[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

steve steve at steve-ss.com
Fri Dec 20 07:11:07 MST 2013


On Fri, 2013-12-20 at 15:00 +0100, Cyril wrote:
> On 20/12/2013 14:52, steve wrote:
> > On Fri, 2013-12-20 at 14:37 +0100, Cyril wrote:
> >> On 20/12/2013 14:29, steve wrote:
> >>> On Fri, 2013-12-20 at 11:26 +0100, Cyril Lalinne wrote:
> >>>
> >>>> I'm trying to allow authentication with sssd via kerberos on the samba4 AD.
> >>>>
> >>>> That's why I'm surprised about the "when the client joined the domain"
> >>>
> >>>
> >>> Ah, so that's what you want to do. Using samba it's easy. Install enough
> >>> of samba to get the net command. Usually samba-client is enough:
> >>>
> >>> Remove the myserver$ machine account on the DC.
> >>>
> >>> On the client make a token /etc/samba/smb.conf:
> >>>
> >>> workgroup = your.dc.hostname
> >>> realm = SUBDOMAIN.DOMAIN.FR
> >>> security = ADS
> >>> kerberos method = system keytab
> >>>
> >>> Then it's just:
> >>> net ads join -UAdministrator
> >>>
> >>> HTH
> >>> Steve
> >>
> >>
> >> I'm not sure I explained myself very well.
> >>
> >> I want users to be able to log on to workstations (Linux and Windows) with
> >> the profile I created for them in the samba4 domain.
> >> On Windows that already works fine.
> >> I'm dealing with Linux workstations now, with native tools.
> >>
> >> I'm trying to make it work with sssd and kerberos without samba.
> >>
> >> Cyril
> >>
> >>
> > Yes, OK. As you now have getent passwd working with sssd, id will
> > also work, and that in turn will enable your users to authenticate
> > against your Samba4 DC.
> >
> 
> It's not working fine with Ubuntu 12.04 as I had to use a ppa for sssd 
> and I cannot install libpam-sss due to an unresolved dependency.
> So I'm using an older libpam-sss, but while authenticating I get the error:
> pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 
> tty=:1 ruser= rhost= user=NT4Domain/MyUser
> 
> I'll try on Ubuntu 13.10.
> Unless there's a way to install the dependency manually

I'd guess that the pam versions must match the sssd version. Maybe
that's one for the Ubuntu list or the guy who maintains the ppa?

> 
> 
> > Just out of curiosity, how are you sharing the user data on the Linux
> > clients? Do you have the user folder information in AD too?
> >
> > Cheers,
> > Steve
> >
> 
> It's not done, but I plan to use NFS and automount to link users' home 
> directories to a shared folder on the network.
> On Windows workstations, the home folder is linked to a network drive letter.
> 
> I'm wondering if I can put home directories and Windows profiles in the 
> same shared folder ...

Yes, of course. I'd recommend automounted cifs. You then have as near as
damn it:
 Linux workstation == Windows workstation

Good luck,
Steve
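
The pam_sss failure line quoted in this thread, parsed into fields and counted per service and user, as an added example that is not part of the original messages. The function names and the sample lines (syslog prefix, host name, addresses) are constructed for illustration; the wrapped log line from the mail is rejoined onto one line.

```python
import re
from collections import Counter

# Shape: pam_sss(<service>:<phase>): <message>; key=value key=value ...
PAM_SSS = re.compile(
    r"pam_sss\((?P<service>[^:)]+):(?P<phase>[^)]+)\):\s*"
    r"(?P<message>[^;]+);\s*(?P<fields>.*)$"
)
# Values can be empty (logname=, ruser=, rhost=), hence \S* and not \S+.
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines; prefix, host name and addresses are made up.
SAMPLE = [
    "Dec 20 14:55:01 ws1 lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=NT4Domain/MyUser",
    "Dec 20 14:55:09 ws1 lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=NT4Domain/MyUser",
    "Dec 20 14:56:30 ws1 sshd[2211]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=otheruser",
    "Dec 20 14:57:00 ws1 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)",
]


def parse_pam_sss(line):
    """Return a dict for one pam_sss log line, or None if it is not one."""
    m = PAM_SSS.search(line)
    if m is None:
        return None
    rec = {"service": m["service"], "phase": m["phase"],
           "message": m["message"].strip()}
    rec.update(dict(FIELD.findall(m["fields"])))
    # Split a qualified login name (DOMAIN\user, DOMAIN/user, user@domain).
    user = rec.get("user", "")
    if "@" in user:
        rec["account"], rec["domain"] = user.rsplit("@", 1)
    elif "\\" in user or "/" in user:
        rec["domain"], rec["account"] = re.split(r"[\\/]", user, maxsplit=1)
    else:
        rec["domain"], rec["account"] = "", user
    return rec


def failures_by_user(lines):
    """Count 'authentication failure' records per (service, user)."""
    counts = Counter()
    for line in lines:
        rec = parse_pam_sss(line)
        if rec and rec["message"] == "authentication failure":
            counts[(rec["service"], rec.get("user", ""))] += 1
    return counts


if __name__ == "__main__":
    for (service, user), n in failures_by_user(SAMPLE).most_common():
        print(f"{n} failed logins via {service} for {user}")
```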



