samba4 + kerberos + pam

David Feurle david.feurle at sodgeit.de
Tue May 14 09:06:06 MDT 2013


Hi Denis,

I know that samba3 is great as a client. The only problem is that I 
want to allow the login on the same machine - the AD server.
As far as I know I cannot run samba4 and samba3 on the same machine.

Thanks!

David


On 14.05.2013 16:43, Denis Cardon wrote:
> Hi David,
>
>> thanks for your response. As far as I understand the difference 
>> between your setup and mine is that you use samba3 as a client whilst 
>> I use samba4 as well on the client.
>> The reason is that I want users to be able to log in on the AD server 
>> (which is running samba4) and have their kerberos ticket set up.
>
> you don't need samba4 on the client for AD authentication. Samba 3 
> will do it properly and it is much better documented. I think you 
> should try it.
>
> I published a small step by step documentation for a debian wheezy 
> system at
> http://dev.tranquil.it/index.php/SAMBA_-_Int%C3%A9gration_Samba_membre_de_domaine 
>
>
> It is in French, but it should be fairly easy to understand. I just 
> tried it step by step on a fresh wheezy install and I got my ticket 
> after login:
>
> dcardon@wheezy:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_20005
> Default principal: dcardon@TRANQUILIT.LOCAL
>
> Valid starting    Expires           Service principal
> 14/05/2013 16:40  15/05/2013 02:40  krbtgt/TRANQUILIT.LOCAL@TRANQUILIT.LOCAL
>     renew until 21/05/2013 16:40
> 14/05/2013 16:40  15/05/2013 02:40  WHEEZY$@TRANQUILIT.LOCAL
>     renew until 21/05/2013 16:40
>
> I have the "pam_winbind.so use_first_pass krb5_auth 
> krb5_ccache_type=FILE" line both in auth and session. I don't know if 
> it is necessary, but it works.
>
> Cheers,
>
> Denis
>
>
>>
>> When I set the same parameters as you do in /etc/pam.d/common-session 
>> no kerberos ticket is created when logging in with the domain user.
>> I am using Ubuntu 12.04, which should be similar to your debian setup.
>>
>> Thanks,
>>
>> David
>>
>>
>> On Tuesday, 14 May 2013 14:20 CEST, Denis Cardon 
>> <denis.cardon at tranquil-it-systems.fr> wrote:
>>
>>> Hi David,
>>>
>>>> I have a problem with samba4 and PAM Kerberos Authentication.
>>>>
>>>> I can log in to my machine using the domain user/password (using 
>>>> pam) and manually create the Kerberos ticket (kinit).
>>>> Now I want to automatically create a kerberos ticket on login.
>>>>
>>>> As stated in the wiki 
>>>> (https://wiki.samba.org/index.php/PAM_Kerberos_Authentication) I 
>>>> need to create the config file in /etc/security/pam_winbind.conf 
>>>> with the corresponding settings.
>>>>
>>>> krb5_auth = yes
>>>> krb5_ccache_type = FILE
>>>>
>>>> I'm nearly sure that this file is used, since I can set the debug 
>>>> option in there and it is used. When I log in with a domain user 
>>>> /var/log/auth.log states success of kerberos and I have a shell, 
>>>> but no ticket is created.
>>>>
>>>> I'm using a self compiled version of samba (4.0.5).
>>>>
>>>> Is this a bug in samba4 or am I missing something?
>>>
>>> here we are using samba 4.0.5 AD server and pam_winbind auth for linux
>>> clients and it does create the credential cache file properly. My Linux
>>> clients are debian squeeze or wheezy based, and I have no experience
>>> with redhat flavored linux though.
>>>
>>> By the way I don't see why the kerberos cache on client would have
>>> something to do with the kerberos server.
>>>
>>> I don't know if there is an equivalent of 
>>> /etc/security/pam_winbind.conf
>>> on debian, but I have the same parameters directly in the pam.d files:
>>>
>>> $ cat /etc/pam.d/common-session
>>> session     [default=1]            pam_permit.so
>>> session     requisite              pam_deny.so
>>> session     required               pam_permit.so
>>> session     required               pam_unix.so
>>> session     optional               pam_ck_connector.so nox11
>>> session     required               pam_mkhomedir.so silent skel=/etc/skel.empty
>>> session     optional               pam_winbind.so krb5_auth krb5_ccache_type=FILE
>>>
>>> I am sure my credential cache is correctly populated at logon since I
>>> use it for authentication on apache and file servers.
>>>
>>> Cheers,
>>>
>>> Denis
>>>
>>>>
>>>> Thanks!
>>>>
>>>> David
>>>>
>>>
>>>
>>> -- 
>>> Denis Cardon
>>> Tranquil IT Systems
>>> Les Espaces Jules Verne, bâtiment A
>>> 12 avenue Jules Verne
>>> 44230 Saint Sébastien sur Loire
>>> tel : +33 (0) 2.40.97.57.55
>>> http://www.tranquil-it-systems.fr
>>>
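Added example, not part of the thread above and not Samba's own tooling: a small POSIX shell script that checks the two things this thread turns on. check_winbind_krb5 inspects a PAM stack file for an uncommented auth or session line that loads pam_winbind.so with both krb5_auth and krb5_ccache_type=FILE (the combination Denis has in auth and session), and tgt_present checks saved klist output for a FILE ticket cache and a krbtgt ticket for the realm, which is the evidence that a login actually produced a TGT. The function names, the temporary directory and the sample PAM stacks and klist text are constructed for the example; the sample common-auth deliberately lacks the Kerberos options to show what a stack that authenticates but never requests a ticket looks like.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the pam_winbind
# Kerberos setup discussed above. Function names and sample data are
# constructed for this example.

# check_winbind_krb5 FILE TYPE
# Succeeds (exit 0) when FILE has an uncommented line of TYPE ("auth" or
# "session") that loads pam_winbind.so with both krb5_auth and
# krb5_ccache_type=FILE, which is what makes winbind request a TGT at login.
check_winbind_krb5() {
    awk -v t="$2" '
        /^[ \t]*#/ { next }
        $1 == t && /pam_winbind\.so/ && /(^|[ \t])krb5_auth([ \t]|$)/ && /krb5_ccache_type=FILE/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# tgt_present KLIST_OUTPUT REALM
# Succeeds when saved klist output shows a FILE ticket cache and a
# krbtgt/REALM@REALM ticket, i.e. the login really produced a TGT.
tgt_present() {
    grep -q '^Ticket cache: FILE:' "$1" && grep -qF "krbtgt/$2@$2" "$1"
}

# report FILE TYPE: human-readable wrapper around check_winbind_krb5
report() {
    if check_winbind_krb5 "$1" "$2"; then
        echo "$1: $2 stack asks pam_winbind for a Kerberos FILE ccache"
    else
        echo "$1: $2 stack will NOT create a ticket (add krb5_auth krb5_ccache_type=FILE to the pam_winbind.so line)"
    fi
}

# --- constructed sample input, removed again at exit ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Modelled on the Debian common-session stack quoted in the thread, with the
# pam_winbind line on one line as it is in the real file.
cat > "$demo_dir/common-session" <<'EOF'
session     [default=1]     pam_permit.so
session     requisite       pam_deny.so
session     required        pam_permit.so
session     required        pam_unix.so
session     optional        pam_ck_connector.so nox11
session     required        pam_mkhomedir.so silent skel=/etc/skel.empty
session     optional        pam_winbind.so krb5_auth krb5_ccache_type=FILE
EOF

# A common-auth that loads pam_winbind.so without the Kerberos options:
# the domain login can still succeed, but winbind is never asked for a ticket.
cat > "$demo_dir/common-auth" <<'EOF'
# /etc/pam.d/common-auth (constructed sample)
auth    [success=2 default=ignore]   pam_unix.so nullok_secure
auth    [success=1 default=ignore]   pam_winbind.so use_first_pass
auth    requisite                    pam_deny.so
auth    required                     pam_permit.so
EOF

# klist output in the shape Denis posted (constructed copy, @ written out).
cat > "$demo_dir/klist.out" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_20005
Default principal: dcardon@TRANQUILIT.LOCAL

Valid starting    Expires           Service principal
14/05/2013 16:40  15/05/2013 02:40  krbtgt/TRANQUILIT.LOCAL@TRANQUILIT.LOCAL
    renew until 21/05/2013 16:40
14/05/2013 16:40  15/05/2013 02:40  WHEEZY$@TRANQUILIT.LOCAL
    renew until 21/05/2013 16:40
EOF

report "$demo_dir/common-session" session
report "$demo_dir/common-auth" auth
if tgt_present "$demo_dir/klist.out" TRANQUILIT.LOCAL; then
    echo "klist shows a krbtgt ticket for TRANQUILIT.LOCAL in a FILE cache"
fi
```

To use it on a real domain member, point check_winbind_krb5 at /etc/pam.d/common-auth and /etc/pam.d/common-session and feed tgt_present the output of klist from a fresh domain login. The script only reads the pam.d files; if the options live in /etc/security/pam_winbind.conf instead, as the wiki page cited in the thread describes, that file has to be checked separately.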
