[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril cyril.lalinne at 3d-com.fr
Fri Dec 20 09:28:14 MST 2013


On 20/12/2013 17:19, Rowland Penny wrote:
> On 20/12/13 16:08, Cyril wrote:
>> On 20/12/2013 16:59, Rowland Penny wrote:
>>> On 20/12/13 14:00, steve wrote:
>>>> On Fri, 2013-12-20 at 14:40 +0100, Cyril wrote:
>>>>> On 20/12/2013 14:19, steve wrote:
>>>>>> On Fri, 2013-12-20 at 10:37 +0100, Cyril wrote:
>>>>>>
>>>>>>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>> It also asks me for a password, but the admin's one doesn't work.
>>>>>>>
>>>>>> Eh? You don't need a password. You already have the key!
>>>>>> kinit -k -t /etc/krb5.sssd.keytab myserver$
>>>>>>
>>>>>> Could you post the output of that command?
>>>>>>
>>>>> That gives me nothing. No error, no warning.
>>>>> It didn't ask me for any password.
>>>>>
>>>> OK. So it worked.
>>>>>>> Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>> first, before generating the keytab on the DC?
>>>>>>>
>>>>>> You already have the principal. It was created when you joined the
>>>>>> machine to the domain.
>>>>> Oh, you mean joining the myserver machine!
>>>>>
>>>> No, I'm sorry. The posts crossed. I now know that the machine is not
>>>> joined to the domain using samba. You do somehow, however, have a key
>>>> for the machine.
>>>>
>>>> And, from your other posts, your domain users can now authenticate on
>>>> the Linux client.
>>>>
>>>> Cheers,
>>>> Steve
>>>>
>>>>
>>> OK, seeing as how it is Christmas, here is how to get libpam-pwquality
>>> on Ubuntu precise, using the packages from Saucy ;-)
>>>
>>> x86:
>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_i386.deb
>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_i386.deb
>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
>>>
>>> sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
>>> sudo apt-get install libcrack2
>>> sudo dpkg -i libpwquality1_1.2.3-1_i386.deb
>>> sudo dpkg -i libpam-pwquality_1.2.3-1_i386.deb
>>>
>>> x86_64:
>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_amd64.deb
>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_amd64.deb
>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
>>>
>>> sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
>>> sudo apt-get install libcrack2
>>> sudo dpkg -i libpwquality1_1.2.3-1_amd64.deb
>>> sudo dpkg -i libpam-pwquality_1.2.3-1_amd64.deb
>>>
>>> and there you go!
>>>
>>> Rowland
>>
>> I already tried that, and I get the same error when I use Ubuntu 13.10:
>>
>> lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0
>> euid=0 tty=:1 ruser= rhost=  user=Myuser
>> lightdm: pam_sss(lightdm:auth): received for user Myuser: 9
>> (Authentication service cannot retrieve authentication info)
>> in the auth.log file.
>>
>> getent passwd works, but not the authentication.
>>
>> I suppose there's still something wrong with the sssd.conf file.
>>
>> Cyril
>>
> OK, do you have libpam-krb5 installed? On my laptop (running Linux Mint
> 15) I find this in auth.log:
>
> mdm[1843]: pam_krb5(mdm:auth): user rowland authenticated as
> rowland@HOME.LAN
>
> Rowland
>
To me, that means you're authenticating against the Kerberos database. You
have a principal rowland in the Kerberos database.
I don't want to use this authentication, because that means having two
databases: OpenLDAP and Kerberos.

I'm trying to authenticate with LDAP information.
If I understand correctly, the Kerberos layer is there to encrypt
communication between sssd and AD (LDAP).

Cyril
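
Added example, not part of the original thread or of any poster's setup: a small triage script for the two kinds of auth.log lines quoted above. It rejoins wrapped records and maps the numeric pam_sss result to its Linux-PAM name, so that code 9 (PAM_AUTHINFO_UNAVAIL, the module could not consult its authentication backend) is kept apart from code 7 (PAM_AUTH_ERR, credentials rejected). The function names and the SAMPLE text are assumptions; SAMPLE is constructed from the excerpts in the thread.

```python
import re

# Linux-PAM return codes (security/_pam_types.h) useful for login triage.
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

TAG = re.compile(r"pam_\w+\([^)]*\):")  # marks the start of a PAM record
SSS_RE = re.compile(r"pam_sss\((?P<service>[^:]+):\w+\): received for user "
                    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")
KRB_RE = re.compile(r"pam_krb5\((?P<service>[^:]+):\w+\): user (?P<user>\S+) "
                    r"authenticated as (?P<principal>\S+)")

def unwrap(text):
    """Rejoin records that mail or terminal wrapping split across lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TAG.search(line) or not records:
            records.append(line)          # new record
        else:
            records[-1] += " " + line     # continuation of the previous one
    return records

def triage(text):
    """Return one dict per recognised PAM result in the log text."""
    events = []
    for rec in unwrap(text):
        m = SSS_RE.search(rec)
        if m:
            code = int(m["code"])
            events.append({"module": "pam_sss", "service": m["service"],
                           "user": m["user"], "code": code,
                           "name": PAM_CODES.get(code, "UNMAPPED"),
                           # 9 = backend not consulted, not a bad password
                           "backend_problem": code == 9})
            continue
        m = KRB_RE.search(rec)
        if m:
            events.append({"module": "pam_krb5", "service": m["service"],
                           "user": m["user"], "code": 0, "name": "PAM_SUCCESS",
                           "principal": m["principal"]})
    return events

# Constructed sample: the excerpts quoted in the thread, wrapped as in the mail.
SAMPLE = """lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0
euid=0 tty=:1 ruser= rhost=  user=Myuser
lightdm: pam_sss(lightdm:auth): received for user Myuser: 9
(Authentication service cannot retrieve authentication info)
mdm[1843]: pam_krb5(mdm:auth): user rowland authenticated as
rowland@HOME.LAN
"""

if __name__ == "__main__":
    for event in triage(SAMPLE):
        print(event)
```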


