[Samba] Linux client of the domain - SSSD : authenticating via Kerberos
L.P.H. van Belle
belle at bazuin.nl
Mon Dec 23 02:50:54 MST 2013
I don't know if anybody noticed the following:
>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>
>>>>>>>>>>> passwd: compat sss
>>>>>>>>>>> group: compat sss
>>>>>>>>>>> shadow: compat
>>>>>>>>>>>
>>>>>>>>>>> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>>>>>>>> networks: files
Which can cause resolving problems.
>>>>>>>>>>> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
change it to:
hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4
greetz,
Louis
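As an added example (not from the thread, and not Louis's own code), here is a small Python audit of the nsswitch.conf ordering discussed above. It parses the file the way glibc reads it (an action bracket such as [NOTFOUND=return] binds to the source just before it), reports sources that are consulted before dns, and reproduces the token move that Louis's corrected hosts line shows. The sample input is constructed from the lines quoted in the mail.

```python
"""Audit and rewrite the 'hosts:' line of an nsswitch.conf.

Added example, not code from the mailing-list thread: it reports sources
consulted before 'dns' and reproduces the dns-first ordering Louis posted."""
import re

# Constructed sample: the ordering quoted in the thread.
ORIGINAL = """passwd: compat sss
group: compat sss
shadow: compat

hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
networks: files
"""

# A bracketed action list, or a plain source name.
_TOKEN = re.compile(r"\[[^\]]*\]|\S+")
_ACTION = re.compile(r"(!?)(\w+)=(\w+)")


def parse_nsswitch(text):
    """Return {database: [(source, {STATUS: action}), ...]}.

    An action token such as '[NOTFOUND=return]' applies to the source that
    precedes it; a leading action with no source is ignored, as glibc does."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        entries = []
        for tok in _TOKEN.findall(rest):
            if tok.startswith("["):
                if entries:
                    for neg, status, action in _ACTION.findall(tok):
                        if not neg:  # negated '!STATUS=' forms are skipped here
                            entries[-1][1][status.upper()] = action.lower()
            else:
                entries.append((tok, {}))
        db[name.strip()] = entries
    return db


def hosts_issues(db):
    """List reasons a name lookup may not reach 'dns' in the given order."""
    entries = db.get("hosts", [])
    sources = [s for s, _ in entries]
    if "dns" not in sources:
        return ["hosts: no 'dns' source; domain names will not be resolved"]
    issues = []
    for src, actions in entries[: sources.index("dns")]:
        if src.startswith("mdns"):
            issues.append(f"hosts: '{src}' is consulted before 'dns'")
        if actions.get("NOTFOUND") == "return":
            issues.append(f"hosts: '{src}' [NOTFOUND=return] precedes 'dns'; "
                          "a negative answer ends the lookup before dns runs")
    return issues


def dns_first(hosts_line):
    """Move the 'dns' token ahead of the first mdns source, leaving action
    brackets where they are (the edit Louis's corrected line shows)."""
    key, rest = hosts_line.split(":", 1)
    toks = _TOKEN.findall(rest)
    if "dns" in toks:
        toks.remove("dns")
        first_mdns = next((i for i, t in enumerate(toks)
                           if t.startswith("mdns")), len(toks))
        toks.insert(first_mdns, "dns")
    return f"{key.strip()}: " + " ".join(toks)


def audit(text):
    """Return (issues_before, rewritten_hosts_line, issues_after)."""
    before = hosts_issues(parse_nsswitch(text))
    hosts_line = next(l for l in text.splitlines() if l.startswith("hosts:"))
    fixed = dns_first(hosts_line)
    after = hosts_issues(parse_nsswitch(fixed))
    return before, fixed, after


if __name__ == "__main__":
    before, fixed, after = audit(ORIGINAL)
    print("\n".join(before) or "no issues")
    print("rewrite:", fixed)
    print("\n".join(after) or "no issues after rewrite")
```

Run it against the real file with `audit(open("/etc/nsswitch.conf").read())`; the rewrite is returned as a string rather than written back, so the change stays a reviewed edit.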
>-----Original Message-----
>From: cyril.lalinne at 3d-com.fr
>[mailto:samba-bounces at lists.samba.org] On behalf of Cyril
>Sent: Friday, 20 December 2013 10:37
>To: samba at lists.samba.org
>Subject: Re: [Samba] Linux client of the domain - SSSD :
>authenticating via Kerberos
>
>On 19/12/2013 19:16, steve wrote:
>> On Thu, 2013-12-19 at 18:11 +0000, Rowland Penny wrote:
>>> On 19/12/13 18:00, Cyril wrote:
>>>> On 19/12/2013 18:16, steve wrote:
>>>>> On Thu, 2013-12-19 at 18:00 +0100, Cyril Lalinne wrote:
>>>>>> On 19/12/2013 17:53, Rowland Penny wrote:
>>>>>>> On 19/12/13 16:46, Cyril wrote:
>>>>>>>> On 19/12/2013 17:42, Rowland Penny wrote:
>>>>>>>>> On 19/12/13 16:22, steve wrote:
>>>>>>>>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>>>>>>>>>>> On 19/12/13 15:53, Cyril wrote:
>>>>>>>>>>>> On 19/12/2013 16:05, steve wrote:
>>>>>>>>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>>>>>>>>>> On 18/12/2013 15:40, Cyril wrote:
>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I think I'm starting to understand how Linux client can be
>>>>>>>>>>>>>>> integrated into a samba domain.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Tell me if I'm wrong :
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Linux clients don't need Samba for authentication, only the
>>>>>>>>>>>>>>> ldap part of samba.
>>>>>>>>>>>>>>> sssd, through kerberos, gets information from ldap. If the
>>>>>>>>>>>>>>> user is known or has the right, he can log in.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So why should I need to install winbind and samba4 on the
>>>>>>>>>>>>>>> linux client?
>>>>>>>>>>>>>>> Is it only if I have a Windows AD ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I can't get sssd working and I don't know why.
>>>>>>>>>>>>> Hi
>>>>>>>>>>>>> Please post the censored content of:
>>>>>>>>>>>>> /etc/sssd/sssd.conf
>>>>>>>>>>>>> and the passwd and group greps of:
>>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>> and, for later:
>>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> The workstation is an Ubuntu 12.04 LTS 64Bit
>>>>>>>>>>>>
>>>>>>>>>>>> /etc/sssd/sssd.conf :
>>>>>>>>>>>>
>>>>>>>>>>>> [sssd]
>>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>>> domains = default
>>>>>>>>>>>>
>>>>>>>>>>>> [nss]
>>>>>>>>>>>>
>>>>>>>>>>>> [pam]
>>>>>>>>>>>>
>>>>>>>>>>>> [domain/default]
>>>>>>>>>>>> ad_hostname = myserver.sub-domain.domain.fr
>>>>>>>>>>>> ad_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>> ad_domain = sub-domain.domain.fr
>>>>>>>>>>>>
>>>>>>>>>>>> ldap_schema = ad
>>>>>>>>>>>> id_provider = ad
>>>>>>>>>>>> access_provider = simple
>>>>>>>>>>>>
>>>>>>>>>>>> # on large directories, you may want to disable enumeration
>>>>>>>>>>>> # for performance reasons
>>>>>>>>>>>> enumerate = true
>>>>>>>>>>>>
>>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>>> ldap_sasl_mech = gssapi
>>>>>>>>>>>> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>> krb5_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>>>>>>>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>>
>>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>>> ldap_uri = ldap://myserverIPadress
>>>>>>>>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>>>>>>>>>>
>>>>>>>>>>>> dyndns_update=false
>>>>>>>>>>>>
>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>
>>>>>>>>>>>> passwd: compat sss
>>>>>>>>>>>> group: compat sss
>>>>>>>>>>>> shadow: compat
>>>>>>>>>>>>
>>>>>>>>>>>> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>>>>>>>>> networks: files
>>>>>>>>>>>>
>>>>>>>>>>>> protocols: db files
>>>>>>>>>>>> services: db files
>>>>>>>>>>>> ethers: db files
>>>>>>>>>>>> rpc: db files
>>>>>>>>>>>>
>>>>>>>>>>>> netgroup: nis
>>>>>>>>>>>> sudoers: files sss
>>>>>>>>>>>>
>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> # here are the per-package modules (the "Primary" block)
>>>>>>>>>>>> auth [success=1 default=ignore] pam_unix.so nullok_secure
>>>>>>>>>>>> # here's the fallback if no module succeeds
>>>>>>>>>>>> auth requisite pam_deny.so
>>>>>>>>>>>> # prime the stack with a positive return value if there isn't one already;
>>>>>>>>>>>> # this avoids us returning an error just because nothing sets a success code
>>>>>>>>>>>> # since the modules above will each just jump around
>>>>>>>>>>>> auth required pam_permit.so
>>>>>>>>>>>> # and here are more per-package modules (the "Additional" block)
>>>>>>>>>>>> auth optional pam_cap.so
>>>>>>>>>>>> # end of pam-auth-update config
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Cyril
>>>>>>>>>>>>
>>>>>>>>>>> As Steve says, might as well start with a new sssd.conf, here is a
>>>>>>>>>>> working (sanitized) version from the laptop I am typing on ;-)
>>>>>>>>>>>
>>>>>>>>>>> [sssd]
>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>> domains = default
>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>
>>>>>>>>>>> [nss]
>>>>>>>>>>>
>>>>>>>>>>> [pam]
>>>>>>>>>>>
>>>>>>>>>>> [domain/default]
>>>>>>>>>>> description = AD domain with Samba 4 server
>>>>>>>>>>> cache_credentials = true
>>>>>>>>>>> enumerate = true
>>>>>>>>>>> id_provider = ldap
>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>> access_provider = ldap
>>>>>>>>>>> autofs_provider = ldap
>>>>>>>>>>> sudo_provider = ldap
>>>>>>>>>>>
>>>>>>>>>>> krb5_server = your.Samba4server.FQDN
>>>>>>>>>>> krb5_kpasswd = your.Samba4server.FQDN
>>>>>>>>>>> krb5_realm = UPPERCASE.REALM
>>>>>>>>>>>
>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>> ldap_schema = rfc2307bis
>>>>>>>>>>> ldap_access_order = expire
>>>>>>>>>>> ldap_account_expire_policy = ad
>>>>>>>>>>> ldap_force_upper_case_realm = true
>>>>>>>>>>>
>>>>>>>>>>> ldap_user_object_class = user
>>>>>>>>>>> ldap_user_name = sAMAccountName
>>>>>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>>>>>> ldap_user_principal = userPrincipalName
>>>>>>>>>>>
>>>>>>>>>>> ldap_group_object_class = group
>>>>>>>>>>> ldap_group_name = sAMAccountName
>>>>>>>>>>>
>>>>>>>>>>> ldap_sasl_mech = GSSAPI
>>>>>>>>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>> @Rowland
>>>>>>>>>> Is the OP on sssd <= 1.9.x ?
>>>>>>>>>> Steve
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> He posted earlier that he was using Ubuntu 12.04, so I suggested
>>>>>>>>> that he used the sssd ppa. I believe that he is now using this ppa
>>>>>>>>> and if so, he should be using 1.11.1
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>> Yes that's what I did.
>>>>>>>>
>>>>>>>> But I think Steve would like to know the version on the laptop
>>>>>>>> you're currently using.
>>>>>>>>
>>>>>>> Thanks for confirming that, but you are the 'OP' he referred to,
>>>>>>> OP = original poster
>>>>>>>
>>>>>>> Rowland
>>>>>>
>>>>>> :-)
>>>>>>
>>>>>> Cyril
>>>>>
>>>>> OK. Glad we've got that one sorted.
>>>>>
>>>>> Just for completeness, here's a working 1.11.1 sssd.conf with all the
>>>>> ad and autofs bits:
>>>>> [sssd]
>>>>> #debug_level = 9
>>>>> services = nss, pam, autofs
>>>>> config_file_version = 2
>>>>> domains = default
>>>>>
>>>>> [nss]
>>>>>
>>>>> [pam]
>>>>>
>>>>> [autofs]
>>>>>
>>>>> [domain/default]
>>>>> #debug_level = 9
>>>>> dyndns_update=true
>>>>> #dyndns_refresh_interval = 8
>>>>> ad_hostname = catral.hh3.site
>>>>> ad_server = hh16.hh3.site
>>>>> ad_domain = hh3.site
>>>>>
>>>>> ldap_schema = ad
>>>>> id_provider = ad
>>>>> access_provider = ad
>>>>> enumerate = false
>>>>> cache_credentials = true
>>>>> #entry_cache_timeout = 60
>>>>> auth_provider = ad
>>>>> chpass_provider = ad
>>>>> krb5_realm = hh3.site
>>>>> krb5_server = hh16.hh3.site
>>>>> krb5_kpasswd = hh16.hh3.site
>>>>>
>>>>> ldap_id_mapping=false
>>>>> ldap_referrals = false
>>>>> ldap_uri = ldap://hh16.hh3.site
>>>>> ldap_search_base = dc=hh3,dc=site
>>>>> ldap_user_object_class = user
>>>>> ldap_user_name = samAccountName
>>>>> ldap_user_uid_number = uidNumber
>>>>> ldap_user_gid_number = gidNumber
>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>> ldap_user_shell = loginShell
>>>>> ldap_group_object_class = group
>>>>> ldap_group_search_base = dc=hh3,dc=site
>>>>> ldap_group_name = cn
>>>>> ldap_group_member = member
>>>>>
>>>>> ldap_sasl_mech = gssapi
>>>>> ldap_sasl_authid = CATRAL$@HH3.SITE
>>>>> krb5_keytab = /etc/krb5.keytab
>>>>> ldap_krb5_init_creds = true
>>>>>
>>>>> autofs_provider=ldap
>>>>>
>>>>> #ldap_autofs_search_base = CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
>>>>> #ldap_autofs_map_object_class = nisMap
>>>>> #ldap_autofs_entry_object_class = nisObject
>>>>> #ldap_autofs_map_name = nisMapName
>>>>> #ldap_autofs_entry_key = cn
>>>>> #ldap_autofs_entry_value = nisMapEntry
>>>>>
>>>>> ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
>>>>> ldap_autofs_map_object_class = automountMap
>>>>> ldap_autofs_entry_object_class = automount
>>>>> ldap_autofs_map_name = automountMapName
>>>>> ldap_autofs_entry_key = automountKey
>>>>> ldap_autofs_entry_value = automountInformation
>>>>>
>>>>>
>>>>> Please note that we must canonicalise IPs. We must use a DNS resolvable
>>>>> name, NOT a series of numbers. I think.
>>>>>
>>>>> HTH
>>>>> Steve
>>>>>
>>>>>
>>>>
>>>> I made an error on:
>>>> ldap_sasl_authid, I forgot the $ sign
>>>> ad_hostname, I used the server name instead of the workstation's
>>>>
>>>> But it's still not working.
>>>> But I have more information from sssd's log as I use debug_level = 9.
>>>>
>>>> Maybe an interesting one:
>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0080): No suitable principal found in keytab
>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init] (0x0010): fatal error initializing data providers
>>>>
>>>> There's an issue with kerberos.
>>>>
>>>> Does the keytab have to be local?
>>>> Or does the system use the server's one?
>>>>
>>>> Cyril
>>>>
>>>>
>>>>
>>>>
>>> If you use samba, then, when you join the machine to the domain, a
>>> keytab should be created '/etc/krb5.keytab', are you using this keytab?
>>
>> No. The OP is using a samba-tool generated keytab
>> at /etc/krb5.sssd.keytab
>>
>> For simplicity, could I suggest using the machine key that was generated
>> in /etc/krb5.conf when the client joined the domain? Where is this
>> anyway? On a DC or on a client box?
>>
>> If you generated the keytab on the DC then of course it must be
>> transferred to the client using e.g. scp or a usb memory.
>>
>> Steve
>>
>>
>>> If unsure, have a look here:
>>>
>>> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
>>>
>>> For 'Windows 2008 Server Setup' read 'Samba 4 Server Setup', ignore the
>>> bit about creating a keytab on the windows server.
>>>
>>> Rowland
>>
>>
>I copied the file /etc/krb5.sssd.keytab onto the workstation.
>
>I had to reboot the workstation. Restarting the sssd service just hangs.
>And I still have the same error:
>
>(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [sdap_set_sasl_options](0x2000): authid contains realm [SUBDOMAIN.DOMAIN.FR]
>(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [sdap_set_sasl_options](0x0100): Will look for myserver$@SUBDOMAIN.DOMAIN.FR in default keytab
>(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
>(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0080): No suitable principal found in keytab
>(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
>(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [load_backend_module](0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [be_process_init](0x0010): fatal error initializing data providers
>
>If I run on the workstation:
>kinit administrator@SUBDOMAIN.DOMAIN.FR
>It asks me for the admin password, then I get the warning message about
>expiration.
>kinit myserver$@SUBDOMAIN.DOMAIN.FR
>It also asks me for a password but the admin's one doesn't work.
>
>Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR
>first before generating the keytab on the DC?
>
>Cyril
>
>
>
>
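An added example (not code from the thread, from Samba or from SSSD) that cross-checks an sssd.conf in the shape of Cyril's against the debug log he posted. It derives the machine principal the client should present from ad_hostname and krb5_realm (an assumption: the CLIENTNAME$@REALM form in Rowland's config), flags an ldap_sasl_authid without the $ or one that does not match this client, parses the log lines into their SSSD debug levels and reports what SSSD searched for and why it failed. The config is constructed (workstation name in ad_hostname, DC name still in the authid); the log lines are the ones posted, unwrapped. The hint that the AD provider reads its keytab from krb5_keytab rather than ldap_krb5_keytab is an assumption marked as such in the code.

```python
"""Cross-check an SSSD AD-provider sssd.conf against the keytab errors in
its debug log. Added example: not code from the thread, Samba or SSSD.
Assumptions are marked in the comments."""
import configparser
import re

# Constructed sssd.conf shaped like the sanitized one in the thread, with a
# workstation name in ad_hostname but the DC name still in the SASL authid.
SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
ad_hostname = workstation.sub-domain.domain.fr
ad_server = myserver.sub-domain.domain.fr
ad_domain = sub-domain.domain.fr
id_provider = ad
auth_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = myserver$@SUBDOMAIN.DOMAIN.FR
krb5_realm = SUBDOMAIN.DOMAIN.FR
ldap_krb5_keytab = /etc/krb5.sssd.keytab
"""

# The log lines Cyril posted, unwrapped onto one line each.
SSSD_LOG = """\
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [sdap_set_sasl_options](0x2000): authid contains realm [SUBDOMAIN.DOMAIN.FR]
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [sdap_set_sasl_options](0x0100): Will look for myserver$@SUBDOMAIN.DOMAIN.FR in default keytab
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0080): No suitable principal found in keytab
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [load_backend_module](0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [be_process_init](0x0010): fatal error initializing data providers
"""

LOG_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\]\s*"
    r"\[(?P<func>\w+)\]\s*\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

# SSSD debug-level bits, abbreviated names.
LEVELS = {0x0010: "FATAL", 0x0020: "CRIT", 0x0040: "OP_FAILURE",
          0x0080: "MINOR", 0x0100: "CONF", 0x0200: "FUNC_DATA", 0x2000: "TRACE"}


def parse_log(text):
    """Return the lines matching SSSD's debug format as dicts."""
    events = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if m:
            ev = m.groupdict()
            ev["level"] = LEVELS.get(int(ev["level"], 16), ev["level"])
            events.append(ev)
    return events


def expected_authid(domain):
    """SHORTHOST$@REALM for this client. Assumption: built from ad_hostname
    and krb5_realm, mirroring the CLIENTNAME$@REALM form in Rowland's config."""
    short = domain["ad_hostname"].split(".")[0]
    return f"{short.upper()}$@{domain['krb5_realm'].upper()}"


def check(conf_text, log_text):
    """Return (code, message) findings from the config and the log."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    dom = cp["domain/default"]
    want = expected_authid(dom)
    authid = dom.get("ldap_sasl_authid", "")
    findings = []
    if "$@" not in authid:
        findings.append(("authid_no_dollar", f"'{authid}' is not a machine principal (missing $)"))
    elif authid.upper() != want:
        findings.append(("authid_mismatch", f"'{authid}' is not {want} derived from ad_hostname"))
    if dom.get("ad_hostname") and dom.get("ad_hostname") == dom.get("ad_server"):
        findings.append(("ad_hostname_is_dc", "ad_hostname names the DC; it must be this client"))
    if dom.get("id_provider") == "ad" and "krb5_keytab" not in dom and "ldap_krb5_keytab" in dom:
        # Assumption: the AD provider takes its keytab from krb5_keytab, so a
        # path given only as ldap_krb5_keytab leaves the default keytab in use.
        findings.append(("keytab_option", "set krb5_keytab; ldap_krb5_keytab alone leaves the default keytab in use"))
    for ev in parse_log(log_text):
        m = re.match(r"Will look for (\S+) in (.+) keytab", ev["msg"])
        if m:
            findings.append(("searched", f"SSSD looked for {m.group(1)} in the {m.group(2)} keytab"))
            if m.group(1).upper() != want:
                findings.append(("searched_mismatch", f"searched principal differs from {want}"))
        if "krb5_kt_start_seq_get failed" in ev["msg"]:
            findings.append(("keytab_unreadable", f"[{ev['level']}] keytab could not be opened: missing or unreadable"))
        if "No suitable principal" in ev["msg"]:
            findings.append(("principal_absent", f"[{ev['level']}] no matching principal in keytab"))
    return findings


def codes(conf_text, log_text):
    """Just the finding codes, convenient for scripting."""
    return [c for c, _ in check(conf_text, log_text)]


if __name__ == "__main__":
    for code, msg in check(SSSD_CONF, SSSD_LOG):
        print(f"{code:20} {msg}")
```

On a real client, feed it the actual /etc/sssd/sssd.conf and /var/log/sssd/sssd_default.log; the krb5_kt_start_seq_get failure is the keytab file itself not opening, so the next thing to confirm is that the path SSSD uses exists and is readable by the sssd process before worrying about which principal is inside it.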