[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

steve steve at steve-ss.com
Fri Dec 20 08:18:22 MST 2013


On Fri, 2013-12-20 at 15:28 +0100, Cyril wrote:
> On 20/12/2013 15:05, steve wrote:
> > On Fri, 2013-12-20 at 14:48 +0100, Cyril wrote:
> >>>
> >>> I'll do some more testing. Re-try on a fresh install
> >>> And I'll do a summary.
> >>>
> >>>
> >>> Cyril
> >>>
> >>
> >> I still have an issue:
> >>
> >> When installing libpam-sss,
> >> there's a dependency libpam-pwquality (>= 1.2.2-1)
> >> But I can't find it in ubuntu 12.04.
> >>
> >> So I deactivate the ppa for sssd
> >>
> >> And I install an older version of libnss-sss.
> >>
> >> Now if I try to open a session on the workstation:
> >>
> >> with "NT4Domain/MyUser"
> >> Dec 20 13:47:12 cyril-VB lightdm: pam_sss(lightdm:auth): authentication
> >> failure; logname= uid=0 euid=0  tty=:1 ruser= rhost= user=NT4Domain/MyUser
> >> Dec 20 13:47:12 cyril-VB lightdm: pam_sss(lightdm:auth): received for
> >> user NT4Domain/MyUser: 10 (User not known to the underlying
> >> authentication module)
> >>
> >> with "Myuser"
> >> Dec 20 14:07:55 cyril-VB lightdm: pam_succeed_if(lightdm:auth):
> >> requirement "user ingroup nopasswdlogin" not met by user "Myuser"
> >> Dec 20 14:07:59 cyril-VB lightdm: pam_unix(lightdm:auth): authentication
> >> failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=  user=Myuser
> >> Dec 20 14:07:59 cyril-VB lightdm: pam_sss(lightdm:auth): authentication
> >> failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=Myuser
> >> Dec 20 14:07:59 cyril-VB lightdm: pam_sss(lightdm:auth): received for
> >> user Myuser: 9 (Authentication service cannot retrieve authentication info)
> >>
> >> "Myuser" is an existing user on the domain and it does have Unix
> >> attributes (UID and GID)
> >>
> >> Is there any way to install libpam-pwquality manually or from any ppa,
> >> and then use the newer libnss-sss?
> >>
> >>
> >> Cyril
> >>
> >
> > Yep, OK. As I predicted, pam is the next issue.
> >
> > It looks like you have a different /etc/pam.d/common-auth to the one you
> > originally posted. Can you post the latest version?
> >
> > I'm not sure if
> > pam-auth-update
> > is new enough to include sssd yet, but could you give it a go anyway?
> > Steve
> >
> >
> Here is the common-auth after a pam-auth-update
> 
> # here are the per-package modules (the "Primary" block)
> auth    [success=2 default=ignore]      pam_unix.so nullok_secure
> auth    [success=1 default=ignore]      pam_sss.so use_first_pass
> # here's the fallback if no module succeeds
> auth    requisite                       pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth    required                        pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> auth    optional                        pam_cap.so
> # end of pam-auth-update config
> 
> Cyril
> 
> 
> 
Mmm. Looks complex. On an openSUSE client, we have simply:

auth    required        pam_env.so
auth    sufficient      pam_unix.so     try_first_pass 
auth    required        pam_sss.so      use_first_pass

I know Ubuntu like to do it a la Debian so maybe not take too much
notice of that, and anyway, you need a pam_sss.so which is sssd version
friendly first. We'll also need to look at session. Meanwhile, good luck
with the build.
Steve
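
The two auth stacks compared in this thread, walked through a small simulator of PAM control-flag evaluation (an added example, not part of the original messages and not Linux-PAM's own code). The function names, the `FIXED` table and the rule that unlisted modules return `ignore` are assumptions of the sketch; return code names follow pam.conf(5), and a jump is treated as recording no verdict, which is what the `pam_permit.so` comment in the Ubuntu file describes.

```python
import re

# Keyword controls in their bracket form, per pam.conf(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}
# Simulation assumption: these modules return the same code for every user.
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success", "pam_env.so": "success"}
# Stacks copied from the messages above.
UBUNTU = """
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so"""
OPENSUSE = """
auth    required        pam_env.so
auth    sufficient      pam_unix.so     try_first_pass
auth    required        pam_sss.so      use_first_pass"""

def parse(stack_text):
    """Return [(actions, module)] for each auth line, e.g. ({'success': '2', ...}, 'pam_unix.so')."""
    rules = []
    for line in stack_text.splitlines():
        m = re.match(r"\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            control = KEYWORDS.get(m.group(1), m.group(1))
            rules.append((dict(p.split("=") for p in control[1:-1].split()), m.group(2)))
    return rules

def authenticate(stack_text, results):
    """results maps module -> return code name; modules not listed return 'ignore' (assumption)."""
    rules, i, positive, failed, called = parse(stack_text), 0, False, False, []
    while i < len(rules):
        actions, module = rules[i]
        code = FIXED.get(module) or results.get(module, "ignore")
        action = actions.get(code, actions["default"])
        called.append(module)
        i += 1 + (int(action) if action.isdigit() else 0)  # N: skip the next N modules
        if action in ("ok", "done") and not failed and code != "ignore":
            positive = True
        failed = failed or action in ("bad", "die")
        if action == "die" or (action == "done" and positive and not failed):
            break
    return positive and not failed, called
```

Feeding `authenticate(UBUNTU, ...)` a `pam_sss.so` result of `authinfo_unavail` (code 9 in the log above) ends at `pam_deny.so`, while `success` from either module jumps over it to `pam_permit.so`. In the openSUSE stack a local `pam_unix.so` success stops evaluation before `pam_sss.so` is ever called.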



