[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Rowland Penny rowlandpenny at googlemail.com
Fri Dec 20 09:41:13 MST 2013


On 20/12/13 16:37, Cyril Lalinne wrote:
>
> On 20/12/2013 17:34, Rowland Penny wrote:
>> On 20/12/13 16:28, Cyril wrote:
>>> On 20/12/2013 17:19, Rowland Penny wrote:
>>>> On 20/12/13 16:08, Cyril wrote:
>>>>> On 20/12/2013 16:59, Rowland Penny wrote:
>>>>>> On 20/12/13 14:00, steve wrote:
>>>>>>> On Fri, 2013-12-20 at 14:40 +0100, Cyril wrote:
>>>>>>>> On 20/12/2013 14:19, steve wrote:
>>>>>>>>> On Fri, 2013-12-20 at 10:37 +0100, Cyril wrote:
>>>>>>>>>
>>>>>>>>>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>> It also asks me for a password, but the admin's one doesn't work.
>>>>>>>>>>
>>>>>>>>> Eh? You don't need a password. You already have the key!
>>>>>>>>> kinit -k -t /etc/krb5.sssd.keytab myserver$
>>>>>>>>>
>>>>>>>>> Could you post the output of that command?
>>>>>>>>>
>>>>>>>> That gives me nothing. No error, no warning.
>>>>>>>> It didn't ask me for any password.
>>>>>>>>
>>>>>>> OK. So it worked.
>>>>>>>>>> Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>> first before generating the keytab on the DC?
>>>>>>>>>>
>>>>>>>>> You already have the principal. It was created when you joined the
>>>>>>>>> machine to the domain.
>>>>>>>> Oh, you mean joining the myserver machine!
>>>>>>>>
>>>>>>> No, I'm sorry. The posts crossed. I now know that the machine is not
>>>>>>> joined to the domain using samba. You do somehow, however, have a key
>>>>>>> for the machine.
>>>>>>>
>>>>>>> And, from your other posts, your domain users can now authenticate on
>>>>>>> the Linux client.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Steve
>>>>>>>
>>>>>>>
>>>>>> OK, seeing as how it is Christmas, here is how to get libpam-pwquality
>>>>>> on Ubuntu precise, using the packages from Saucy ;-)
>>>>>>
>>>>>> x86:
>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_i386.deb
>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_i386.deb
>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
>>>>>>
>>>>>> sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
>>>>>> sudo apt-get install libcrack2
>>>>>> sudo dpkg -i libpwquality1_1.2.3-1_i386.deb
>>>>>> sudo dpkg -i libpam-pwquality_1.2.3-1_i386.deb
>>>>>>
>>>>>> x86_64:
>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_amd64.deb
>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_amd64.deb
>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
>>>>>>
>>>>>> sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
>>>>>> sudo apt-get install libcrack2
>>>>>> sudo dpkg -i libpwquality1_1.2.3-1_amd64.deb
>>>>>> sudo dpkg -i libpam-pwquality_1.2.3-1_amd64.deb
>>>>>>
>>>>>> and there you go!
>>>>>>
>>>>>> Rowland
>>>>>
>>>>> I already had a try and I have the same error when I use Ubuntu 13.10:
>>>>>
>>>>> lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=  user=Myuser
>>>>> lightdm: pam_sss(lightdm:auth): received for user Myuser: 9 (Authentication service cannot retrieve authentication info)
>>>>> in the auth.log file.
>>>>>
>>>>> getent passwd works but not the authentication.
>>>>>
>>>>> I suppose there's still something wrong with the sssd.conf file.
>>>>>
>>>>> Cyril
>>>>>
>>>> OK, do you have libpam-krb5 installed? On my laptop (running Linux Mint
>>>> 15) I find this in auth.log:
>>>>
>>>> mdm[1843]: pam_krb5(mdm:auth): user rowland authenticated as rowland@HOME.LAN
>>>>
>>>> Rowland
>>>>
>>> For me, that means that you're authenticating to the Kerberos database.
>>> You have a principal rowland in the Kerberos database.
>>> I don't want to use this authentication, because that means having two
>>> databases: OpenLDAP and Kerberos.
>>>
>>> I'm trying to authenticate with LDAP information.
>>> If I understand correctly, the Kerberos layer is there to encrypt
>>> communication between sssd and AD (LDAP).
>>>
>>> Cyril
>>>
>> I do not have any OpenLDAP or Kerberos databases, I am authenticating 
>> to a Samba4 server, just like you are.
>>
>> If you do not have libpam-krb5 installed, just try installing it, you 
>> never know, it just might cure your problems.
>>
>> Rowland
>>
> OpenLDAP and Kerberos are integrated into the Samba4 server.
>
> And you're right! I'd rather have a try!!
> Back in a sec.
>
> Cyril
>
>
OK, I will give you that Kerberos is built into Samba4, but OpenLDAP
isn't; Samba4 uses AD. What I meant was that I wasn't using separate
databases, I was just using the same as you, and as far as I could see
the only thing you were missing was libpam-krb5.

Rowland
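
Packages fetched with a plain `wget` and installed with `dpkg -i`, as in the quoted steps, skip the hash and signature checks that `apt-get` performs. As an added example (not part of the original post), this script compares a downloaded `.deb` with the SHA256 recorded in the archive's `Packages` index; the function names and the fixture are constructed here, and the index is assumed to have been authenticated already through the signed `Release` file.

```shell
#!/bin/sh
# Added example: check a manually downloaded .deb against the SHA256 recorded
# in an apt Packages index before handing it to `dpkg -i`.
# Assumption: the Packages file was already authenticated via the signed Release file.

# Print the SHA256 the index ($1) records for the package file named $2.
index_sha256() {
    awk -v want="$2" '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one stanza per record
        {
            file = ""; sum = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Filename: /) { file = $i; sub(/^Filename: /, "", file) }
                if ($i ~ /^SHA256: /)   { sum = $i;  sub(/^SHA256: /, "", sum) }
            }
            n = split(file, parts, "/")
            if (n > 0 && parts[n] == want && sum != "") { print sum; exit }
        }' "$1"
}

# verify_deb PACKAGES DEB -> 0 = hash matches, 1 = mismatch, 2 = not in the index
verify_deb() {
    expected=$(index_sha256 "$1" "$(basename "$2")")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Constructed fixture in directory $1: a stand-in file (not a real package) and an index.
make_fixture() {
    deb="$1/libpwquality1_1.2.3-1_amd64.deb"
    printf 'constructed stand-in, not a real package\n' > "$deb"
    sum=$(sha256sum "$deb" | cut -d' ' -f1)
    cat > "$1/Packages" <<EOF
Package: libpwquality-common
Filename: pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
SHA256: $(printf '%064d' 0)

Package: libpwquality1
Filename: pool/main/libp/libpwquality/libpwquality1_1.2.3-1_amd64.deb
SHA256: $sum
EOF
}

tmp=$(mktemp -d) && make_fixture "$tmp"
verify_deb "$tmp/Packages" "$deb" && echo "hash matches index: OK to dpkg -i"
echo tampered >> "$deb"
verify_deb "$tmp/Packages" "$deb" || echo "hash mismatch: do not install"
rm -rf "$tmp"
```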


