[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril Lalinne cyril.lalinne at 3d-com.fr
Fri Dec 20 09:37:26 MST 2013


On 20/12/2013 17:34, Rowland Penny wrote:
> On 20/12/13 16:28, Cyril wrote:
>> On 20/12/2013 17:19, Rowland Penny wrote:
>>> On 20/12/13 16:08, Cyril wrote:
>>>> On 20/12/2013 16:59, Rowland Penny wrote:
>>>>> On 20/12/13 14:00, steve wrote:
>>>>>> On Fri, 2013-12-20 at 14:40 +0100, Cyril wrote:
>>>>>>> On 20/12/2013 14:19, steve wrote:
>>>>>>>> On Fri, 2013-12-20 at 10:37 +0100, Cyril wrote:
>>>>>>>>
>>>>>>>>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>>>> It also asks me for a password but the admin's one doesn't work.
>>>>>>>>>
>>>>>>>> Eh? You don't need a password. You already have the key!
>>>>>>>> kinit -k -t /etc/krb5.sssd.keytab myserver$
>>>>>>>>
>>>>>>>> Could you post the output of that command?
>>>>>>>>
>>>>>>> That gives me nothing. No error, no warning.
>>>>>>> It didn't ask me for any password.
>>>>>>>
>>>>>> OK. So it worked.
>>>>>>>>> Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>>>> first before generating the keytab on the DC?
>>>>>>>>>
>>>>>>>> You already have the principal. It was created when you joined the
>>>>>>>> machine to the domain.
>>>>>>> Oh, you mean joining the myserver machine!
>>>>>>>
>>>>>> No, I'm sorry. The posts crossed. I now know that the machine is not
>>>>>> joined to the domain using samba. You do somehow however, have a key
>>>>>> for the machine.
>>>>>>
>>>>>> And, from your other posts, your domain users can now authenticate on
>>>>>> the Linux client.
>>>>>>
>>>>>> Cheers,
>>>>>> Steve
>>>>>>
>>>>>>
>>>>> OK, seeing as how it is Christmas, here is how to get libpam-pwquality
>>>>> on Ubuntu precise, using the packages from Saucy ;-)
>>>>>
>>>>> x86:
>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_i386.deb
>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_i386.deb
>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
>>>>>
>>>>> sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
>>>>> sudo apt-get install libcrack2
>>>>> sudo dpkg -i libpwquality1_1.2.3-1_i386.deb
>>>>> sudo dpkg -i libpam-pwquality_1.2.3-1_i386.deb
>>>>>
>>>>> x86_64:
>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_amd64.deb
>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_amd64.deb
>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
>>>>>
>>>>> sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
>>>>> sudo apt-get install libcrack2
>>>>> sudo dpkg -i libpwquality1_1.2.3-1_amd64.deb
>>>>> sudo dpkg -i libpam-pwquality_1.2.3-1_amd64.deb
>>>>>
>>>>> and there you go!
>>>>>
>>>>> Rowland
>>>>
>>>> I already had a try and I have the same error when I use Ubuntu 13.10:
>>>>
>>>> lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=  user=Myuser
>>>> lightdm: pam_sss(lightdm:auth): received for user Myuser: 9 (Authentication service cannot retrieve authentication info)
>>>> in the auth.log file.
>>>>
>>>> getent passwd works but not the authentication.
>>>>
>>>> I suppose there's still something wrong with the sssd.conf file.
>>>>
>>>> Cyril
>>>>
>>> OK, do you have libpam-krb5 installed? On my laptop (running Linux Mint
>>> 15) I find this in auth.log:
>>>
>>> mdm[1843]: pam_krb5(mdm:auth): user rowland authenticated as
>>> rowland at HOME.LAN
>>>
>>> Rowland
>>>
>> For me, that means that you're authenticating to a Kerberos database.
>> You have a principal rowland in the Kerberos base.
>> I don't want to use this authentication, because that means having two
>> databases: OpenLDAP and Kerberos.
>>
>> I'm trying to authenticate with LDAP information.
>> If I understand well, the Kerberos layer is there to encrypt
>> communication between sssd and AD (LDAP).
>>
>> Cyril
>>
> I do not have any OpenLDAP or Kerberos databases, I am authenticating 
> to a Samba4 server, just like you are.
>
> If you do not have libpam-krb5 installed, just try installing it, you 
> never know, it just might cure your problems.
>
> Rowland
>
OpenLDAP and Kerberos are integrated into the Samba4 server.

And you're right! I'd rather have a try!!
Back in a sec.

Cyril
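
Added example, not part of the original thread or of any poster's code: a small triage script for the pam_sss lines quoted above, separating PAM code 9 (the authentication backend could not be reached or is misconfigured) from code 7 (wrong credentials). The sample lines, the host name "client" and the user "alice" are constructed; the numeric codes are the Linux-PAM return values.

```python
import re
from collections import defaultdict

# Linux-PAM return codes (security/_pam_types.h) and what they point to.
PAM_CODES = {
    4: ("PAM_SYSTEM_ERR", "backend"),
    7: ("PAM_AUTH_ERR", "credentials"),
    9: ("PAM_AUTHINFO_UNAVAIL", "backend"),
    10: ("PAM_USER_UNKNOWN", "identity"),
}

PAM_SSS = re.compile(
    r"pam_sss\((?P<service>[^:)]+):(?P<phase>\w+)\): "
    r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

def parse_line(line):
    """Return a dict for a pam_sss result line, or None for anything else."""
    m = PAM_SSS.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    name, kind = PAM_CODES.get(code, ("PAM_%d" % code, "other"))
    return {"user": m.group("user"), "service": m.group("service"),
            "code": code, "name": name, "kind": kind}

def triage(lines):
    """Count failure kinds per user so backend faults are not read as bad passwords."""
    out = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec:
            out[rec["user"]][rec["kind"]] += 1
    return {u: dict(k) for u, k in out.items()}

# Constructed sample lines modelled on the auth.log excerpt quoted in the thread.
SAMPLE = [
    "Dec 20 17:05:11 client lightdm: pam_sss(lightdm:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=:1 ruser= rhost= user=Myuser",
    "Dec 20 17:05:11 client lightdm: pam_sss(lightdm:auth): received for user Myuser: 9 "
    "(Authentication service cannot retrieve authentication info)",
    "Dec 20 17:06:40 client sshd[2201]: pam_sss(sshd:auth): received for user alice: 7 "
    "(Authentication failure)",
    "Dec 20 17:06:41 client mdm[1843]: pam_krb5(mdm:auth): user rowland authenticated as "
    "rowland@HOME.LAN",
]

if __name__ == "__main__":
    for user, kinds in triage(SAMPLE).items():
        print(user, kinds)
```

A user whose failures are all "backend" points at sssd.conf, the keytab or reachability of the server rather than at the password; repeated "credentials" failures are the ones worth alerting on.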



