[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril cyril.lalinne at 3d-com.fr
Fri Dec 20 09:00:34 MST 2013 

Le 20/12/2013 16:18, steve a écrit :
> On Fri, 2013-12-20 at 15:28 +0100, Cyril wrote:
>> Le 20/12/2013 15:05, steve a écrit :
>>> On Fri, 2013-12-20 at 14:48 +0100, Cyril wrote:
>>>>>
>>>>> I'll do some more testing. Re-try on a fresh install
>>>>> And I'll do a summary.
>>>>>
>>>>>
>>>>> Cyril
>>>>>
>>>>
>>>> I still have issue :
>>>>
>>>> When installing libpam-sss,
>>>> there's a dependency libpam-pwquality (>= 1.2.2-1)
>>>> But I can't find it in ubuntu 12.04.
>>>>
>>>> So I deactivate the ppa for ssd
>>>>
>>>> And I install an older version of libnss-sss.
>>>>
>>>> Now If I try to open a session on the workstation :
>>>>
>>>> with "NT4Domain/MyUser"
>>>> Dec 20 13:47:12 cyril-VB lightdm: pam_sss(lightdm:auth): authentication
>>>> failure; logname= uid=0 euid=0  tty=:1 ruser= rhost= user=NT4Domain/MyUser
>>>> Dec 20 13:47:12 cyril-VB lightdm: pam_sss(lightdm:auth): received for
>>>> user NT4Domain/MyUser: 10 (User not known to the underlying
>>>> authentication module)
>>>>
>>>> with "Myuser"
>>>> Dec 20 14:07:55 cyril-VB lightdm: pam_succeed_if(lightdm:auth):
>>>> requirement "user ingroup nopasswdlogin" not met by user "Myuser"
>>>> Dec 20 14:07:59 cyril-VB lightdm: pam_unix(lightdm:auth): authentication
>>>> failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=  user=Myuser
>>>> Dec 20 14:07:59 cyril-VB lightdm: pam_sss(lightdm:auth): authentication
>>>> failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=Myuser
>>>> Dec 20 14:07:59 cyril-VB lightdm: pam_sss(lightdm:auth): received for
>>>> user Myuser: 9 (Authentication service cannot retrieve authentication info)
>>>>
>>>> "Myuser" is an existing user on the domain and It does have Unix
>>>> attribut (UID and GID)
>>>>
>>>> Is there any way to install libpam-pwquality manually or from any ppa ?
>>>> and then use the newer libnss-sss ?
>>>>
>>>>
>>>> Cyril
>>>>
>>>
>>> Yep, OK. As I predicted, pam is the next issue.
>>>
>>> It looks like you have a different /etc/pam.d/common-auth to the one you
>>> originally posted. Can you post the latest version?
>>>
>>> I'm not sure if
>>> pam-auth-update
>>> is new enough to include sssd yet, but cold you give it a go anyway?
>>> Steve
>>>
>>>
>> Here is the common-auth after a pam-auth-update
>>
>> # here are the per-package modules (the "Primary" block)
>> auth    [success=2 default=ignore]      pam_unix.so nullok_secure
>> auth    [success=1 default=ignore]      pam_sss.so use_first_pass
>> # here's the fallback if no module succeeds
>> auth    requisite                       pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> auth    required                        pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> auth    optional                        pam_cap.so
>> # end of pam-auth-update config
>>
>> Cyril
>>
>>
>>
> Mmm. Looks complex. On an openSUSE client, we have simply:
>
> auth    required        pam_env.so
> auth    sufficient      pam_unix.so     try_first_pass
> auth    required        pam_sss.so      use_first_pass
>
> I know Ubuntu like to do it a la Debian so maybe not take too much
> notice of that, and anyway, you need a pam_sss.so which is sssd version
> friendly first. We'll also need to look at session. Meanwhile, good luck
> with the build.
> Steve
>
>
I had a try with ubuntu 13.10 to get newer version of sssd and pam ...

I have the same issue.
I can do getent passwd and see domain users, but authentication at login 
doesn't work.
I think there's still something wrong with my sssd.conf.

Here is the summary of what I done :


DC is CentOS 6.4
With SAMBA4 and a dhcp installed
DC Hostname : myserver
Realm et DNS domain name : subdomain.domain.fr
NT4 domain name : subdomain
IP : 192.168.1.7

Workstation is
Ubuntu 12.04 64Bit LTS
DHCP

I install :
sudo apt-get install sssd sssd-tools krb5-user libnss-sss libpam-sss

If ask, configure the realm in Uppercase
exemple : SUBDOMAIN.DOMAIN.FR

and check it /etc/krb5.conf

copy / create sssd.conf

Update /etc/hosts and /etc/hostname so it contain the FQDN

copy keytab from server

sudo scp root at myserver:/etc/krb5.sssd.keytab /etc/krb5.sssd.keytab

Update PAM :

sudo pam-auth-update

start sssd

Allow manuel login in LightDM
/etc/lightdm/lightdm.conf
or /etc/lightdm/lightdm.conf.d/10-ubuntu.conf
Append :
greeter-show-manual-login=true

I can see the workstation in the DNS zone
but not in the list of computer of the domain

Reboot and ..

Still not working :

lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 
euid=0 tty=:1 ruser= rhost=  user=Myuser
lightdm: pam_sss(lightdm:auth): received for user Myuser: 9 
(Authentication service cannot retrieve authentication info)
in the auth.log file.


Cyril

More information about the samba mailing list