is actually in your keytab?
>>>
>>> Run ktutil on the client to find out:
>>> sudo ktutil
>>> ktutil:  rkt /etc/krb5.sssd.keytab
>>> ktutil:  l
>>>
>>> and before you ask :
>>>
>>> ktutil:  l  <---- this is a lowercase L
>>>
>>> and then post the result here.
>>>
>>> Rowland
>> Here is the result :
>> ktutil:  rkt /etc/krb5.sssd.keytab
>> ktutil:  l
>> slot KVNO Principal
>> ---- ---- 
>> ---------------------------------------------------------------------
>>    1    1                    myserver$@SUBDOMAIN.DOMAIN.FR
>>    2    1                    myserver$@SUBDOMAIN.DOMAIN.FR
>>    3    1                    myserver$@SUBDOMAIN.DOMAIN.FR
>>
>> Cyril
> Well, that looks ok, but how did you create the keytab? I seem to 
> remember that you copied it across from the server, so who does it 
> belong to and what are the permissions? I have samba running on my 
> client and joined the machine to the domain and /etc/krb5.keytab was 
> created, owned by root:root and rw only for root.
>
> Looking at what you posted, it seems that it cannot find your 
> principal in the default keytab, does this mean that it is looking for 
> /etc/krb5.keytab ?
>
> Rowland
I have create the keytab on the DC with the following command :

# samba-tool domain exportkeytab /etc/krb5.sssd.keytab 
--principal=myserver$
# chown root:root /etc/krb5.sssd.keytab
# chmod 600 /etc/krb5.sssd.keytab

Then, as Steve ask me to do it,  I copied it to the workstation with scp.

In the sssd.conf file, on the workstation, I have the option :
ldap_krb5_keytab = /etc/krb5.sssd.keytab


But Steve also said :
"using the machine key that was generated
in /etc/krb5.conf when the client joined the domain?"

The workstation didn't join the domaine. Is it the issue ?

Cyril








More information about the samba mailing list