[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Rowland Penny rowlandpenny at googlemail.com
Fri Dec 20 10:21:24 MST 2013


On 20/12/13 16:56, Cyril wrote:
> On 20/12/2013 17:41, Rowland Penny wrote:
>> On 20/12/13 16:37, Cyril Lalinne wrote:
>>>
>>> On 20/12/2013 17:34, Rowland Penny wrote:
>>>> On 20/12/13 16:28, Cyril wrote:
>>>>> On 20/12/2013 17:19, Rowland Penny wrote:
>>>>>> On 20/12/13 16:08, Cyril wrote:
>>>>>>> On 20/12/2013 16:59, Rowland Penny wrote:
>>>>>>>> On 20/12/13 14:00, steve wrote:
>>>>>>>>> On Fri, 2013-12-20 at 14:40 +0100, Cyril wrote:
>>>>>>>>>> On 20/12/2013 14:19, steve wrote:
>>>>>>>>>>> On Fri, 2013-12-20 at 10:37 +0100, Cyril wrote:
>>>>>>>>>>>
>>>>>>>>>>>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>> It also asks me for a password, but the admin's one doesn't work.
>>>>>>>>>>>>
>>>>>>>>>>> Eh? You don't need a password. You already have the key!
>>>>>>>>>>> kinit -k -t /etc/krb5.sssd.keytab myserver$
>>>>>>>>>>>
>>>>>>>>>>> Could you post the output of that command?
>>>>>>>>>>>
>>>>>>>>>> That gives me nothing. No error, no warning.
>>>>>>>>>> It didn't ask me for any password.
>>>>>>>>>>
>>>>>>>>> OK. So it worked.
>>>>>>>>>>>> Am I supposed to create this principal
>>>>>>>>>>>> myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>> first, before generating the keytab on the DC?
>>>>>>>>>>>>
>>>>>>>>>>> You already have the principal. It was created when you joined
>>>>>>>>>>> the machine to the domain.
>>>>>>>>>> Oh, you mean joining the myserver machine!
>>>>>>>>>>
>>>>>>>>> No, I'm sorry. The posts crossed. I now know that the machine is not
>>>>>>>>> joined to the domain using samba. You do, somehow, however, have a
>>>>>>>>> key for the machine.
>>>>>>>>>
>>>>>>>>> And, from your other posts, your domain users can now
>>>>>>>>> authenticate on the Linux client.
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Steve
>>>>>>>>>
>>>>>>>>>
>>>>>>>> OK, seeing as how it is Christmas, here is how to get
>>>>>>>> libpam-pwquality on Ubuntu precise, using the packages from Saucy ;-)
>>>>>>>>
>>>>>>>> x86:
>>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_i386.deb
>>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_i386.deb
>>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
>>>>>>>>
>>>>>>>> sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
>>>>>>>> sudo apt-get install libcrack2
>>>>>>>> sudo dpkg -i libpwquality1_1.2.3-1_i386.deb
>>>>>>>> sudo dpkg -i libpam-pwquality_1.2.3-1_i386.deb
>>>>>>>>
>>>>>>>> x86_64:
>>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_amd64.deb
>>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_amd64.deb
>>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
>>>>>>>>
>>>>>>>> sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
>>>>>>>> sudo apt-get install libcrack2
>>>>>>>> sudo dpkg -i libpwquality1_1.2.3-1_amd64.deb
>>>>>>>> sudo dpkg -i libpam-pwquality_1.2.3-1_amd64.deb
>>>>>>>>
>>>>>>>> and there you go!
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>
>>>>>>> I already had a try, and I have the same error when I use Ubuntu
>>>>>>> 13.10:
>>>>>>>
>>>>>>> lightdm: pam_sss(lightdm:auth): authentication failure; logname=
>>>>>>> uid=0
>>>>>>> euid=0 tty=:1 ruser= rhost=  user=Myuser
>>>>>>> lightdm: pam_sss(lightdm:auth): received for user Myuser: 9
>>>>>>> (Authentication service cannot retrieve authentication info)
>>>>>>> in the auth.log file.
>>>>>>>
>>>>>>> getent passwd works, but not the authentication.
>>>>>>>
>>>>>>> I suppose there's still something wrong with the sssd.conf file.
>>>>>>>
>>>>>>> Cyril
>>>>>>>
>>>>>> OK, do you have libpam-krb5 installed? On my laptop (running Linux
>>>>>> Mint 15) I find this in auth.log:
>>>>>>
>>>>>> mdm[1843]: pam_krb5(mdm:auth): user rowland authenticated as
>>>>>> rowland at HOME.LAN
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> For me, that means that you're authenticating to the Kerberos database.
>>>>> You have a principal rowland in the Kerberos base.
>>>>> I don't want to use this authentication, because that means having two
>>>>> databases: OpenLDAP and Kerberos.
>>>>>
>>>>> I'm trying to authenticate with LDAP information.
>>>>> If I understand correctly, the Kerberos layer is there to encrypt
>>>>> communication between sssd and AD (LDAP).
>>>>>
>>>>> Cyril
>>>>>
>>>> I do not have any OpenLDAP or Kerberos databases; I am authenticating
>>>> to a Samba4 server, just like you are.
>>>>
>>>> If you do not have libpam-krb5 installed, just try installing it; you
>>>> never know, it just might cure your problems.
>>>>
>>>> Rowland
>>>>
>>> OpenLDAP and Kerberos are integrated into the Samba4 server.
>>>
>>> And you're right! I'd rather have a try!!
>>> Back in a sec.
>>>
>>> Cyril
>>>
>>>
>> OK, I will give you that Kerberos is built into Samba4, but OpenLDAP
>> isn't; Samba4 uses AD. What I meant was that I wasn't using separate
>> databases, I was just using the same as you, and as far as I could see
>> the only thing you were missing was libpam-krb5.
>>
>> Rowland
>>
> Ok ... I thought there was an OpenLDAP inside.
>
> And that's working better with libpam-krb5.  :-)
>
> Now, at the login screen, I have a message about my password that will
> expire.
> But I can't open a session:
> lightdm: pam_krb5(lightdm:auth): user clalinne authenticated as
> clalinne at SUBDOMAIN.DOMAIN.FR
> lightdm: gkr-pam: error looking up user information
> lightdm: pam_unix(lightdm:account): could not identify user (from
> getpwnam(clalinne))
>
> Cyril
>
OK, does the user's unix home directory (as set in the user's
unixHomeDirectory attribute) exist on the client that they are trying to
log into?

If not add this to the end of /etc/pam.d/common-session:

session required        pam_mkhomedir.so skel=/etc/skel umask=0022

and install libpam-modules and then try again.

Rowland
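The failure Cyril pasted, pam_krb5 accepting the password but pam_unix(account) then failing with "could not identify user (from getpwnam(...))", separates cleanly into three checks: can NSS resolve the account, does the home directory exist, and will the session stack create it if it does not. The script below is an added example, not code from the thread or from Samba/SSSD, that runs those checks against a username and a pam.d file. The username, the path /etc/pam.d/common-session and the sample passwd line and PAM lines it uses are assumptions for illustration; getent is the only external command it needs.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose why a Kerberos-authenticated
# user still cannot open a session on an SSSD client.
# Assumptions: the PAM session file defaults to /etc/pam.d/common-session and
# the usernames passed in are illustrative.

# Return 0 if an active (uncommented) session line loads pam_mkhomedir.so.
# The control field may be a keyword (required/optional) or a [..] spec.
pam_has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#[:space:]]+[[:space:]]+pam_mkhomedir\.so' "$1"
}

# Print the home directory (6th field) of a passwd-format line, as returned
# by "getent passwd USER" once sssd maps unixHomeDirectory for the account.
passwd_home() {
    printf '%s\n' "$1" | cut -d: -f6
}

# Return 0 if NSS (and therefore pam_unix's getpwnam) can resolve the user.
nss_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Decide whether a session can proceed given a home path and a pam.d file:
#   OK-EXISTS     home directory is already there
#   OK-MKHOMEDIR  missing, but pam_mkhomedir will create it at login
#   NO-HOME       missing and nothing in the stack will create it
home_status() {
    if [ -d "$1" ]; then
        echo OK-EXISTS
        return 0
    fi
    if pam_has_mkhomedir "$2"; then
        echo OK-MKHOMEDIR
        return 0
    fi
    echo NO-HOME
    return 1
}

# Full diagnosis for one user; returns 0 only when a login should succeed.
diagnose_login() {
    user=$1
    pamfile=${2:-/etc/pam.d/common-session}
    if ! nss_resolves "$user"; then
        # This is the state behind "could not identify user (from getpwnam)":
        # authentication passed, but the id lookup through sssd did not.
        echo "NSS-UNRESOLVED: getent passwd $user fails; check sssd.conf and the nss section"
        return 1
    fi
    home=$(passwd_home "$(getent passwd "$user")")
    verdict=$(home_status "$home" "$pamfile") || true
    echo "$verdict: $home (session stack: $pamfile)"
    case $verdict in
        OK-*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Usage: sh diagnose.sh USERNAME [PAMFILE]
if [ "$#" -ge 1 ]; then
    diagnose_login "$1" "$2"
fi
```

Run it as `sh diagnose.sh clalinne` on the client. NSS-UNRESOLVED points at sssd.conf and the nss section of the stack (getent passwd must work before any PAM fix matters); NO-HOME is exactly the case the pam_mkhomedir line above addresses.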


