[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril cyril.lalinne at 3d-com.fr
Fri Dec 20 07:24:16 MST 2013


On 20/12/2013 15:11, steve wrote:
> On Fri, 2013-12-20 at 15:00 +0100, Cyril wrote:
>> On 20/12/2013 14:52, steve wrote:
>>> On Fri, 2013-12-20 at 14:37 +0100, Cyril wrote:
>>>> On 20/12/2013 14:29, steve wrote:
>>>>> On Fri, 2013-12-20 at 11:26 +0100, Cyril Lalinne wrote:
>>>>>
>>>>>> I'm trying to allow authentication with sssd via kerberos on the samba4 AD.
>>>>>>
>>>>>> That's why I'm surprised about the "when the client joined the domain"
>>>>>
>>>>>
>>>>> Ah, so that's what you want to do. Using samba it's easy. Install enough
>>>>> of samba to get the net command. Usually samba-client is enough:
>>>>>
>>>>> Remove the myserver$ machine account on the DC.
>>>>>
>>>>> On the client make a token /etc/samba/smb.conf:
>>>>>
>>>>> workgroup = your.dc.hostname
>>>>> realm = SUBDOMAIN.DOMAIN.FR
>>>>> security = ADS
>>>>> kerberos method = system keytab
>>>>>
>>>>> Then it's just:
>>>>> net ads join -UAdministrator
>>>>>
>>>>> HTH
>>>>> Steve
>>>>
>>>>
>>>> I'm not sure I explained myself very well.
>>>>
>>>> I want users to be able to log on to workstations (Linux and Windows) with
>>>> their profile that I create in the samba4 domain.
>>>> On Windows that already works fine.
>>>> I'm dealing with Linux workstations now, with native tools.
>>>>
>>>> I'm trying to make it work with sssd and kerberos without samba.
>>>>
>>>> Cyril
>>>>
>>>>
>>> Yes, OK. As you now have getent passwd working with sssd, id will
>>> also work and that in turn will enable your users to authenticate
>>> against your Samba4 DC.
>>>
>>
>> It's not working fine with Ubuntu 12.04 as I had to use a ppa for sssd
>> and I cannot install libpam-sss due to an unresolved dependency.
>> So I'm using an older libpam-sss but while authenticating, I get the error
>> :pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0
>> tty=:1 ruser= rhost= user=NT4Domain/MyUser
>>
>> I'll try on Ubuntu 13.10.
>> Unless there's a way to install the dependency manually
>
> I'd guess that the pam versions must match the sssd version. Maybe
> that's one for the Ubuntu list or the guy who maintains the ppa?
>
>>
>>
>>> Just out of curiosity, how are you sharing the user data on the Linux
>>> clients? Do you have the user folder information in AD too?
>>>
>>> Cheers,
>>> Steve
>>>
>>
>> It's not done, but I plan to use NFS and automount to link users' home
>> directories to a shared folder on the network.
>> On Windows workstations, the home folder is linked to a network letter.
>>
>> I'm wondering if I can put home directories and Windows profiles in the
>> same shared folder ...
>
> Yes, of course. I'd recommend automounted cifs. You then have as near as
> damn it:
>   Linux workstation == Windows workstation
>
> Good luck,
> Steve
>
>
Ok thanks
Cyril
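
Added example, not part of the original messages: a small Python parser for the `pam_sss(...): authentication failure` line quoted in the thread, useful for seeing which service and which login-name form (`DOMAIN/user`, `DOMAIN\user`, `user@domain`) is failing on a client. The syslog prefix, host names, times and the second user are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines; only the pam_sss message format comes from the thread.
SAMPLE_LOG = """\
Dec 20 15:02:11 ws01 lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=NT4Domain/MyUser
Dec 20 15:02:40 ws01 lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=NT4Domain/MyUser
Dec 20 15:03:05 ws01 sshd[2211]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice@subdomain.domain.fr
Dec 20 15:03:09 ws01 sshd[2211]: pam_unix(sshd:session): session opened for user bob by (uid=0)
"""

FAILURE = re.compile(
    r"pam_sss\((?P<service>[^:)]+):(?P<type>\w+)\): authentication failure; (?P<fields>.*)$"
)
# key=value pairs; values may be empty (logname=, ruser=, rhost=).
FIELD = re.compile(r"(\w+)=(\S*)")

def split_login(name):
    """Return (domain, user); domain is None when the name is unqualified."""
    for sep in ("\\", "/"):
        if sep in name:
            domain, user = name.split(sep, 1)
            return domain, user
    if "@" in name:
        user, domain = name.rsplit("@", 1)
        return domain, user
    return None, name

def parse_failures(text):
    """Extract one dict per pam_sss authentication failure line."""
    events = []
    for line in text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue  # not a pam_sss failure (e.g. pam_unix session lines)
        fields = dict(FIELD.findall(m.group("fields")))
        login = fields.get("user", "")
        domain, user = split_login(login)
        events.append({"service": m.group("service"), "type": m.group("type"),
                       "tty": fields.get("tty", ""), "rhost": fields.get("rhost", ""),
                       "login": login, "domain": domain, "user": user})
    return events

def failures_by_login(events):
    """Count failures per (PAM service, login name as typed)."""
    return Counter((e["service"], e["login"]) for e in events)

if __name__ == "__main__":
    for key, count in failures_by_login(parse_failures(SAMPLE_LOG)).items():
        print(count, *key)
```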


