[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril cyril.lalinne at 3d-com.fr
Mon Dec 23 06:05:09 MST 2013


On 20/12/2013 18:21, Rowland Penny wrote:
> On 20/12/13 16:56, Cyril wrote:
>> On 20/12/2013 17:41, Rowland Penny wrote:
>>> On 20/12/13 16:37, Cyril Lalinne wrote:
>>>>
>>>> On 20/12/2013 17:34, Rowland Penny wrote:
>>>>> On 20/12/13 16:28, Cyril wrote:
>>>>>> On 20/12/2013 17:19, Rowland Penny wrote:
>>>>>>> On 20/12/13 16:08, Cyril wrote:
>>>>>>>> On 20/12/2013 16:59, Rowland Penny wrote:
>>>>>>>>> On 20/12/13 14:00, steve wrote:
>>>>>>>>>> On Fri, 2013-12-20 at 14:40 +0100, Cyril wrote:
>>>>>>>>>>> On 20/12/2013 14:19, steve wrote:
>>>>>>>>>>>> On Fri, 2013-12-20 at 10:37 +0100, Cyril wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>> It also asks me for a password, but the admin's one doesn't work.
>>>>>>>>>>>>>
>>>>>>>>>>>> Eh? You don't need a password. You already have the key!
>>>>>>>>>>>> kinit -k -t /etc/krb5.sssd.keytab myserver$
>>>>>>>>>>>>
>>>>>>>>>>>> Could you post the output of that command?
>>>>>>>>>>>>
>>>>>>>>>>> That gives me nothing. No error, no warning.
>>>>>>>>>>> It didn't ask me for any password.
>>>>>>>>>>>
>>>>>>>>>> OK. So it worked.
>>>>>>>>>>>>> Am I supposed to create this principal
>>>>>>>>>>>>> myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>> first, before generating the keytab on the DC?
>>>>>>>>>>>>>
>>>>>>>>>>>> You already have the principal. It was created when you joined
>>>>>>>>>>>> the machine to the domain.
>>>>>>>>>>> Oh, you mean joining the myserver machine!
>>>>>>>>>>>
>>>>>>>>>> No, I'm sorry. The posts crossed. I now know that the machine
>>>>>>>>>> is not joined to the domain using samba. You do somehow, however,
>>>>>>>>>> have a key for the machine.
>>>>>>>>>>
>>>>>>>>>> And, from your other posts, your domain users can now
>>>>>>>>>> authenticate on
>>>>>>>>>> the Linux client.
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>> Steve
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> OK, seeing as how it is Christmas, here is how to get
>>>>>>>>> libpam-pwquality
>>>>>>>>> on Ubuntu precise, using the packages from Saucy ;-)
>>>>>>>>>
>>>>>>>>> x86:
>>>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_i386.deb
>>>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_i386.deb
>>>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
>>>>>>>>>
>>>>>>>>> sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
>>>>>>>>> sudo apt-get install libcrack2
>>>>>>>>> sudo dpkg -i libpwquality1_1.2.3-1_i386.deb
>>>>>>>>> sudo dpkg -i libpam-pwquality_1.2.3-1_i386.deb
>>>>>>>>>
>>>>>>>>> x86_64:
>>>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_amd64.deb
>>>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_amd64.deb
>>>>>>>>> wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb
>>>>>>>>>
>>>>>>>>> sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
>>>>>>>>> sudo apt-get install libcrack2
>>>>>>>>> sudo dpkg -i libpwquality1_1.2.3-1_amd64.deb
>>>>>>>>> sudo dpkg -i libpam-pwquality_1.2.3-1_amd64.deb
>>>>>>>>>
>>>>>>>>> and there you go!
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>
>>>>>>>> I already had a try and I get the same error when I use Ubuntu
>>>>>>>> 13.10:
>>>>>>>>
>>>>>>>> lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=  user=Myuser
>>>>>>>> lightdm: pam_sss(lightdm:auth): received for user Myuser: 9 (Authentication service cannot retrieve authentication info)
>>>>>>>>
>>>>>>>> in the auth.log file.
>>>>>>>>
>>>>>>>> getent passwd works, but not the authentication.
>>>>>>>>
>>>>>>>> I suppose there's still something wrong with the sssd.conf file.
>>>>>>>>
>>>>>>>> Cyril
>>>>>>>>
>>>>>>> OK, do you have libpam-krb5 installed? On my laptop (running Linux
>>>>>>> Mint 15) I find this in auth.log:
>>>>>>>
>>>>>>> mdm[1843]: pam_krb5(mdm:auth): user rowland authenticated as rowland at HOME.LAN
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> For me, that means that you're authenticating against the Kerberos database.
>>>>>> You have a principal rowland in the Kerberos database.
>>>>>> I don't want to use this authentication, because that means having two
>>>>>> databases: OpenLDAP and Kerberos.
>>>>>>
>>>>>> I'm trying to authenticate with LDAP information.
>>>>>> If I understand well, the Kerberos layer is there to encrypt the
>>>>>> communication between sssd and AD (LDAP).
>>>>>>
>>>>>> Cyril
>>>>>>
>>>>> I do not have any OpenLDAP or Kerberos databases; I am authenticating
>>>>> to a Samba4 server, just like you are.
>>>>>
>>>>> If you do not have libpam-krb5 installed, just try installing it; you
>>>>> never know, it just might cure your problems.
>>>>>
>>>>> Rowland
>>>>>
>>>> OpenLDAP and Kerberos are integrated into the Samba4 server.
>>>>
>>>> And you're right! I'd rather have a try!!
>>>> Back in a sec.
>>>>
>>>> Cyril
>>>>
>>>>
>>> OK, I will give you that Kerberos is built into Samba4, but OpenLDAP
>>> isn't; Samba4 uses AD. What I meant was that I wasn't using separate
>>> databases, I was just using the same as you, and as far as I could see
>>> the only thing you were missing was libpam-krb5.
>>>
>>> Rowland
>>>
>> Ok ... I thought there was an OpenLDAP inside.
>>
>> And that's working better with libpam-krb5.  :-)
>>
>> Now, at the login screen, I have a message saying that my password will
>> expire.
>> But I can't open a session:
>> lightdm: pam_krb5(lightdm:auth): user clalinne authenticated as clalinne at SUBDOMAIN.DOMAIN.FR
>> lightdm: gkr-pam: error looking up user information
>> lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(clalinne))
>>
>> Cyril
>>
> OK, does the user's unix home directory (as set in the user's
> unixHomeDirectory attribute) exist on the client that they are trying to
> log into?
>
> If not add this to the end of /etc/pam.d/common-session:
>
> session required        pam_mkhomedir.so skel=/etc/skel umask=0022
>
> and install libpam-modules and then try again.
>
> Rowland
>
I did it, then I wasn't able to log in, even with local users.
Maybe I should have updated PAM and checked the PAM files before logging out: I
didn't run pam-auth-update.

As this Christmas tree is getting bigger and bigger ...
I'll copy/paste your advice / explanations onto a page and I'll start from
scratch on another VM.

Let's see if I can get as near to the solution as I was ...


Cyril
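The thread shows two distinct failure modes in auth.log: pam_sss returning status 9 ("Authentication service cannot retrieve authentication info") in the auth phase, and, once libpam-krb5 is in place, pam_krb5 accepting the password while pam_unix fails in the account phase because getpwnam() cannot resolve the user. It also ends with the pam_mkhomedir line for /etc/pam.d/common-session. The script below is an added example, not code from the thread or from Samba/SSSD: it classifies those log lines, separates "SSSD auth failed" from "Kerberos auth succeeded but NSS lookup failed", and checks a common-session file for an active pam_mkhomedir entry. The auth.log lines and the common-session file are constructed samples modelled on the excerpts in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for the auth.log
# failures discussed above. Sample inputs are constructed, not real logs.

# classify_auth_log FILE
# Prints "<stage> <user>" per recognised line:
#   sss-auth        pam_sss auth phase returned 9 (cannot retrieve auth info)
#   krb5-ok         pam_krb5 auth phase succeeded
#   account-nouser  pam_unix account phase: getpwnam() could not resolve user
classify_auth_log() {
    awk '
        /pam_sss\([^)]*:auth\): received for user/ {
            u = $0; sub(/.*received for user /, "", u); sub(/:.*/, "", u)
            if ($0 ~ /: 9 \(/) print "sss-auth " u
            next
        }
        /pam_krb5\([^)]*:auth\): user .* authenticated as/ {
            u = $0; sub(/.*: user /, "", u); sub(/ authenticated.*/, "", u)
            print "krb5-ok " u; next
        }
        /pam_unix\([^)]*:account\): could not identify user/ {
            u = $0; sub(/.*getpwnam\(/, "", u); sub(/\).*/, "", u)
            print "account-nouser " u; next
        }
    ' "$1"
}

# triage_auth_log FILE
# Turns the classification into one actionable line per affected user.
# A user with krb5-ok AND account-nouser is the second case in the thread:
# the password was fine, the NSS side (getent passwd / home directory) is not.
triage_auth_log() {
    classify_auth_log "$1" | awk '
        $1 == "sss-auth"       { sss[$2] = 1 }
        $1 == "krb5-ok"        { krb[$2] = 1 }
        $1 == "account-nouser" { nouser[$2] = 1 }
        END {
            for (u in sss)
                print "AUTH " u ": pam_sss status 9; check auth_provider, krb5 realm/KDC and keytab in sssd.conf"
            for (u in nouser) {
                if (u in krb)
                    print "ACCOUNT " u ": Kerberos accepted the password but getpwnam() failed; check getent passwd and the unixHomeDirectory/home directory"
                else
                    print "ACCOUNT " u ": user not resolvable via NSS"
            }
        }'
}

# pam_has_mkhomedir FILE
# True if FILE has an active (uncommented) session line loading pam_mkhomedir.so.
pam_has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# --- constructed samples (not real logs) ---
SAMPLE_LOG=$(mktemp)
SAMPLE_SESSION=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_SESSION"' EXIT

cat > "$SAMPLE_LOG" <<'EOF'
Dec 20 16:08:01 client lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=  user=Myuser
Dec 20 16:08:01 client lightdm: pam_sss(lightdm:auth): received for user Myuser: 9 (Authentication service cannot retrieve authentication info)
Dec 20 18:21:05 client lightdm: pam_krb5(lightdm:auth): user clalinne authenticated as clalinne@SUBDOMAIN.DOMAIN.FR
Dec 20 18:21:05 client lightdm: gkr-pam: error looking up user information
Dec 20 18:21:05 client lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(clalinne))
EOF

cat > "$SAMPLE_SESSION" <<'EOF'
# /etc/pam.d/common-session (constructed sample)
session [default=1]   pam_permit.so
session requisite     pam_deny.so
session required      pam_permit.so
session required      pam_unix.so
session optional      pam_sss.so
session required        pam_mkhomedir.so skel=/etc/skel umask=0022
EOF

# Stand-alone run: print the triage and the mkhomedir check result.
triage_auth_log "$SAMPLE_LOG"
if pam_has_mkhomedir "$SAMPLE_SESSION"; then
    echo "common-session: pam_mkhomedir.so is active"
else
    echo "common-session: pam_mkhomedir.so missing (home directories will not be created at login)"
fi
```

Run it against a real /etc/log/auth.log and /etc/pam.d/common-session by passing those paths to the functions instead of the samples. Note that it only checks whether the pam_mkhomedir line is present; it does not run pam-auth-update, which the thread identifies as the step to take before logging out after changing PAM files.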



