[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Rowland Penny rowlandpenny at googlemail.com
Fri Dec 20 09:34:04 MST 2013


On 20/12/13 16:28, Cyril wrote:
> On 20/12/2013 17:19, Rowland Penny wrote:
>> On 20/12/13 16:08, Cyril wrote:
>>> On 20/12/2013 16:59, Rowland Penny wrote:
>>>> On 20/12/13 14:00, steve wrote:
>>>>> On Fri, 2013-12-20 at 14:40 +0100, Cyril wrote:
>>>>>> On 20/12/2013 14:19, steve wrote:
>>>>>>> On Fri, 2013-12-20 at 10:37 +0100, Cyril wrote:
>>>>>>>
>>>>>>>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>>> It also asks me for a password but the admin's one doesn't work.
>>>>>>>>
>>>>>>> Eh? You don't need a password. You already have the key!
>>>>>>> kinit -k -t /etc/krb5.sssd.keytab myserver$
>>>>>>>
>>>>>>> Could you post the output of that command?
>>>>>>>
>>>>>> That gives me nothing. No error, no warning.
>>>>>> It didn't ask me for any password.
>>>>>>
>>>>> OK. So it worked.
>>>>>>>> Am I supposed to create this principal
>>>>>>>> myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>>> first before generating the keytab on the DC?
>>>>>>>>
>>>>>>> You already have the principal. It was created when you joined the
>>>>>>> machine to the domain.
>>>>>> Ho, you mean joining the myserver machine !
>>>>>>
>>>>> No, I'm sorry. The posts crossed. I now know that the machine is not
>>>>> joined to the domain using samba. You do somehow, however, have a key
>>>>> for the machine.
>>>>>
>>>>> And, from your other posts, your domain users can now authenticate on
>>>>> the Linux client.
>>>>>
>>>>> Cheers,
>>>>> Steve
>>>>>
>>>>>
>>>> OK, seeing as how it is Christmas, here is how to get libpam-pwquality
>>>> on Ubuntu precise, using the packages from Saucy ;-)
>>>>
>>>> x86:
>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_i386.deb
>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_i386.deb
>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
>>>>
>>>> sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
>>>> sudo apt-get install libcrack2
>>>> sudo dpkg -i libpwquality1_1.2.3-1_i386.deb
>>>> sudo dpkg -i libpam-pwquality_1.2.3-1_i386.deb
>>>>
>>>> x86_64:
>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_amd64.deb
>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_amd64.deb
>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
>>>>
>>>> sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
>>>> sudo apt-get install libcrack2
>>>> sudo dpkg -i libpwquality1_1.2.3-1_amd64.deb
>>>> sudo dpkg -i libpam-pwquality_1.2.3-1_amd64.deb
>>>>
>>>> and there you go!
>>>>
>>>> Rowland
>>>
>>> I already had a try and I have the same error when I use ubuntu 13.10 :
>>>
>>> lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=  user=Myuser
>>> lightdm: pam_sss(lightdm:auth): received for user Myuser: 9 (Authentication service cannot retrieve authentication info)
>>> in the auth.log file.
>>>
>>> getent passwd works but not the authentication.
>>>
>>> I suppose there's still something wrong with the sssd.conf file.
>>>
>>> Cyril
>>>
>> OK, do you have libpam-krb5 installed? On my laptop (running Linux Mint
>> 15) I find this in auth.log:
>>
>> mdm[1843]: pam_krb5(mdm:auth): user rowland authenticated as rowland@HOME.LAN
>>
>> Rowland
>>
> For me, that means that you're authenticating to the Kerberos database.
> You have a principal rowland in the Kerberos database.
> I don't want to use this authentication, because that means having two
> databases: OpenLDAP and Kerberos.
>
> I'm trying to authenticate with LDAP information.
> If I understand well, the Kerberos layer is there to encrypt
> communication between sssd and AD (LDAP).
>
> Cyril
>
I do not have any OpenLDAP or Kerberos databases, I am authenticating to 
a Samba4 server, just like you are.

If you do not have libpam-krb5 installed, just try installing it, you 
never know, it just might cure your problems.

Rowland


