[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril cyril.lalinne at 3d-com.fr
Fri Dec 20 09:56:49 MST 2013


On 20/12/2013 17:41, Rowland Penny wrote:
> On 20/12/13 16:37, Cyril Lalinne wrote:
>>
>> On 20/12/2013 17:34, Rowland Penny wrote:
>>> On 20/12/13 16:28, Cyril wrote:
>>>> On 20/12/2013 17:19, Rowland Penny wrote:
>>>>> On 20/12/13 16:08, Cyril wrote:
>>>>>> On 20/12/2013 16:59, Rowland Penny wrote:
>>>>>>> On 20/12/13 14:00, steve wrote:
>>>>>>>> On Fri, 2013-12-20 at 14:40 +0100, Cyril wrote:
>>>>>>>>> On 20/12/2013 14:19, steve wrote:
>>>>>>>>>> On Fri, 2013-12-20 at 10:37 +0100, Cyril wrote:
>>>>>>>>>>
>>>>>>>>>>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>> It also asks me for a password, but the admin's one doesn't work.
>>>>>>>>>>>
>>>>>>>>>> Eh? You don't need a password. You already have the key!
>>>>>>>>>> kinit -k -t /etc/krb5.sssd.keytab myserver$
>>>>>>>>>>
>>>>>>>>>> Could you post the output of that command?
>>>>>>>>>>
>>>>>>>>> That gives me nothing. No error, no warning.
>>>>>>>>> It didn't ask me for any password.
>>>>>>>>>
>>>>>>>> OK. So it worked.
>>>>>>>>>>> Am I supposed to create this principal
>>>>>>>>>>> myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>> first, before generating the keytab on the DC?
>>>>>>>>>>>
>>>>>>>>>> You already have the principal. It was created when you joined
>>>>>>>>>> the machine to the domain.
>>>>>>>>> Oh, you mean joining the myserver machine!
>>>>>>>>>
>>>>>>>> No, I'm sorry. The posts crossed. I now know that the machine is not
>>>>>>>> joined to the domain using samba. You do somehow, however, have a
>>>>>>>> key for the machine.
>>>>>>>>
>>>>>>>> And, from your other posts, your domain users can now
>>>>>>>> authenticate on the Linux client.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Steve
>>>>>>>>
>>>>>>>>
>>>>>>> OK, seeing as how it is Christmas, here is how to get
>>>>>>> libpam-pwquality on Ubuntu precise, using the packages from Saucy ;-)
>>>>>>>
>>>>>>> x86:
>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_i386.deb
>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_i386.deb
>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
>>>>>>>
>>>>>>> sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
>>>>>>> sudo apt-get install libcrack2
>>>>>>> sudo dpkg -i libpwquality1_1.2.3-1_i386.deb
>>>>>>> sudo dpkg -i libpam-pwquality_1.2.3-1_i386.deb
>>>>>>>
>>>>>>> x86_64:
>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_amd64.deb
>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_amd64.deb
>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
>>>>>>>
>>>>>>> sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
>>>>>>> sudo apt-get install libcrack2
>>>>>>> sudo dpkg -i libpwquality1_1.2.3-1_amd64.deb
>>>>>>> sudo dpkg -i libpam-pwquality_1.2.3-1_amd64.deb
>>>>>>>
>>>>>>> and there you go!
>>>>>>>
>>>>>>> Rowland
>>>>>>
>>>>>> I already had a try, and I get the same error when I use Ubuntu 13.10:
>>>>>>
>>>>>> lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=  user=Myuser
>>>>>> lightdm: pam_sss(lightdm:auth): received for user Myuser: 9 (Authentication service cannot retrieve authentication info)
>>>>>>
>>>>>> in the auth.log file.
>>>>>>
>>>>>> getent passwd works, but not the authentication.
>>>>>>
>>>>>> I suppose there's still something wrong with the sssd.conf file.
>>>>>>
>>>>>> Cyril
>>>>>>
>>>>> OK, do you have libpam-krb5 installed? On my laptop (running Linux
>>>>> Mint 15) I find this in auth.log:
>>>>>
>>>>> mdm[1843]: pam_krb5(mdm:auth): user rowland authenticated as rowland@HOME.LAN
>>>>>
>>>>> Rowland
>>>>>
>>>> For me, that means that you're authenticating to the Kerberos database.
>>>> You have a principal rowland in the Kerberos database.
>>>> I don't want to use this authentication, because that means having two
>>>> databases: OpenLDAP and Kerberos.
>>>>
>>>> I'm trying to authenticate with LDAP information.
>>>> If I understand correctly, the Kerberos layer is there to encrypt
>>>> communication between sssd and AD (LDAP).
>>>>
>>>> Cyril
>>>>
>>> I do not have any OpenLDAP or Kerberos databases; I am authenticating
>>> to a Samba4 server, just like you are.
>>>
>>> If you do not have libpam-krb5 installed, just try installing it. You
>>> never know, it just might cure your problems.
>>>
>>> Rowland
>>>
>> OpenLDAP and Kerberos are integrated into the Samba4 server.
>>
>> And you're right ! I'd rather have a try !!
>> Back in a sec.
>>
>> Cyril
>>
>>
> OK, I will give you that Kerberos is built into Samba4, but OpenLDAP
> isn't; Samba4 uses AD. What I meant was that I wasn't using separate
> databases, I was just using the same as you, and as far as I could see
> the only thing you were missing was libpam-krb5.
>
> Rowland
>
Ok ... I thought there was an OpenLDAP inside.

And that's working better with libpam-krb5.  :-)

Now, at the login screen, I have a message that my password will
expire.
But I can't open a session:

lightdm: pam_krb5(lightdm:auth): user clalinne authenticated as clalinne@SUBDOMAIN.DOMAIN.FR
lightdm: gkr-pam: error looking up user information
lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(clalinne))

Cyril
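As an added example that is not part of the thread: a small Python triage of the PAM lines quoted in this message, separating the auth stage (pam_sss / pam_krb5, i.e. SSSD and Kerberos) from the account stage (pam_unix calling getpwnam(), i.e. NSS). The sample log is the thread's own lines re-typed here so the script runs offline; the suggested checks are assumptions about a typical sssd setup, not advice from the list.

```python
import re

# Pull "<module>(<service>:<stage>): <message>" out of a PAM syslog line,
# whatever timestamp/hostname prefix precedes it.
PAM_RE = re.compile(r"(?P<mod>pam_\w+)\((?P<svc>[\w-]+):(?P<stage>\w+)\):\s+(?P<msg>.*)$")
# The numeric PAM return code in "received for user X: <code> (<text>)".
CODE_RE = re.compile(r":\s+(\d+)\s+\(")

# Constructed sample: the auth.log lines quoted in the thread, one per line.
SAMPLE_LOG = """\
lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=  user=Myuser
lightdm: pam_sss(lightdm:auth): received for user Myuser: 9 (Authentication service cannot retrieve authentication info)
lightdm: pam_krb5(lightdm:auth): user clalinne authenticated as clalinne@SUBDOMAIN.DOMAIN.FR
lightdm: gkr-pam: error looking up user information
lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(clalinne))
"""


def parse_pam_lines(text):
    """Return (module, stage, message) for every line that is a PAM module message."""
    events = []
    for line in text.splitlines():
        m = PAM_RE.search(line)
        if m:
            events.append((m["mod"], m["stage"], m["msg"]))
    return events


def diagnose(events):
    """Map each PAM event to the layer it implicates: auth (SSSD/Kerberos) or account (NSS)."""
    findings = []
    for mod, stage, msg in events:
        if mod == "pam_sss" and stage == "auth" and "received for user" in msg:
            code = int(CODE_RE.search(msg).group(1))
            # 9 is PAM_AUTHINFO_UNAVAIL: SSSD could not reach its auth backend.
            what = "SSSD could not reach its auth backend" if code == 9 else f"pam_sss returned {code}"
            findings.append(f"auth: {what}; check auth_provider and the krb5_* settings in sssd.conf")
        elif mod == "pam_krb5" and stage == "auth" and "authenticated as" in msg:
            findings.append("auth: Kerberos authentication succeeded via pam_krb5")
        elif stage == "account" and "getpwnam" in msg:
            # Auth passed but the account stage cannot look the user up: an NSS problem, not a Kerberos one.
            findings.append("account: getpwnam() failed, NSS does not resolve the user; "
                            "check 'passwd: ... sss' in /etc/nsswitch.conf and that sssd is running")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_pam_lines(SAMPLE_LOG)):
        print(finding)
```

Run it over a real auth.log instead of SAMPLE_LOG to see which stage is failing before touching sssd.conf.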
