[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril Lalinne cyril.lalinne at 3d-com.fr
Fri Dec 20 03:26:03 MST 2013


On 20/12/2013 11:21, Rowland Penny wrote:
> On 20/12/13 10:16, Cyril Lalinne wrote:
>>
>> On 20/12/2013 11:06, Rowland Penny wrote:
>>> On 20/12/13 09:53, Cyril Lalinne wrote:
>>>>
>>>> On 20/12/2013 10:44, Rowland Penny wrote:
>>>>> On 20/12/13 09:37, Cyril wrote:
>>>>>> On 19/12/2013 19:16, steve wrote:
>>>>>>> On Thu, 2013-12-19 at 18:11 +0000, Rowland Penny wrote:
>>>>>>>> On 19/12/13 18:00, Cyril wrote:
>>>>>>>>> On 19/12/2013 18:16, steve wrote:
>>>>>>>>>> On Thu, 2013-12-19 at 18:00 +0100, Cyril Lalinne wrote:
>>>>>>>>>>> On 19/12/2013 17:53, Rowland Penny wrote:
>>>>>>>>>>>> On 19/12/13 16:46, Cyril wrote:
>>>>>>>>>>>>> On 19/12/2013 17:42, Rowland Penny wrote:
>>>>>>>>>>>>>> On 19/12/13 16:22, steve wrote:
>>>>>>>>>>>>>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>>>>>>>>>>>>>>>> On 19/12/13 15:53, Cyril wrote:
>>>>>>>>>>>>>>>>> On 19/12/2013 16:05, steve wrote:
>>>>>>>>>>>>>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>>>>>>>>>>>>>>> On 18/12/2013 15:40, Cyril wrote:
>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I think I'm starting to understand how Linux client 
>>>>>>>>>>>>>>>>>>>> can be
>>>>>>>>>>>>>>>>>>>> integrated
>>>>>>>>>>>>>>>>>>>> into a samba domain.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Tell me if I'm wrong :
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Linux clients don't need Samba for authentication,
>>>>>>>>>>>>>>>>>>>> only the ldap part of samba.
>>>>>>>>>>>>>>>>>>>> sssd through kerberos gets information from ldap. If
>>>>>>>>>>>>>>>>>>>> the user is known or has the right, he can log in.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> So why should I need to install winbind and samba4 
>>>>>>>>>>>>>>>>>>>> on the
>>>>>>>>>>>>>>>>>>>> linux
>>>>>>>>>>>>>>>>>>>> client ?
>>>>>>>>>>>>>>>>>>>> Is it only if I have a Windows AD ?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I can't get sssd working and I don't know why.
>>>>>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>>>>>> Please post the censored content of:
>>>>>>>>>>>>>>>>>> /etc/sssd/sssd.conf
>>>>>>>>>>>>>>>>>> and the passwd and group greps of:
>>>>>>>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>>>>>>> and, for later:
>>>>>>>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> The workstation is an Ubuntu 12.04 LTS 64Bit
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> /etc/sssd/sssd.conf :
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> [sssd]
>>>>>>>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>>>>>>>> domains = default
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> [nss]
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> [pam]
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> [domain/default]
>>>>>>>>>>>>>>>>> ad_hostname = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>>>>> ad_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>>>>> ad_domain = sub-domain.domain.fr
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> ldap_schema = ad
>>>>>>>>>>>>>>>>> id_provider = ad
>>>>>>>>>>>>>>>>> access_provider = simple
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # on large directories, you may want to disable 
>>>>>>>>>>>>>>>>> enumeration for
>>>>>>>>>>>>>>>>> performance reasons
>>>>>>>>>>>>>>>>> enumerate = true
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>>>>>>>> ldap_sasl_mech = gssapi
>>>>>>>>>>>>>>>>> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>>>>>> krb5_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>>>>>>>>>>>>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>>>>>>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>>>>>>>> ldap_uri = ldap://myserverIPadress
>>>>>>>>>>>>>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> dyndns_update=false
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> passwd:         compat sss
>>>>>>>>>>>>>>>>> group:          compat sss
>>>>>>>>>>>>>>>>> shadow:         compat
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> hosts:          files mdns4_minimal dns 
>>>>>>>>>>>>>>>>> [NOTFOUND=return] mdns4
>>>>>>>>>>>>>>>>> networks:       files
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> protocols:      db files
>>>>>>>>>>>>>>>>> services:       db files
>>>>>>>>>>>>>>>>> ethers:         db files
>>>>>>>>>>>>>>>>> rpc:            db files
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> netgroup:       nis
>>>>>>>>>>>>>>>>> sudoers:        files sss
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # here are the per-package modules (the "Primary" block)
>>>>>>>>>>>>>>>>> auth    [success=1 default=ignore] pam_unix.so 
>>>>>>>>>>>>>>>>> nullok_secure
>>>>>>>>>>>>>>>>> # here's the fallback if no module succeeds
>>>>>>>>>>>>>>>>> auth    requisite pam_deny.so
>>>>>>>>>>>>>>>>> # prime the stack with a positive return value if 
>>>>>>>>>>>>>>>>> there isn't one
>>>>>>>>>>>>>>>>> already;
>>>>>>>>>>>>>>>>> # this avoids us returning an error just because 
>>>>>>>>>>>>>>>>> nothing sets a
>>>>>>>>>>>>>>>>> success code
>>>>>>>>>>>>>>>>> # since the modules above will each just jump around
>>>>>>>>>>>>>>>>> auth    required pam_permit.so
>>>>>>>>>>>>>>>>> # and here are more per-package modules (the 
>>>>>>>>>>>>>>>>> "Additional" block)
>>>>>>>>>>>>>>>>> auth    optional pam_cap.so
>>>>>>>>>>>>>>>>> # end of pam-auth-update config
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> As Steve says, might as well start with a new 
>>>>>>>>>>>>>>>> sssd.conf, here is a
>>>>>>>>>>>>>>>> working (sanitized) version from the laptop I am typing 
>>>>>>>>>>>>>>>> on ;-)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [sssd]
>>>>>>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>>>>>>> domains = default
>>>>>>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [nss]
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [pam]
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [domain/default]
>>>>>>>>>>>>>>>> description = AD domain with Samba 4 server
>>>>>>>>>>>>>>>> cache_credentials = true
>>>>>>>>>>>>>>>> enumerate = true
>>>>>>>>>>>>>>>> id_provider = ldap
>>>>>>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>>>>>>> access_provider = ldap
>>>>>>>>>>>>>>>> autofs_provider = ldap
>>>>>>>>>>>>>>>> sudo_provider = ldap
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> krb5_server = your.Samba4server.FQDN
>>>>>>>>>>>>>>>> krb5_kpasswd = your.Samba4server.FQDN
>>>>>>>>>>>>>>>> krb5_realm = UPPERCASE.REALM
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>>>>>>> ldap_schema = rfc2307bis
>>>>>>>>>>>>>>>> ldap_access_order = expire
>>>>>>>>>>>>>>>> ldap_account_expire_policy = ad
>>>>>>>>>>>>>>>> ldap_force_upper_case_realm = true
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ldap_user_object_class = user
>>>>>>>>>>>>>>>> ldap_user_name = sAMAccountName
>>>>>>>>>>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>>>>>>>>>>> ldap_user_principal = userPrincipalName
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ldap_group_object_class = group
>>>>>>>>>>>>>>>> ldap_group_name = sAMAccountName
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ldap_sasl_mech = GSSAPI
>>>>>>>>>>>>>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>>>>>>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>> @Rowland
>>>>>>>>>>>>>>> Is the OP on sssd <= 1.9.x ?
>>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> He posted earlier that he was using Ubuntu 12.04, so I 
>>>>>>>>>>>>>> suggested
>>>>>>>>>>>>>> that he
>>>>>>>>>>>>>> used the sssd ppa. I believe that he is now using this 
>>>>>>>>>>>>>> ppa and if
>>>>>>>>>>>>>> so, he
>>>>>>>>>>>>>> should be using 1.11.1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes that's what I did.
>>>>>>>>>>>>>
>>>>>>>>>>>>> But I think Steve would like to know the version on the 
>>>>>>>>>>>>> laptop you're
>>>>>>>>>>>>> currently using.
>>>>>>>>>>>>>
>>>>>>>>>>>> Thanks for confirming that, but you are the 'OP' he 
>>>>>>>>>>>> referred to, OP =
>>>>>>>>>>>> original poster
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>> :-)
>>>>>>>>>>>
>>>>>>>>>>> Cyril
>>>>>>>>>>
>>>>>>>>>> OK. Glad we've got that one sorted.
>>>>>>>>>>
>>>>>>>>>> Just for completeness, here's a working 1.11.1 sssd.conf with 
>>>>>>>>>> all the ad
>>>>>>>>>> and autofs bits:
>>>>>>>>>>    [sssd]
>>>>>>>>>> #debug_level = 9
>>>>>>>>>> services = nss, pam, autofs
>>>>>>>>>> config_file_version = 2
>>>>>>>>>> domains = default
>>>>>>>>>>
>>>>>>>>>> [nss]
>>>>>>>>>>
>>>>>>>>>> [pam]
>>>>>>>>>>
>>>>>>>>>> [autofs]
>>>>>>>>>>
>>>>>>>>>> [domain/default]
>>>>>>>>>> #debug_level = 9
>>>>>>>>>> dyndns_update=true
>>>>>>>>>> #dyndns_refresh_interval = 8
>>>>>>>>>> ad_hostname = catral.hh3.site
>>>>>>>>>> ad_server = hh16.hh3.site
>>>>>>>>>> ad_domain = hh3.site
>>>>>>>>>>
>>>>>>>>>> ldap_schema = ad
>>>>>>>>>> id_provider = ad
>>>>>>>>>> access_provider = ad
>>>>>>>>>> enumerate = false
>>>>>>>>>> cache_credentials = true
>>>>>>>>>> #entry_cache_timeout = 60
>>>>>>>>>> auth_provider = ad
>>>>>>>>>> chpass_provider = ad
>>>>>>>>>> krb5_realm = hh3.site
>>>>>>>>>> krb5_server = hh16.hh3.site
>>>>>>>>>> krb5_kpasswd = hh16.hh3.site
>>>>>>>>>>
>>>>>>>>>> ldap_id_mapping=false
>>>>>>>>>> ldap_referrals = false
>>>>>>>>>> ldap_uri = ldap://hh16.hh3.site
>>>>>>>>>> ldap_search_base = dc=hh3,dc=site
>>>>>>>>>> ldap_user_object_class = user
>>>>>>>>>> ldap_user_name = samAccountName
>>>>>>>>>> ldap_user_uid_number = uidNumber
>>>>>>>>>> ldap_user_gid_number = gidNumber
>>>>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>>>>> ldap_user_shell = loginShell
>>>>>>>>>> ldap_group_object_class = group
>>>>>>>>>> ldap_group_search_base = dc=hh3,dc=site
>>>>>>>>>> ldap_group_name = cn
>>>>>>>>>> ldap_group_member = member
>>>>>>>>>>
>>>>>>>>>> ldap_sasl_mech = gssapi
>>>>>>>>>> ldap_sasl_authid = CATRAL$@HH3.SITE
>>>>>>>>>> krb5_keytab = /etc/krb5.keytab
>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>
>>>>>>>>>> autofs_provider=ldap
>>>>>>>>>>
>>>>>>>>>> #ldap_autofs_search_base =
>>>>>>>>>> CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
>>>>>>>>>> #ldap_autofs_map_object_class = nisMap
>>>>>>>>>> #ldap_autofs_entry_object_class = nisObject
>>>>>>>>>> #ldap_autofs_map_name = nisMapName
>>>>>>>>>> #ldap_autofs_entry_key = cn
>>>>>>>>>> #ldap_autofs_entry_value = nisMapEntry
>>>>>>>>>>
>>>>>>>>>> ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
>>>>>>>>>> ldap_autofs_map_object_class = automountMap
>>>>>>>>>> ldap_autofs_entry_object_class = automount
>>>>>>>>>> ldap_autofs_map_name = automountMapName
>>>>>>>>>> ldap_autofs_entry_key = automountKey
>>>>>>>>>> ldap_autofs_entry_value = automountInformation
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Please note that we must canonicalise IPs. We must use a DNS
>>>>>>>>>> resolvable name, NOT a series of numbers. I think.
>>>>>>>>>>
>>>>>>>>>> HTH
>>>>>>>>>> Steve
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I made an error on:
>>>>>>>>> ldap_sasl_authid, I forgot the $ sign
>>>>>>>>> ad_hostname, I used the server name instead of the workstation's
>>>>>>>>>
>>>>>>>>> But it's still not working.
>>>>>>>>> But I have more information from sssd's log as I use
>>>>>>>>> debug_level = 9.
>>>>>>>>>
>>>>>>>>> May be an interesting one :
>>>>>>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]]
>>>>>>>>> select_principal_from_keytab] (0x0200): trying to select the most
>>>>>>>>> appropriate principal from keytab
>>>>>>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]
>>>>>>>>> [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get 
>>>>>>>>> failed.
>>>>>>>>> (Thu Dec 19 18:47:56 2013)
>>>>>>>>> [sssd[be[default]]][select_principal_from_keytab] (0x0080): No
>>>>>>>>> suitable principal found in keytab
>>>>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]]
>>>>>>>>> [ad_set_ad_id_options](0x0040): Cannot set the SASL-related 
>>>>>>>>> options
>>>>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] 
>>>>>>>>> [load_backend_module]
>>>>>>>>> (0x0010): Error (2) in module (ad) initialization 
>>>>>>>>> (sssm_ad_id_init)!
>>>>>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init]
>>>>>>>>> (0x0010): fatal error initializing data providers
>>>>>>>>>
>>>>>>>>> There's an issue with kerberos.
>>>>>>>>>
>>>>>>>>> Does the keytab have to be local?
>>>>>>>>> Or does the system use the server one ?
>>>>>>>>>
>>>>>>>>> Cyril
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> If you use samba, then, when you join the machine to the domain, a
>>>>>>>> keytab should be created '/etc/krb5.keytab' , are you using 
>>>>>>>> this keytab?
>>>>>>>
>>>>>>> No. The OP is using a samba-tool generated keytab
>>>>>>> at /etc/krb5.sssd.keytab
>>>>>>>
>>>>>>> For simplicity, could I suggest using the machine key that was 
>>>>>>> generated
>>>>>>> in /etc/krb5.conf when the client joined the domain? Where is this
>>>>>>> anyway? On a DC or on a client box?
>>>>>>>
>>>>>>> If you generated the keytab on the DC then of course it must be
>>>>>>> transferred to the client using e.g. scp or a usb memory.
>>>>>>>
>>>>>>> Steve
>>>>>>>
>>>>>>>
>>>>>>>> If unsure, have a look here:
>>>>>>>> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server 
>>>>>>>>
>>>>>>>>
>>>>>>>> For 'Windows 2008 Server Setup' read 'Samba 4 Server Setup', 
>>>>>>>> ignore the
>>>>>>>> bit about about creating a keytab on the windows server.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>
>>>>>>>
>>>>>> I copied the file /etc/krb5.sssd.keytab on the workstation.
>>>>>>
>>>>>> I had to reboot the workstation. Restarting the service sssd just
>>>>>> hangs.
>>>>>> And I still have the same error :
>>>>>>
>>>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
>>>>>> [sdap_set_sasl_options](0x2000): authid contains realm 
>>>>>> [SUBDOMAIN.DOMAIN.FR]
>>>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
>>>>>> [sdap_set_sasl_options](0x0100): Will look for 
>>>>>> myserver$@SUBDOMAIN.DOMAIN.FR in default keytab
>>>>>> (Fri Dec 20 09:28:31 2013) 
>>>>>> [sssd[be[default]]][select_principal_from_keytab] (0x0200): 
>>>>>> trying to select the most appropriate principal from keytab
>>>>>> (Fri Dec 20 09:28:31 2013) 
>>>>>> [sssd[be[default]]][find_principal_in_keytab] (0x0020): 
>>>>>> krb5_kt_start_seq_get failed.
>>>>>> (Fri Dec 20 09:28:31 2013) 
>>>>>> [sssd[be[default]]][select_principal_from_keytab] (0x0080): No 
>>>>>> suitable principal found in keytab
>>>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
>>>>>> [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
>>>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
>>>>>> [load_backend_module](0x0010): Error (2) in module (ad) 
>>>>>> initialization (sssm_ad_id_init)!
>>>>>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] 
>>>>>> [be_process_init](0x0010): fatal error initializing data providers
>>>>>>
>>>>>> If I run on the workstation:
>>>>>> kinit administrator@SUBDOMAIN.DOMAIN.FR
>>>>>> It asks me for the admin password, then I get the warning message
>>>>>> about expiration.
>>>>>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>> It also asks me for a password, but the admin's one doesn't work.
>>>>>>
>>>>>> Am I supposed to create this principal
>>>>>> myserver$@SUBDOMAIN.DOMAIN.FR first, before generating the keytab
>>>>>> on the DC?
>>>>>>
>>>>>> Cyril
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> What is actually in your keytab?
>>>>>
>>>>> Run ktutil on the client to find out:
>>>>> sudo ktutil
>>>>> ktutil:  rkt /etc/krb5.sssd.keytab
>>>>> ktutil:  l
>>>>>
>>>>> and before you ask :
>>>>>
>>>>> ktutil:  l  <---- this is a lowercase L
>>>>>
>>>>> and then post the result here.
>>>>>
>>>>> Rowland
>>>> Here is the result :
>>>> ktutil:  rkt /etc/krb5.sssd.keytab
>>>> ktutil:  l
>>>> slot KVNO Principal
>>>> ---- ---- 
>>>> ---------------------------------------------------------------------
>>>>    1    1                    myserver$@SUBDOMAIN.DOMAIN.FR
>>>>    2    1                    myserver$@SUBDOMAIN.DOMAIN.FR
>>>>    3    1                    myserver$@SUBDOMAIN.DOMAIN.FR
>>>>
>>>> Cyril
>>> Well, that looks ok, but how did you create the keytab? I seem to 
>>> remember that you copied it across from the server, so who does it 
>>> belong to and what are the permissions? I have samba running on my 
>>> client and joined the machine to the domain and /etc/krb5.keytab was 
>>> created, owned by root:root and rw only for root.
>>>
>>> Looking at what you posted, it seems that it cannot find your 
>>> principal in the default keytab, does this mean that it is looking 
>>> for /etc/krb5.keytab ?
>>>
>>> Rowland
>> I have created the keytab on the DC with the following command:
>>
>> # samba-tool domain exportkeytab /etc/krb5.sssd.keytab 
>> --principal=myserver$
>> # chown root:root /etc/krb5.sssd.keytab
>> # chmod 600 /etc/krb5.sssd.keytab
>>
>> Then, as Steve asked me to do, I copied it to the workstation with
>> scp.
>>
>> In the sssd.conf file, on the workstation, I have the option :
>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>
>>
>> But Steve also said :
>> "using the machine key that was generated
>> in /etc/krb5.conf when the client joined the domain?"
>>
>> The workstation didn't join the domain. Is that the issue?
>>
>> Cyril
>>
>>
>>
>>
>>
>>
> What is in your smb.conf and what is the error you get when trying to 
> join?
> I do not think that you have to join the domain but it is easier if you do.
>
> Rowland
>
I don't have a smb.conf file as I didn't install any samba package on 
the workstation.
I'm trying to allow authentication with sssd via kerberos on the samba4 AD.

That's why I'm surprised about the "when the client joined the domain".

Cyril
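As an added diagnostic, not from the thread and not part of SSSD's own tooling, the script below reads an sssd.conf and a `ktutil` listing and reports which keytab the AD provider will open, whether the SASL principal is in it, and whether the file is root:root with rw for root only (the state Rowland describes after a join). It assumes, based on the log line "Will look for ... in default keytab" and on the working config that sets `krb5_keytab`, that `id_provider = ad` takes the keytab path from `krb5_keytab` (falling back to /etc/krb5.keytab) and does not consult `ldap_krb5_keytab` for this; the config and listing are constructed samples modelled on what was posted.

```python
import configparser
import io
import stat

DEFAULT_KEYTAB = "/etc/krb5.keytab"   # the "default keytab" named in the log

# Constructed sample: the OP's sssd.conf reduced to the keys that matter here.
OP_SSSD_CONF = """[sssd]
domains = default
[domain/default]
id_provider = ad
ldap_sasl_mech = gssapi
ldap_sasl_authid = myserver$@SUBDOMAIN.DOMAIN.FR
ldap_krb5_keytab = /etc/krb5.sssd.keytab
"""
# Constructed ktutil "l" listing, shaped like the one posted in the thread.
KTUTIL_LISTING = """slot KVNO Principal
---- ---- --------------------------------------------------------------
   1    1                    myserver$@SUBDOMAIN.DOMAIN.FR
   2    1                    myserver$@SUBDOMAIN.DOMAIN.FR
"""

def keytab_principals(listing):
    """Principals in a ktutil 'l' listing (rows that start with a slot number)."""
    rows = [ln.split() for ln in listing.splitlines()]
    return {r[-1] for r in rows if r and r[0].isdigit()}

def keytab_perm_issues(mode, uid, gid):
    """Flag a keytab that is not root:root, rw for root only (the join default)."""
    issues = [] if (uid, gid) == (0, 0) else ["keytab is not owned by root:root"]
    if stat.S_IMODE(mode) & 0o077:
        issues.append("keytab has group/other permission bits set")
    return issues

def audit(conf_text, keytabs, domain="default"):
    """keytabs: {path: ktutil listing} of keytab files present on the client."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(conf_text))
    sec, findings = cp["domain/" + domain], []
    # Assumption (from the log's "in default keytab" and the working config that
    # sets krb5_keytab): id_provider = ad takes the path from krb5_keytab, with
    # /etc/krb5.keytab as fallback, and does not consult ldap_krb5_keytab here.
    keytab = sec.get("krb5_keytab") or DEFAULT_KEYTAB
    if (sec.get("id_provider") == "ad" and "ldap_krb5_keytab" in sec
            and "krb5_keytab" not in sec):
        findings.append("ldap_krb5_keytab has no effect here; set krb5_keytab")
    authid = sec.get("ldap_sasl_authid", "")
    if "$@" not in authid:
        findings.append("ldap_sasl_authid should be the machine account HOST$@REALM")
    if keytab not in keytabs:
        findings.append("%s is missing on the client" % keytab)
    elif authid not in keytab_principals(keytabs[keytab]):
        findings.append("%s is not in %s" % (authid, keytab))
    return keytab, findings
```

On a real client, pass audit() the text of /etc/sssd/sssd.conf and the rkt/l output for each keytab file, and feed os.stat(path).st_mode, .st_uid and .st_gid to keytab_perm_issues().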