[Samba] Linux client of the domain - SSSD : authenticating via Kerberos
Cyril
cyril.lalinne at 3d-com.fr
Fri Dec 20 07:28:56 MST 2013
On 20/12/2013 15:05, steve wrote:
> On Fri, 2013-12-20 at 14:48 +0100, Cyril wrote:
>>>
>>> I'll do some more testing. Re-try on a fresh install
>>> And I'll do a summary.
>>>
>>>
>>> Cyril
>>>
>>
>> I still have an issue:
>>
>> When installing libpam-sss,
>> there's a dependency libpam-pwquality (>= 1.2.2-1)
>> But I can't find it in ubuntu 12.04.
>>
>> So I deactivate the ppa for sssd
>>
>> And I install an older version of libnss-sss.
>>
>> Now if I try to open a session on the workstation:
>>
>> with "NT4Domain/MyUser"
>> Dec 20 13:47:12 cyril-VB lightdm: pam_sss(lightdm:auth): authentication
>> failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=NT4Domain/MyUser
>> Dec 20 13:47:12 cyril-VB lightdm: pam_sss(lightdm:auth): received for
>> user NT4Domain/MyUser: 10 (User not known to the underlying
>> authentication module)
>>
>> with "Myuser"
>> Dec 20 14:07:55 cyril-VB lightdm: pam_succeed_if(lightdm:auth):
>> requirement "user ingroup nopasswdlogin" not met by user "Myuser"
>> Dec 20 14:07:59 cyril-VB lightdm: pam_unix(lightdm:auth): authentication
>> failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=Myuser
>> Dec 20 14:07:59 cyril-VB lightdm: pam_sss(lightdm:auth): authentication
>> failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=Myuser
>> Dec 20 14:07:59 cyril-VB lightdm: pam_sss(lightdm:auth): received for
>> user Myuser: 9 (Authentication service cannot retrieve authentication info)
>>
>> "Myuser" is an existing user on the domain and it does have Unix
>> attributes (UID and GID)
>>
>> Is there any way to install libpam-pwquality manually or from any ppa?
>> and then use the newer libnss-sss?
>>
>>
>> Cyril
>>
>
> Yep, OK. As I predicted, pam is the next issue.
>
> It looks like you have a different /etc/pam.d/common-auth to the one you
> originally posted. Can you post the latest version?
>
> I'm not sure if
> pam-auth-update
> is new enough to include sssd yet, but could you give it a go anyway?
> Steve
>
>
Here is the common-auth after a pam-auth-update:
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
Cyril
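
Added example, not part of the original thread: a small simulator that walks the common-auth stack posted above and shows how the `[success=N default=ignore]` jumps decide whether `pam_deny.so` is reached. The per-module return values passed to it are constructed inputs; `authinfo_unavail` and `user_unknown` are the PAM keywords for codes 9 and 10 seen in the logs, and only the jump and ignore actions used in this file are modelled.

```python
import re

# Active lines of the common-auth posted above (comments dropped).
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

# Modules whose auth result never varies.
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}

def parse(text):
    """Return [(control, module)] for every non-comment line."""
    pattern = re.compile(r"\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)")
    lines = [l.strip() for l in text.splitlines()]
    return [pattern.match(l).groups() for l in lines
            if l and not l.startswith("#")]

def run_stack(entries, results):
    """Walk the stack. `results` maps module -> PAM return keyword
    (constructed input); unlisted modules return 'ignore'."""
    granted, failed, trace, i = False, False, [], 0
    while i < len(entries):
        control, module = entries[i]
        ret = FIXED.get(module, results.get(module, "ignore"))
        trace.append((module, ret))
        if control.startswith("["):
            actions = dict(kv.split("=") for kv in control[1:-1].split())
            action = actions.get(ret, actions.get("default", "bad"))
            if action.isdigit():       # jump: skip the next N modules
                i += int(action)       # a jump does not set the stack status
        elif control in ("requisite", "required"):
            if ret == "success":
                granted = True         # pam_permit primes the success code
            elif ret != "ignore":
                failed = True
                if control == "requisite":
                    break              # requisite failure ends the stack
        i += 1                         # "optional" never changes the verdict here
    return ("granted" if granted and not failed else "denied"), trace

if __name__ == "__main__":
    stack = parse(COMMON_AUTH)
    # Constructed case matching the "Myuser" log: pam_unix fails, pam_sss returns 9.
    print(run_stack(stack, {"pam_unix.so": "auth_err",
                            "pam_sss.so": "authinfo_unavail"}))
```

With this stack, any `pam_sss.so` result other than success falls through to `pam_deny.so`, so both logged errors (9 and 10) end in a denied login regardless of the rest of the file.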