[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Rowland Penny rowlandpenny at googlemail.com
Fri Dec 20 03:21:31 MST 2013


On 20/12/13 10:16, Cyril Lalinne wrote:
>
> On 20/12/2013 11:06, Rowland Penny wrote:
>> On 20/12/13 09:53, Cyril Lalinne wrote:
>>>
>>> On 20/12/2013 10:44, Rowland Penny wrote:
>>>> On 20/12/13 09:37, Cyril wrote:
>>>>> On 19/12/2013 19:16, steve wrote:
>>>>>> On Thu, 2013-12-19 at 18:11 +0000, Rowland Penny wrote:
>>>>>>> On 19/12/13 18:00, Cyril wrote:
>>>>>>>> On 19/12/2013 18:16, steve wrote:
>>>>>>>>> On Thu, 2013-12-19 at 18:00 +0100, Cyril Lalinne wrote:
>>>>>>>>>> On 19/12/2013 17:53, Rowland Penny wrote:
>>>>>>>>>>> On 19/12/13 16:46, Cyril wrote:
>>>>>>>>>>>> On 19/12/2013 17:42, Rowland Penny wrote:
>>>>>>>>>>>>> On 19/12/13 16:22, steve wrote:
>>>>>>>>>>>>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 19/12/13 15:53, Cyril wrote:
>>>>>>>>>>>>>>>> On 19/12/2013 16:05, steve wrote:
>>>>>>>>>>>>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>>>>>>>>>>>>>> On 18/12/2013 15:40, Cyril wrote:
>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I think I'm starting to understand how a Linux client can be integrated into a Samba domain.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Tell me if I'm wrong :
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Linux clients don't need Samba for authentication, only the LDAP part of Samba.
>>>>>>>>>>>>>>>>>>> sssd, through Kerberos, gets information from LDAP. If the user is known or has the right, he can log in.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> So why should I need to install winbind and Samba 4 on the Linux client?
>>>>>>>>>>>>>>>>>>> Is it only if I have a Windows AD ?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I can't get sssd working and I don't know why.
>>>>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>>>> Please post the censored content of:
>>>>>>>>>>>>>>>>> /etc/sssd/sssd.conf
>>>>>>>>>>>>>>>>> and the passwd and group greps of:
>>>>>>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>>>>>> and, for later:
>>>>>>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The workstation is an Ubuntu 12.04 LTS 64Bit
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> /etc/sssd/sssd.conf :
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [sssd]
>>>>>>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>>>>>>> domains = default
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [nss]
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [pam]
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [domain/default]
>>>>>>>>>>>>>>>> ad_hostname = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>>>> ad_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>>>> ad_domain = sub-domain.domain.fr
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ldap_schema = ad
>>>>>>>>>>>>>>>> id_provider = ad
>>>>>>>>>>>>>>>> access_provider = simple
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # on large directories, you may want to disable enumeration for performance reasons
>>>>>>>>>>>>>>>> enumerate = true
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>>>>>>> ldap_sasl_mech = gssapi
>>>>>>>>>>>>>>>> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>>>>> krb5_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>>>>>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>>>>>>> ldap_uri = ldap://myserverIPadress
>>>>>>>>>>>>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> dyndns_update=false
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> passwd:         compat sss
>>>>>>>>>>>>>>>> group:          compat sss
>>>>>>>>>>>>>>>> shadow:         compat
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>>>>>>>>>>>>> networks:       files
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> protocols:      db files
>>>>>>>>>>>>>>>> services:       db files
>>>>>>>>>>>>>>>> ethers:         db files
>>>>>>>>>>>>>>>> rpc:            db files
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> netgroup:       nis
>>>>>>>>>>>>>>>> sudoers:        files sss
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # here are the per-package modules (the "Primary" block)
>>>>>>>>>>>>>>>> auth    [success=1 default=ignore] pam_unix.so nullok_secure
>>>>>>>>>>>>>>>> # here's the fallback if no module succeeds
>>>>>>>>>>>>>>>> auth    requisite pam_deny.so
>>>>>>>>>>>>>>>> # prime the stack with a positive return value if there isn't one already;
>>>>>>>>>>>>>>>> # this avoids us returning an error just because nothing sets a success code
>>>>>>>>>>>>>>>> # since the modules above will each just jump around
>>>>>>>>>>>>>>>> auth    required pam_permit.so
>>>>>>>>>>>>>>>> # and here are more per-package modules (the "Additional" block)
>>>>>>>>>>>>>>>> auth    optional pam_cap.so
>>>>>>>>>>>>>>>> # end of pam-auth-update config
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> As Steve says, might as well start with a new sssd.conf, here is a working (sanitized) version from the laptop I am typing on ;-)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [sssd]
>>>>>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>>>>>> domains = default
>>>>>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [nss]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [pam]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [domain/default]
>>>>>>>>>>>>>>> description = AD domain with Samba 4 server
>>>>>>>>>>>>>>> cache_credentials = true
>>>>>>>>>>>>>>> enumerate = true
>>>>>>>>>>>>>>> id_provider = ldap
>>>>>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>>>>>> access_provider = ldap
>>>>>>>>>>>>>>> autofs_provider = ldap
>>>>>>>>>>>>>>> sudo_provider = ldap
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> krb5_server = your.Samba4server.FQDN
>>>>>>>>>>>>>>> krb5_kpasswd = your.Samba4server.FQDN
>>>>>>>>>>>>>>> krb5_realm = UPPERCASE.REALM
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>>>>>> ldap_schema = rfc2307bis
>>>>>>>>>>>>>>> ldap_access_order = expire
>>>>>>>>>>>>>>> ldap_account_expire_policy = ad
>>>>>>>>>>>>>>> ldap_force_upper_case_realm = true
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ldap_user_object_class = user
>>>>>>>>>>>>>>> ldap_user_name = sAMAccountName
>>>>>>>>>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>>>>>>>>>> ldap_user_principal = userPrincipalName
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ldap_group_object_class = group
>>>>>>>>>>>>>>> ldap_group_name = sAMAccountName
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ldap_sasl_mech = GSSAPI
>>>>>>>>>>>>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>>>>>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>> @Rowland
>>>>>>>>>>>>>> Is the OP on sssd <= 1.9.x ?
>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>> He posted earlier that he was using Ubuntu 12.04, so I suggested that he use the sssd ppa. I believe that he is now using this ppa and if so, he should be using 1.11.1
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>> Yes that's what I did.
>>>>>>>>>>>>
>>>>>>>>>>>> But I think Steve would like to know the version on the laptop you're currently using.
>>>>>>>>>>>>
>>>>>>>>>>> Thanks for confirming that, but you are the 'OP' he referred to, OP = original poster
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>> :-)
>>>>>>>>>>
>>>>>>>>>> Cyril
>>>>>>>>>
>>>>>>>>> OK. Glad we've got that one sorted.
>>>>>>>>>
>>>>>>>>> Just for completeness, here's a working 1.11.1 sssd.conf with all the ad and autofs bits:
>>>>>>>>> [sssd]
>>>>>>>>> #debug_level = 9
>>>>>>>>> services = nss, pam, autofs
>>>>>>>>> config_file_version = 2
>>>>>>>>> domains = default
>>>>>>>>>
>>>>>>>>> [nss]
>>>>>>>>>
>>>>>>>>> [pam]
>>>>>>>>>
>>>>>>>>> [autofs]
>>>>>>>>>
>>>>>>>>> [domain/default]
>>>>>>>>> #debug_level = 9
>>>>>>>>> dyndns_update=true
>>>>>>>>> #dyndns_refresh_interval = 8
>>>>>>>>> ad_hostname = catral.hh3.site
>>>>>>>>> ad_server = hh16.hh3.site
>>>>>>>>> ad_domain = hh3.site
>>>>>>>>>
>>>>>>>>> ldap_schema = ad
>>>>>>>>> id_provider = ad
>>>>>>>>> access_provider = ad
>>>>>>>>> enumerate = false
>>>>>>>>> cache_credentials = true
>>>>>>>>> #entry_cache_timeout = 60
>>>>>>>>> auth_provider = ad
>>>>>>>>> chpass_provider = ad
>>>>>>>>> krb5_realm = hh3.site
>>>>>>>>> krb5_server = hh16.hh3.site
>>>>>>>>> krb5_kpasswd = hh16.hh3.site
>>>>>>>>>
>>>>>>>>> ldap_id_mapping=false
>>>>>>>>> ldap_referrals = false
>>>>>>>>> ldap_uri = ldap://hh16.hh3.site
>>>>>>>>> ldap_search_base = dc=hh3,dc=site
>>>>>>>>> ldap_user_object_class = user
>>>>>>>>> ldap_user_name = samAccountName
>>>>>>>>> ldap_user_uid_number = uidNumber
>>>>>>>>> ldap_user_gid_number = gidNumber
>>>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>>>> ldap_user_shell = loginShell
>>>>>>>>> ldap_group_object_class = group
>>>>>>>>> ldap_group_search_base = dc=hh3,dc=site
>>>>>>>>> ldap_group_name = cn
>>>>>>>>> ldap_group_member = member
>>>>>>>>>
>>>>>>>>> ldap_sasl_mech = gssapi
>>>>>>>>> ldap_sasl_authid = CATRAL$@HH3.SITE
>>>>>>>>> krb5_keytab = /etc/krb5.keytab
>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>
>>>>>>>>> autofs_provider=ldap
>>>>>>>>>
>>>>>>>>> #ldap_autofs_search_base =
>>>>>>>>> CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
>>>>>>>>> #ldap_autofs_map_object_class = nisMap
>>>>>>>>> #ldap_autofs_entry_object_class = nisObject
>>>>>>>>> #ldap_autofs_map_name = nisMapName
>>>>>>>>> #ldap_autofs_entry_key = cn
>>>>>>>>> #ldap_autofs_entry_value = nisMapEntry
>>>>>>>>>
>>>>>>>>> ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
>>>>>>>>> ldap_autofs_map_object_class = automountMap
>>>>>>>>> ldap_autofs_entry_object_class = automount
>>>>>>>>> ldap_autofs_map_name = automountMapName
>>>>>>>>> ldap_autofs_entry_key = automountKey
>>>>>>>>> ldap_autofs_entry_value = automountInformation
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Please note that we must canonicalise IPs. We must use a DNS resolvable name, NOT a series of numbers. I think.
>>>>>>>>>
>>>>>>>>> HTH
>>>>>>>>> Steve
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> I made an error on:
>>>>>>>> ldap_sasl_authid, I forgot the $ sign
>>>>>>>> ad_hostname, I used the server name instead of the workstation's one
>>>>>>>>
>>>>>>>> But it is still not working.
>>>>>>>> But I have more information from sssd's log as I use debug_level = 9.
>>>>>>>>
>>>>>>>> Maybe an interesting one:
>>>>>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
>>>>>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0080): No suitable principal found in keytab
>>>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [ad_set_ad_id_options] (0x0040): Cannot set the SASL-related options
>>>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>>>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init] (0x0010): fatal error initializing data providers
>>>>>>>>
>>>>>>>> There's an issue with Kerberos.
>>>>>>>>
>>>>>>>> Does the keytab have to be local?
>>>>>>>> Or does the system use the server's one?
>>>>>>>>
>>>>>>>> Cyril
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> If you use samba, then, when you join the machine to the domain, a keytab should be created '/etc/krb5.keytab', are you using this keytab?
>>>>>>
>>>>>> No. The OP is using a samba-tool generated keytab
>>>>>> at /etc/krb5.sssd.keytab
>>>>>>
>>>>>> For simplicity, could I suggest using the machine key that was generated in /etc/krb5.conf when the client joined the domain? Where is this anyway? On a DC or on a client box?
>>>>>>
>>>>>> If you generated the keytab on the DC then of course it must be transferred to the client using e.g. scp or a usb memory.
>>>>>>
>>>>>> Steve
>>>>>>
>>>>>>
>>>>>>> If unsure, have a look here:
>>>>>>> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server 
>>>>>>>
>>>>>>>
>>>>>>> For 'Windows 2008 Server Setup' read 'Samba 4 Server Setup', ignore the bit about creating a keytab on the windows server.
>>>>>>>
>>>>>>> Rowland
>>>>>>
>>>>>>
>>>>> I copied the file /etc/krb5.sssd.keytab onto the workstation.
>>>>>
>>>>> I had to reboot the workstation. Restarting the service sssd just hangs.
>>>>> And I still have the same error:
>>>>>
>>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [sdap_set_sasl_options] (0x2000): authid contains realm [SUBDOMAIN.DOMAIN.FR]
>>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [sdap_set_sasl_options] (0x0100): Will look for myserver$@SUBDOMAIN.DOMAIN.FR in default keytab
>>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
>>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0080): No suitable principal found in keytab
>>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [ad_set_ad_id_options] (0x0040): Cannot set the SASL-related options
>>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [be_process_init] (0x0010): fatal error initializing data providers
>>>>>
>>>>> If I run on the workstation:
>>>>> kinit administrator@SUBDOMAIN.DOMAIN.FR
>>>>> It asks me for the admin password, then I get the warning message about expiration.
>>>>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>>>>> It also asks me for a password but the admin's one doesn't work.
>>>>>
>>>>> Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR first, before generating the keytab on the DC?
>>>>>
>>>>> Cyril
>>>>>
>>>>>
>>>>>
>>>>>
>>>> What is actually in your keytab?
>>>>
>>>> Run ktutil on the client to find out:
>>>> sudo ktutil
>>>> ktutil:  rkt /etc/krb5.sssd.keytab
>>>> ktutil:  l
>>>>
>>>> and before you ask:
>>>>
>>>> ktutil:  l  <---- this is a lowercase L
>>>>
>>>> and then post the result here.
>>>>
>>>> Rowland
>>> Here is the result:
>>> ktutil:  rkt /etc/krb5.sssd.keytab
>>> ktutil:  l
>>> slot KVNO Principal
>>> ---- ---- ---------------------------------------------------------------------
>>>    1    1                    myserver$@SUBDOMAIN.DOMAIN.FR
>>>    2    1                    myserver$@SUBDOMAIN.DOMAIN.FR
>>>    3    1                    myserver$@SUBDOMAIN.DOMAIN.FR
>>>
>>> Cyril
>> Well, that looks ok, but how did you create the keytab? I seem to 
>> remember that you copied it across from the server, so who does it 
>> belong to and what are the permissions? I have samba running on my 
>> client and joined the machine to the domain and /etc/krb5.keytab was 
>> created, owned by root:root and rw only for root.
>>
>> Looking at what you posted, it seems that it cannot find your 
>> principal in the default keytab, does this mean that it is looking 
>> for /etc/krb5.keytab ?
>>
>> Rowland
> I have created the keytab on the DC with the following commands:
>
> # samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=myserver$
> # chown root:root /etc/krb5.sssd.keytab
> # chmod 600 /etc/krb5.sssd.keytab
>
> Then, as Steve asked me to, I copied it to the workstation with scp.
>
> In the sssd.conf file, on the workstation, I have the option :
> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>
>
> But Steve also said:
> "using the machine key that was generated in /etc/krb5.conf when the client joined the domain?"
>
> The workstation didn't join the domain. Is that the issue?
>
> Cyril
>
>
>
>
>
>
What is in your smb.conf and what is the error you get when trying to join?
I do not think that you have to join the domain but it is easier if you do.

Rowland
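Added example (editor's code, not from the thread or from the Samba/SSSD projects). Rowland's ktutil recipe answers "what is actually in your keytab?" interactively; the script below does the same offline by parsing the MIT keytab file format (the 0x0502 format that samba-tool exportkeytab and ktutil write): it lists principals with kvno and enctype, checks whether the exact string given as ldap_sasl_authid is present (the missing "$" Cyril mentions is one way that check fails), and reports whether the file deviates from the root:root, mode 0600 state Rowland describes for /etc/krb5.keytab. It constructs a keytab in memory using the principal from Cyril's ktutil listing, so it runs without a DC; the three enctypes, the all-zero key bytes and the kvno values are assumptions for the sample, not data from the thread.

```python
"""Offline keytab inspection for an SSSD client (added example, not from the thread).

Parses the MIT keytab binary format, version 0x0502. The sample keytab at
the bottom is constructed here with dummy keys so the script runs without
a domain controller; nothing in it comes from a real join.
"""
import os
import stat
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"      # keytab file format version 2
KRB5_NT_PRINCIPAL = 1           # name type for ordinary principals
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # "name@REALM", as ktutil's "l" command shows it
    kvno: int
    enctype: int


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")                  # "host/fqdn" -> two components
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", KRB5_NT_PRINCIPAL)
        body += struct.pack(">I", 0)             # timestamp (unused here)
        body += bytes([kvno & 0xFF])             # 8-bit kvno
        body += struct.pack(">H", enctype)
        body += struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)          # 32-bit kvno (v2 extension)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return the list of KeytabEntry records in a version-2 keytab blob."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 (0x0502) keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off += 4
        if size == 0:
            break
        if size < 0:                  # negative size marks a deleted slot
            off += -size
            continue
        rec, p = data[off:off + size], 0
        ncomp, rlen = struct.unpack_from(">HH", rec, p); p += 4
        realm = rec[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            clen = struct.unpack_from(">H", rec, p)[0]; p += 2
            comps.append(rec[p:p + clen].decode()); p += clen
        p += 4 + 4                    # skip name type and timestamp
        kvno = rec[p]; p += 1
        enctype, klen = struct.unpack_from(">HH", rec, p); p += 4 + klen
        if p + 4 <= size:             # optional 32-bit kvno after the key
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype))
        off += size
    return entries


def has_principal(data, authid):
    """True if the ldap_sasl_authid string matches a keytab principal exactly."""
    return any(e.principal == authid for e in parse_keytab(data))


def permission_problems(uid, mode):
    """Deviations from root-owned, mode 0600 (what a domain join leaves behind)."""
    problems = []
    if uid != 0:
        problems.append("not owned by root (uid %d)" % uid)
    if stat.S_IMODE(mode) & 0o077:
        problems.append("mode %o grants group/other access" % stat.S_IMODE(mode))
    return problems


def inspect_file(path):
    """Entries and permission problems for a keytab on disk (run as root)."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    return parse_keytab(data), permission_problems(st.st_uid, st.st_mode)


# Constructed sample: the principal from Cyril's ktutil listing, three slots.
SAMPLE_AUTHID = "myserver$@SUBDOMAIN.DOMAIN.FR"
SAMPLE_KEYTAB = build_keytab([
    (SAMPLE_AUTHID, 1, 23, bytes(16)),   # dummy keys, not real key material
    (SAMPLE_AUTHID, 1, 17, bytes(16)),
    (SAMPLE_AUTHID, 1, 18, bytes(32)),
])

if __name__ == "__main__":
    print("slot KVNO Principal")
    for i, e in enumerate(parse_keytab(SAMPLE_KEYTAB), 1):
        print("%4d %4d %s (%s)" % (i, e.kvno, e.principal,
                                   ENCTYPE_NAMES.get(e.enctype, e.enctype)))
    # The authid mistake Cyril describes: same account, "$" left off.
    print("authid without $ present:",
          has_principal(SAMPLE_KEYTAB, "myserver@SUBDOMAIN.DOMAIN.FR"))
    print("problems with a 0644 keytab:", permission_problems(0, 0o100644))
```

On a real client, inspect_file("/etc/krb5.sssd.keytab") gives the same listing as Rowland's rkt/l sequence, or as the non-interactive "klist -kt /etc/krb5.sssd.keytab". Two things worth checking against the logs Cyril posted: the entry SSSD says it will look for ("Will look for myserver$@SUBDOMAIN.DOMAIN.FR in default keytab") must match a principal string exactly, and "default keytab" means SSSD is not opening the file named by ldap_krb5_keytab at all; Steve's working AD-provider config names the file with krb5_keytab instead, which the thread does not settle as the cause but is the obvious diff to try.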