[Samba] Linux client of the domain - SSSD : authenticating via Kerberos

Cyril cyril.lalinne at 3d-com.fr
Tue Dec 24 04:03:26 MST 2013


On 23/12/2013 10:50, L.P.H. van Belle wrote:
>
>
> I don't know if anybody noticed the following
>
>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>
>>>>>>>>>>>> passwd:         compat sss
>>>>>>>>>>>> group:          compat sss
>>>>>>>>>>>> shadow:         compat
>>>>>>>>>>>>
>>>>>>>>>>>> hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>>>>>>>>> networks:       files
>
> Which can cause resolving problems.
>>>>>>>>>>>> hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
> change it to:
> hosts:          files dns mdns4_minimal [NOTFOUND=return] mdns4
>
> greetz,
>
> Louis
>

I didn't have issues with resolving (I may have later...)

But that can help...

Thanks
Cyril



>
>
>> -----Original Message-----
>> From: cyril.lalinne at 3d-com.fr
>> [mailto:samba-bounces at lists.samba.org] On behalf of Cyril
>> Sent: Friday 20 December 2013 10:37
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Linux client of the domain - SSSD :
>> authenticating via Kerberos
>>
>> On 19/12/2013 19:16, steve wrote:
>>> On Thu, 2013-12-19 at 18:11 +0000, Rowland Penny wrote:
>>>> On 19/12/13 18:00, Cyril wrote:
>>>>> On 19/12/2013 18:16, steve wrote:
>>>>>> On Thu, 2013-12-19 at 18:00 +0100, Cyril Lalinne wrote:
>>>>>>> On 19/12/2013 17:53, Rowland Penny wrote:
>>>>>>>> On 19/12/13 16:46, Cyril wrote:
>>>>>>>>> On 19/12/2013 17:42, Rowland Penny wrote:
>>>>>>>>>> On 19/12/13 16:22, steve wrote:
>>>>>>>>>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>>>>>>>>>>>> On 19/12/13 15:53, Cyril wrote:
>>>>>>>>>>>>> On 19/12/2013 16:05, steve wrote:
>>>>>>>>>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>>>>>>>>>>> On 18/12/2013 15:40, Cyril wrote:
>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I think I'm starting to understand how a Linux client can be integrated into a samba domain.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Tell me if I'm wrong :
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Linux clients don't need Samba for authentication, only the ldap part of samba.
>>>>>>>>>>>>>>>> sssd, through kerberos, gets information from ldap. If the user is known or has the right, he can log in.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> So why should I need to install winbind and samba4 on the linux client?
>>>>>>>>>>>>>>>> Is it only if I have a Windows AD ?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I can't get sssd working and I don't know why.
>>>>>>>>>>>>>> Hi
>>>>>>>>>>>>>> Please post the censored content of:
>>>>>>>>>>>>>> /etc/sssd/sssd.conf
>>>>>>>>>>>>>> and the passwd and group greps of:
>>>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>>> and, for later:
>>>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>> The workstation is an Ubuntu 12.04 LTS 64-bit
>>>>>>>>>>>>>
>>>>>>>>>>>>> /etc/sssd/sssd.conf:
>>>>>>>>>>>>>
>>>>>>>>>>>>> [sssd]
>>>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>>>> domains = default
>>>>>>>>>>>>>
>>>>>>>>>>>>> [nss]
>>>>>>>>>>>>>
>>>>>>>>>>>>> [pam]
>>>>>>>>>>>>>
>>>>>>>>>>>>> [domain/default]
>>>>>>>>>>>>> ad_hostname = myserver.sub-domain.domain.fr
>>>>>>>>>>>>> ad_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>>> ad_domain = sub-domain.domain.fr
>>>>>>>>>>>>>
>>>>>>>>>>>>> ldap_schema = ad
>>>>>>>>>>>>> id_provider = ad
>>>>>>>>>>>>> access_provider = simple
>>>>>>>>>>>>>
>>>>>>>>>>>>> # on large directories, you may want to disable enumeration for performance reasons
>>>>>>>>>>>>> enumerate = true
>>>>>>>>>>>>>
>>>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>>>> ldap_sasl_mech = gssapi
>>>>>>>>>>>>> ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>> krb5_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>>>>>>>>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>>>
>>>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>>>> ldap_uri = ldap://myserverIPadress
>>>>>>>>>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>>>>>>>>>>>
>>>>>>>>>>>>> dyndns_update=false
>>>>>>>>>>>>>
>>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>> passwd:         compat sss
>>>>>>>>>>>>> group:          compat sss
>>>>>>>>>>>>> shadow:         compat
>>>>>>>>>>>>>
>>>>>>>>>>>>> hosts:          files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>>>>>>>>>> networks:       files
>>>>>>>>>>>>>
>>>>>>>>>>>>> protocols:      db files
>>>>>>>>>>>>> services:       db files
>>>>>>>>>>>>> ethers:         db files
>>>>>>>>>>>>> rpc:            db files
>>>>>>>>>>>>>
>>>>>>>>>>>>> netgroup:       nis
>>>>>>>>>>>>> sudoers:        files sss
>>>>>>>>>>>>>
>>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> # here are the per-package modules (the "Primary" block)
>>>>>>>>>>>>> auth    [success=1 default=ignore] pam_unix.so nullok_secure
>>>>>>>>>>>>> # here's the fallback if no module succeeds
>>>>>>>>>>>>> auth    requisite pam_deny.so
>>>>>>>>>>>>> # prime the stack with a positive return value if there isn't one already;
>>>>>>>>>>>>> # this avoids us returning an error just because nothing sets a success code
>>>>>>>>>>>>> # since the modules above will each just jump around
>>>>>>>>>>>>> auth    required pam_permit.so
>>>>>>>>>>>>> # and here are more per-package modules (the "Additional" block)
>>>>>>>>>>>>> auth    optional                        pam_cap.so
>>>>>>>>>>>>> # end of pam-auth-update config
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>
>>>>>>>>>>>> As Steve says, might as well start with a new sssd.conf, here is a working (sanitized) version from the laptop I am typing on ;-)
>>>>>>>>>>>>
>>>>>>>>>>>> [sssd]
>>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>>> domains = default
>>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>>
>>>>>>>>>>>> [nss]
>>>>>>>>>>>>
>>>>>>>>>>>> [pam]
>>>>>>>>>>>>
>>>>>>>>>>>> [domain/default]
>>>>>>>>>>>> description = AD domain with Samba 4 server
>>>>>>>>>>>> cache_credentials = true
>>>>>>>>>>>> enumerate = true
>>>>>>>>>>>> id_provider = ldap
>>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>>> access_provider = ldap
>>>>>>>>>>>> autofs_provider = ldap
>>>>>>>>>>>> sudo_provider = ldap
>>>>>>>>>>>>
>>>>>>>>>>>> krb5_server = your.Samba4server.FQDN
>>>>>>>>>>>> krb5_kpasswd = your.Samba4server.FQDN
>>>>>>>>>>>> krb5_realm = UPPERCASE.REALM
>>>>>>>>>>>>
>>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>>> ldap_schema = rfc2307bis
>>>>>>>>>>>> ldap_access_order = expire
>>>>>>>>>>>> ldap_account_expire_policy = ad
>>>>>>>>>>>> ldap_force_upper_case_realm = true
>>>>>>>>>>>>
>>>>>>>>>>>> ldap_user_object_class = user
>>>>>>>>>>>> ldap_user_name = sAMAccountName
>>>>>>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>>>>>>> ldap_user_principal = userPrincipalName
>>>>>>>>>>>>
>>>>>>>>>>>> ldap_group_object_class = group
>>>>>>>>>>>> ldap_group_name = sAMAccountName
>>>>>>>>>>>>
>>>>>>>>>>>> ldap_sasl_mech = GSSAPI
>>>>>>>>>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>> @Rowland
>>>>>>>>>>> Is the OP on sssd <= 1.9.x ?
>>>>>>>>>>> Steve
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> He posted earlier that he was using Ubuntu 12.04, so I suggested that he used the sssd ppa. I believe that he is now using this ppa and if so, he should be using 1.11.1
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>> Yes that's what I did.
>>>>>>>>>
>>>>>>>>> But I think Steve would like to know the version on the laptop you're currently using.
>>>>>>>>>
>>>>>>>> Thanks for confirming that, but you are the 'OP' he referred to, OP = original poster
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>
>>>>>>> :-)
>>>>>>>
>>>>>>> Cyril
>>>>>>
>>>>>> OK. Glad we've got that one sorted.
>>>>>>
>>>>>> Just for completeness, here's a working 1.11.1 sssd.conf with all the ad and autofs bits:
>>>>>> [sssd]
>>>>>> #debug_level = 9
>>>>>> services = nss, pam, autofs
>>>>>> config_file_version = 2
>>>>>> domains = default
>>>>>>
>>>>>> [nss]
>>>>>>
>>>>>> [pam]
>>>>>>
>>>>>> [autofs]
>>>>>>
>>>>>> [domain/default]
>>>>>> #debug_level = 9
>>>>>> dyndns_update=true
>>>>>> #dyndns_refresh_interval = 8
>>>>>> ad_hostname = catral.hh3.site
>>>>>> ad_server = hh16.hh3.site
>>>>>> ad_domain = hh3.site
>>>>>>
>>>>>> ldap_schema = ad
>>>>>> id_provider = ad
>>>>>> access_provider = ad
>>>>>> enumerate = false
>>>>>> cache_credentials = true
>>>>>> #entry_cache_timeout = 60
>>>>>> auth_provider = ad
>>>>>> chpass_provider = ad
>>>>>> krb5_realm = hh3.site
>>>>>> krb5_server = hh16.hh3.site
>>>>>> krb5_kpasswd = hh16.hh3.site
>>>>>>
>>>>>> ldap_id_mapping=false
>>>>>> ldap_referrals = false
>>>>>> ldap_uri = ldap://hh16.hh3.site
>>>>>> ldap_search_base = dc=hh3,dc=site
>>>>>> ldap_user_object_class = user
>>>>>> ldap_user_name = samAccountName
>>>>>> ldap_user_uid_number = uidNumber
>>>>>> ldap_user_gid_number = gidNumber
>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>> ldap_user_shell = loginShell
>>>>>> ldap_group_object_class = group
>>>>>> ldap_group_search_base = dc=hh3,dc=site
>>>>>> ldap_group_name = cn
>>>>>> ldap_group_member = member
>>>>>>
>>>>>> ldap_sasl_mech = gssapi
>>>>>> ldap_sasl_authid = CATRAL$@HH3.SITE
>>>>>> krb5_keytab = /etc/krb5.keytab
>>>>>> ldap_krb5_init_creds = true
>>>>>>
>>>>>> autofs_provider=ldap
>>>>>>
>>>>>> #ldap_autofs_search_base =
>>>>>> CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
>>>>>> #ldap_autofs_map_object_class = nisMap
>>>>>> #ldap_autofs_entry_object_class = nisObject
>>>>>> #ldap_autofs_map_name = nisMapName
>>>>>> #ldap_autofs_entry_key = cn
>>>>>> #ldap_autofs_entry_value = nisMapEntry
>>>>>>
>>>>>> ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
>>>>>> ldap_autofs_map_object_class = automountMap
>>>>>> ldap_autofs_entry_object_class = automount
>>>>>> ldap_autofs_map_name = automountMapName
>>>>>> ldap_autofs_entry_key = automountKey
>>>>>> ldap_autofs_entry_value = automountInformation
>>>>>>
>>>>>>
>>>>>> Please note that we must canonicalise IP's. We must use a DNS resolvable name, NOT a series of numbers. I think.
>>>>>>
>>>>>> HTH
>>>>>> Steve
>>>>>>
>>>>>>
>>>>>
>>>>> I made an error on:
>>>>> ldap_sasl_authid, I forgot the $ sign
>>>>> ad_hostname, I used the server name instead of the workstation's one
>>>>>
>>>>> But it's still not working.
>>>>> But I have more information from sssd's log as I use debug_level = 9.
>>>>>
>>>>> Maybe an interesting one:
>>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
>>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0080): No suitable principal found in keytab
>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [ad_set_ad_id_options] (0x0040): Cannot set the SASL-related options
>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init] (0x0010): fatal error initializing data providers
>>>>>
>>>>> There's an issue with kerberos.
>>>>>
>>>>> Does the keytab have to be local?
>>>>> Or does the system use the server's one?
>>>>>
>>>>> Cyril
>>>>>
>>>>>
>>>>>
>>>>>
>>>> If you use samba, then, when you join the machine to the domain, a keytab should be created '/etc/krb5.keytab', are you using this keytab?
>>>
>>> No. The OP is using a samba-tool generated keytab
>>> at /etc/krb5.sssd.keytab
>>>
>>> For simplicity, could I suggest using the machine key that was generated in /etc/krb5.conf when the client joined the domain? Where is this anyway? On a DC or on a client box?
>>>
>>> If you generated the keytab on the DC then of course it must be
>>> transferred to the client using e.g. scp or a usb memory.
>>>
>>> Steve
>>>
>>>
>>>> If unsure, have a look here:
>>>>
>>>> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
>>>>
>>>> For 'Windows 2008 Server Setup' read 'Samba 4 Server Setup', ignore the bit about creating a keytab on the windows server.
>>>>
>>>> Rowland
>>>
>>>
>> I copied the file /etc/krb5.sssd.keytab to the workstation.
>>
>> I had to reboot the workstation. Restarting the sssd service just hangs.
>> And I still have the same error:
>>
>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [sdap_set_sasl_options](0x2000): authid contains realm [SUBDOMAIN.DOMAIN.FR]
>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [sdap_set_sasl_options](0x0100): Will look for myserver$@SUBDOMAIN.DOMAIN.FR in default keytab
>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]][select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]][find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]][select_principal_from_keytab] (0x0080): No suitable principal found in keytab
>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [load_backend_module](0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>> (Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [be_process_init](0x0010): fatal error initializing data providers
>>
>> If I run on the workstation:
>> kinit administrator@SUBDOMAIN.DOMAIN.FR
>> It asks me the admin password, then I have the warning message about expiration.
>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>> It also asks me for a password but the admin's one doesn't work.
>>
>> Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR first before generating the keytab on the DC?
>>
>> Cyril
>>
>>
>>
>>
>
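The whole thread turns on whether the principal SSSD binds with (`ldap_sasl_authid`) actually exists in the keytab it reads: a missing `$`, a realm in the wrong case, or the DC's name where the workstation's belongs all end in the "No suitable principal found in keytab" lines quoted above. The pre-flight check below is an added example, not code from the thread or from the SSSD project; it reads an sssd.conf fragment and `klist -k -t` output (both constructed samples modelled on the thread, with assumed names) and reports those mismatches before sssd is restarted.

```python
import configparser
import re
# Constructed sssd.conf fragment modelled on the one in the thread (not the poster's real file).
SAMPLE_SSSD_CONF = """[sssd]
domains = default

[domain/default]
id_provider = ad
ad_hostname = myworkstation.sub-domain.domain.fr
krb5_realm = SUBDOMAIN.DOMAIN.FR
ldap_sasl_mech = gssapi
ldap_sasl_authid = myserver@SUBDOMAIN.DOMAIN.FR
ldap_krb5_keytab = /etc/krb5.sssd.keytab
"""
# Constructed `klist -k -t /etc/krb5.sssd.keytab` output for a joined workstation (sample data).
SAMPLE_KLIST = """KVNO Timestamp         Principal
   2 12/19/13 17:05:11 MYWORKSTATION$@SUBDOMAIN.DOMAIN.FR
   2 12/19/13 17:05:11 host/myworkstation.sub-domain.domain.fr@SUBDOMAIN.DOMAIN.FR
"""

def keytab_principals(klist_output):
    """Principals listed by `klist -k -t`: columns are KVNO, date, time, principal."""
    found = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found

def check_sasl_identity(sssd_conf_text, klist_output, domain="default"):
    """Return findings explaining why SSSD could fail to find its GSSAPI bind principal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    sec = cp["domain/" + domain]
    authid = sec.get("ldap_sasl_authid", "")
    name, _, realm = authid.partition("@")
    realm = realm or sec.get("krb5_realm", "")  # no realm in authid: fall back to krb5_realm
    findings = []
    if realm != realm.upper():  # keytab lookups are case-sensitive; AD realms are upper case
        findings.append("realm in authid is not upper case: " + realm)
    if not name.endswith("$"):  # the machine account is HOSTNAME$, not HOSTNAME
        findings.append("machine account name lacks the trailing '$': " + name)
    client = sec.get("ad_hostname", "").split(".")[0].lower()
    if client and name.rstrip("$").lower() != client:  # authid must be this client, not the DC
        findings.append("authid %s does not match ad_hostname %s" % (name, client))
    principal = name + "@" + realm
    if principal not in keytab_principals(klist_output):
        findings.append("principal %s is not in the keytab" % principal)
    return findings
```

On a real client, feed it the output of `klist -k -t <path from ldap_krb5_keytab or krb5_keytab>` run as the user sssd runs as, so that an unreadable keytab shows up as an empty principal list rather than as a mystery at bind time.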



