
[Samba] Linux client of the domain


Cyril

Dec 18, 2013, 9:40:37 AM
Hello,

I think I'm starting to understand how a Linux client can be integrated
into a Samba domain.

Tell me if I'm wrong:

Linux clients don't need Samba for authentication, only the LDAP part of
Samba.
sssd, through Kerberos, gets information from LDAP. If the user is known or
has the rights, he can log in.

So why should I need to install winbind and samba4 on the Linux client?
Is it only if I have a Windows AD?


Thanks
Cyril

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Stéphane PURNELLE

Dec 18, 2013, 9:51:19 AM
Hi,

You have 2 possibilities:

- Use sssd to connect to an AD server (but you need to add Services for Unix
and the Unix tab to manage Unix information)
- or install Samba and use winbind to map Windows AD account
information (SID) to Linux accounts (uidNumber).




-----------------------------------
Stéphane PURNELLE Admin. Systèmes et Réseaux
Service Informatique Corman S.A. Tel : 00 32 (0)87/342467

samba-...@lists.samba.org wrote on 18/12/2013 15:40:37:

> De : Cyril <cyril....@3d-com.fr>
> A : sa...@lists.samba.org,
> Date : 18/12/2013 15:41
> Objet : [Samba] Linux client of the domain
> Envoyé par : samba-...@lists.samba.org

Rowland Penny

Dec 18, 2013, 9:53:52 AM
On 18/12/13 14:40, Cyril wrote:
> Hello,
>
> I think I'm starting to understand how Linux client can be integrated
> into a samba domain.
>
> Tell me if I'm wrong :
>
> Linux clients don't need Samba for authentication, only the ldap part
> of samba.
Linux clients can get their authentication from either a local database
or a remote database (this can be LDAP based or AD based), but if going
for remote auth, you really need Samba.
> sssd through kerberos get information from ldap. If the user is known
> or get the right, he can log.

If sssd can extract the users' info, then yes, they can log in.

>
> So why should I need to install winbind and samba4 on the linux client ?
> Is it only if I have a Windows AD ?

You can have Samba without winbind; which version of Samba you use is up
to you, but 3.6 is now in security-fixes mode. Samba 4 can be run just
the same as 3.x was; it does not have to be an Active Directory controller.

Rowland

Rowland Penny

Dec 18, 2013, 9:57:12 AM
On 18/12/13 14:51, Stéphane PURNELLE wrote:
> Hi,
>
> You have 2 possibility :
>
> - Use sssd to connect to a AD server (but you need to add service for unix
> and Unix tab for manage unix information)
You do not have to have SFU; sssd can be set up to give results similar
to the winbind rid backend, though I personally don't recommend this.

Rowland

> - or install samba and use winbind for mapping windows AD account
> information (SID) to linux account (uidNumber).
>
>
>
>
> -----------------------------------
> Stéphane PURNELLE Admin. Systèmes et Réseaux
> Service Informatique Corman S.A. Tel : 00 32 (0)87/342467
>
> samba-...@lists.samba.org wrote on 18/12/2013 15:40:37:
>
>> De : Cyril <cyril....@3d-com.fr>
>> A : sa...@lists.samba.org,
>> Date : 18/12/2013 15:41
>> Objet : [Samba] Linux client of the domain
>> Envoyé par : samba-...@lists.samba.org
>>
>> Hello,
>>
>> I think I'm starting to understand how Linux client can be integrated
>> into a samba domain.
>>
>> Tell me if I'm wrong :
>>
>> Linux clients don't need Samba for authentication, only the ldap part of
>> samba.
>> sssd through kerberos get information from ldap. If the user is known or
>> get the right, he can log.
>>
>> So why should I need to install winbind and samba4 on the linux client ?
>> Is it only if I have a Windows AD ?
>>
>>

steve

Dec 18, 2013, 10:31:31 AM
On Wed, 2013-12-18 at 15:51 +0100, Stéphane PURNELLE wrote:

>
> - Use sssd to connect to a AD server (but you need to add service for unix
> and Unix tab for manage unix information)

You do not need 'service for unix', nor a 'unix tab' for sssd
integration.
HTH
Steve

Robert Heller

Dec 18, 2013, 10:33:10 AM
At Wed, 18 Dec 2013 15:40:37 +0100 Cyril <cyril....@3d-com.fr> wrote:

>
> Hello,
>
> I think I'm starting to understand how Linux client can be integrated
> into a samba domain.
>
> Tell me if I'm wrong :
>
> Linux clients don't need Samba for authentication, only the ldap part of
> samba.
> sssd through kerberos get information from ldap. If the user is known or
> get the right, he can log.
>
> So why should I need to install winbind and samba4 on the linux client ?
> Is it only if I have a Windows AD ?

*IF* the server is Linux and if authentication is via LDAP (e.g. OpenLDAP is
running on the server) AND IF NFS is installed and set up on the server, the
*Linux* client does not need any of Samba at all. It can authenticate via LDAP,
share server disks (e.g. /home/$USER) via NFS (and automount/autofs), and access
printers on the server via CUPS (with 'sharing' enabled). The 'native' Linux
disk 'sharing' is via NFS, 'native' print sharing is via CUPS, and one of the
'native' server authentication methods is LDAP (another is Kerberos). A Linux
*client* only needs Samba if the server is Windows based.

(Note: the above *also* can apply to MacOSX or *BSD, with the right software
installed. I don't know if NFS is part of the base MacOSX install or not -- it
should be for Linux or *BSD, at least the client side, ie nfs_mount and nfsfs
kernel modules -- the nfsd daemon might be an optional package, depending on
the distro.)

>
>
> Thanks
> Cyril
>

--
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software -- http://www.deepsoft.com/
() ascii ribbon campaign -- against html e-mail
/\ www.asciiribbon.org -- against proprietary attachments

Cyril Lalinne

Dec 18, 2013, 10:58:04 AM
It's clearer now.
Thanks!

Cyril

Cyril

Dec 18, 2013, 11:03:13 AM
Le 18/12/2013 16:31, steve a écrit :
> On Wed, 2013-12-18 at 15:51 +0100, Stéphane PURNELLE wrote:
>
>>
>> - Use sssd to connect to a AD server (but you need to add service for unix
>> and Unix tab for manage unix information)
>
> You do not need 'service for unix', nor a 'unix tab' for sssd
> integration.
> HTH
> Steve
>
>
You may need it if you want to get Unix information from LDAP, no? Then
you can centralize Windows login and Unix login in the same user object
in the AD.

Rowland Penny

Dec 18, 2013, 11:09:09 AM
On 18/12/13 16:03, Cyril wrote:
> Le 18/12/2013 16:31, steve a écrit :
>> On Wed, 2013-12-18 at 15:51 +0100, Stéphane PURNELLE wrote:
>>
>>>
>>> - Use sssd to connect to a AD server (but you need to add service
>>> for unix
>>> and Unix tab for manage unix information)
>>
>> You do not need 'service for unix', nor a 'unix tab' for sssd
>> integration.
>> HTH
>> Steve
>>
>>
> You may need it if you want to get unix information from LDAP, no?.
> Then you can centralize windows login and Unix login in the same user
> object in the AD.
>
> Cyril
>
>
Whilst it is probably better to use the Windows SFU attributes, you can
set sssd to give much the same info without them. See the various sssd
manpages.

Rowland

steve

Dec 18, 2013, 11:14:06 AM
On Wed, 2013-12-18 at 17:03 +0100, Cyril wrote:
> Le 18/12/2013 16:31, steve a écrit :
> > On Wed, 2013-12-18 at 15:51 +0100, Stéphane PURNELLE wrote:
> >
> >>
> >> - Use sssd to connect to a AD server (but you need to add service for unix
> >> and Unix tab for manage unix information)
> >
> > You do not need 'service for unix', nor a 'unix tab' for sssd
> > integration.
> > HTH
> > Steve
> >
> >
> You may need it if you want to get unix information from LDAP, no?. Then
> you can centralize windows login and Unix login in the same user object
> in the AD.


No, not at all. All the LDAP information you need for single domain sign-on
to both Linux and Windows is available with or without it. You only
need SFU if you want to administer Linux domain users on a Windows box.
HTH
Steve

Cyril

Dec 18, 2013, 11:51:35 AM
Le 18/12/2013 17:14, steve a écrit :
> On Wed, 2013-12-18 at 17:03 +0100, Cyril wrote:
>> Le 18/12/2013 16:31, steve a écrit :
>>> On Wed, 2013-12-18 at 15:51 +0100, Stéphane PURNELLE wrote:
>>>
>>>>
>>>> - Use sssd to connect to a AD server (but you need to add service for unix
>>>> and Unix tab for manage unix information)
>>>
>>> You do not need 'service for unix', nor a 'unix tab' for sssd
>>> integration.
>>> HTH
>>> Steve
>>>
>>>
>> You may need it if you want to get unix information from LDAP, no?. Then
>> you can centralize windows login and Unix login in the same user object
>> in the AD.
>
>
> No, not at all. All the ldap information you need for single domain sign
> on to both Linux and windows is available with or without it. You only
> need sfu if you want to administer Linux domain users on a windows box.
> HTH
> Steve
>
>
Is SFU included in RSAT?

I have attached a screenshot of "AD Users and Computers" on a Windows
box that I use to administer the domain.

Cyril

Rowland Penny

Dec 18, 2013, 12:01:10 PM
No attachment found, but if you want to use a Windows machine to
administer domain Linux clients then you need the SFU attributes. These
are standard after Windows Server 2003 R2 and are included with
Samba4, but you need to either provision with --use-rfc2307 or later add
the 'ypServ30.ldif'. You may then have a problem getting the UNIX
Attributes tab to show in RSAT; a quick Google search should find you the way
to sort that problem.

Rowland

Cyril

Dec 18, 2013, 12:04:19 PM
That's what I have done.

So I'm using SFU without knowing it !

Cyril

Rowland Penny

Dec 18, 2013, 12:31:42 PM
But which? Is your AD server Windows or Samba4?

Rowland

Cyril Lalinne

Dec 19, 2013, 4:46:31 AM
My AD server is Samba4. I use the option "--use-rfc2307".
The Unix attributes were available from the beginning.

Cyril

Cyril

Dec 19, 2013, 8:27:04 AM
Le 18/12/2013 15:40, Cyril a écrit :
> Hello,
>
> I think I'm starting to understand how Linux client can be integrated
> into a samba domain.
>
> Tell me if I'm wrong :
>
> Linux clients don't need Samba for authentication, only the ldap part of
> samba.
> sssd through kerberos get information from ldap. If the user is known or
> get the right, he can log.
>
> So why should I need to install winbind and samba4 on the linux client ?
> Is it only if I have a Windows AD ?
>
>
> Thanks
> Cyril
>

I can't get sssd working and I don't know why.

On the network, I have a Samba4 install on a CentOS 6.4.
This server is also the DHCP server.
There's no other server on the domain.

A Win7 workstation has already joined the domain.

I'm following this wiki:

https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd

to add a Linux workstation (Ubuntu 12.04 LTS) to the domain. The goal is
to get users to authenticate with the same username/password as on Windows.

On the workstation:
I have installed the sssd and krb5-user packages from the Ubuntu repository.
The module libsasl2-modules-gssapi-MIT is already installed.

I have created a security directory in /lib64 and linked the file:
# ln -s /usr/local/lib/security/pam_sss.so /lib64/security/
Then when I do:
ldconfig -v | grep sss
libnss_sss.so.2 -> libnss_sss.so.2

On the server:
I have extracted the keytab.

On the workstation:
I have configured sssd.conf with LDAP as id_provider (sssd version < 1.10.0).
I checked /etc/nsswitch.conf; sss is already added.

If I run:
getent passwd

I only get local profiles.

Any idea what I missed?
Are there other tests I can do to find out what's wrong?

Thanks,

Rowland Penny

Dec 19, 2013, 8:38:50 AM
You missed that there is a ppa with a later version of sssd ;-)

nano /etc/apt/sources.list
Add:

# sssd
deb http://ppa.launchpad.net/sssd/updates/ubuntu precise main
deb-src http://ppa.launchpad.net/sssd/updates/ubuntu precise main

Then run the following commands:

gpg --keyserver subkeys.pgp.net --recv B9BF7660CA45F42B

gpg --export --armor CA45F42B | sudo apt-key add -

apt-get update

apt-get -y install sssd sssd-tools

I take it that you have checked and altered /etc/sssd/sssd.conf to suit
your environment?

Rowland

steve

Dec 19, 2013, 10:05:38 AM
On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
> Le 18/12/2013 15:40, Cyril a écrit :
> > Hello,
> >
> > I think I'm starting to understand how Linux client can be integrated
> > into a samba domain.
> >
> > Tell me if I'm wrong :
> >
> > Linux clients don't need Samba for authentication, only the ldap part of
> > samba.
> > sssd through kerberos get information from ldap. If the user is known or
> > get the right, he can log.
> >
> > So why should I need to install winbind and samba4 on the linux client ?
> > Is it only if I have a Windows AD ?
> >
> >
> > Thanks
> > Cyril
> >
>
> I can't get sssd working and I don't know why.

Hi
Please post the censored content of:
/etc/sssd/sssd.conf
and the passwd and group greps of:
/etc/nsswitch.conf
and, for later:
/etc/pam.d/common-auth
Steve

Cyril

Dec 19, 2013, 10:13:31 AM
Le 19/12/2013 14:38, Rowland Penny a écrit :
> On 19/12/13 13:27, Cyril wrote:
>> Le 18/12/2013 15:40, Cyril a écrit :
>>> Hello,
>>>
>>> I think I'm starting to understand how Linux client can be integrated
>>> into a samba domain.
>>>
>>> Tell me if I'm wrong :
>>>
>>> Linux clients don't need Samba for authentication, only the ldap part of
>>> samba.
>>> sssd through kerberos get information from ldap. If the user is known or
>>> get the right, he can log.
>>>
>>> So why should I need to install winbind and samba4 on the linux client ?
>>> Is it only if I have a Windows AD ?
>>>
>>>
>>> Thanks
>>> Cyril
>>>
>>
>> I can't get sssd working and I don't know why.
>>
:-)

I have removed sssd and sssd-tools, re-installed from the PPA and
updated the sssd.conf file, as the sssd version is > 1.10.

Now I can run sss_cache!

But getent passwd still gives me local users.

And in the log files, I have these errors:
sssd_default.log:
(Thu Dec 19 15:44:42 2013) [sssd[be[default]]] [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
(Thu Dec 19 15:44:42 2013) [sssd[be[default]]] [be_process_init] (0x0010): fatal error initializing data providers
(Thu Dec 19 15:44:42 2013) [sssd[be[default]]] [main] (0x0010): Could not initialize backend [2]

sssd.log:
(Thu Dec 19 15:44:42 2013) [sssd] [mt_svc_exit_handler] (0x0010): Process [default], definitely stopped!


How can I test Kerberos from the workstation?

Cyril

Rowland Penny

Dec 19, 2013, 10:30:52 AM
Who owns /etc/sssd/sssd.conf? It should be root:root and 0600; if this is
how it is set, please post a sanitized version of sssd.conf.

Rowland

Cyril

Dec 19, 2013, 10:49:08 AM
Root owns the file and I did chmod 600 on it (I had the error in
the log ;-) ).
I'll reply to Steve with a copy of my configuration.

Cyril

Dec 19, 2013, 10:53:42 AM
Le 19/12/2013 16:05, steve a écrit :

> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>> Le 18/12/2013 15:40, Cyril a écrit :
>>> Hello,
>>>
>>> I think I'm starting to understand how Linux client can be integrated
>>> into a samba domain.
>>>
>>> Tell me if I'm wrong :
>>>
>>> Linux clients don't need Samba for authentication, only the ldap part of
>>> samba.
>>> sssd through kerberos get information from ldap. If the user is known or
>>> get the right, he can log.
>>>
>>> So why should I need to install winbind and samba4 on the linux client ?
>>> Is it only if I have a Windows AD ?
>>>
>>>
>>> Thanks
>>> Cyril
>>>
>>
>> I can't get sssd working and I don't know why.
>
> Hi
> Please post the censored content of:
> /etc/sssd/sssd.conf
> and the passwd and group greps of:
> /etc/nsswitch.conf
> and, for later:
> /etc/pam.d/common-auth
> Steve
>
>

The workstation is an Ubuntu 12.04 LTS 64-bit.

/etc/sssd/sssd.conf:

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
ad_hostname = myserver.sub-domain.domain.fr
ad_server = myserver.sub-domain.domain.fr
ad_domain = sub-domain.domain.fr

ldap_schema = ad
id_provider = ad
access_provider = simple

# on large directories, you may want to disable enumeration for performance reasons
enumerate = true

auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = myse...@SUBDOMAIN.DOMAIN.FR
krb5_realm = SUBDOMAIN.DOMAIN.FR
krb5_server = myserver.sub-domain.domain.fr
krb5_kpasswd = myserver.sub-domain.domain.fr
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_krb5_init_creds = true

ldap_referrals = false
ldap_uri = ldap://myserverIPadress
ldap_search_base = dc=subdomain,dc=domain,dc=fr

dyndns_update=false

/etc/nsswitch.conf

passwd: compat sss
group: compat sss
shadow: compat

hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
sudoers: files sss

/etc/pam.d/common-auth


# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config

Cyril

steve

Dec 19, 2013, 11:13:30 AM

Too much to correct. Could you compare with a working config and change
as necessary? E.g.
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html

>
> /etc/nsswitch.conf
>
> passwd: compat sss
> group: compat sss
> shadow: compat
>

OK

> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
> sudoers: files sss
>
> /etc/pam.d/common-auth
>
>
> # here are the per-package modules (the "Primary" block)
> auth [success=1 default=ignore] pam_unix.so nullok_secure
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> auth optional pam_cap.so
> # end of pam-auth-update config
>

Nope. We're gonna need to add sss here. But let's get connected first.

Can you give us a:
klist -ke /etc/krb5.sssd.keytab
How did you create it?

HTH
Steve

Rowland Penny

Dec 19, 2013, 11:17:35 AM
> /etc/nsswitch.conf
>
> passwd: compat sss
> group: compat sss
> shadow: compat
>
> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
> sudoers: files sss
>
> /etc/pam.d/common-auth
>
>
> # here are the per-package modules (the "Primary" block)
> auth [success=1 default=ignore] pam_unix.so nullok_secure
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one
> already;
> # this avoids us returning an error just because nothing sets a
> success code
> # since the modules above will each just jump around
> auth required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> auth optional pam_cap.so
> # end of pam-auth-update config
>
>
>
> Cyril
>
As Steve says, might as well start with a new sssd.conf, here is a
working (sanitized) version from the laptop I am typing on ;-)

[sssd]


config_file_version = 2
domains = default

services = nss, pam

[nss]

[pam]

[domain/default]
description = AD domain with Samba 4 server
cache_credentials = true
enumerate = true
id_provider = ldap


auth_provider = krb5
chpass_provider = krb5

access_provider = ldap
autofs_provider = ldap
sudo_provider = ldap

krb5_server = your.Samba4server.FQDN
krb5_kpasswd = your.Samba4server.FQDN
krb5_realm = UPPERCASE.REALM

ldap_referrals = false
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

ldap_group_object_class = group
ldap_group_name = sAMAccountName

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
ldap_krb5_init_creds = true

Rowland

steve

Dec 19, 2013, 11:22:49 AM

@Rowland
Is the OP on sssd <= 1.9.x ?
Steve

Rowland Penny

Dec 19, 2013, 11:42:18 AM
He posted earlier that he was using Ubuntu 12.04, so I suggested that he
used the sssd ppa. I believe that he is now using this ppa and if so, he
should be using 1.11.1

Rowland

Cyril

Dec 19, 2013, 11:46:43 AM
Yes that's what I did.

But I think Steve would like to know the version on the laptop you're
currently using.

Rowland Penny

Dec 19, 2013, 11:53:57 AM
Thanks for confirming that, but you are the 'OP' he referred to, OP =
original poster

Rowland

Cyril Lalinne

Dec 19, 2013, 12:00:26 PM

:-)

Cyril

Cyril

Dec 19, 2013, 12:03:54 PM
Le 19/12/2013 17:13, steve a écrit :
> Too much to correct. Cold you compare with a working config and change
> as necessary? E.g.
> http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
>

The configuration file is very different.

I'm running sssd 1.11.0, I should be able to use the AD id_provider.

I'll have a try with ldap id_provider.


>>
>> /etc/nsswitch.conf
>>
>> passwd: compat sss
>> group: compat sss
>> shadow: compat
>>

> OK


>
>> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>> sudoers: files sss
>>
>> /etc/pam.d/common-auth
>>
>>
>> # here are the per-package modules (the "Primary" block)
>> auth [success=1 default=ignore] pam_unix.so nullok_secure
>> # here's the fallback if no module succeeds
>> auth requisite pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> auth required pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> auth optional pam_cap.so
>> # end of pam-auth-update config
>>
>

> Nope. We're gonna need to add sss here. But let's get connected first.
>
> Can you give us a:
> klist -ke /etc/krb5.sssd.keytab
> How did you create it?
>
> HTH
> Steve
>
>

Running klist -ke /etc/krb5.sssd.keytab on the server gives me:

Keytab name: FILE:/etc/krb5.sssd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 myserver$@SUBDOMAIN.DOMAIN.FR (des-cbc-crc)
1 myserver$@SUBDOMAIN.DOMAIN.FR (des-cbc-md5)
1 myserver$@SUBDOMAIN.DOMAIN.FR (arcfour-hmac)

Is the "$" normal?
I created this file by running:

# samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=myserver$
# chown root:root /etc/krb5.sssd.keytab
# chmod 600 /etc/krb5.sssd.keytab

Weird, this $ symbol at the end of the command, no?
I got this command from the wiki, here:
https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd#Method_1:_Connecting_to_AD_via_Kerberos_.28recommended.29

steve

Dec 19, 2013, 12:10:46 PM

> >
> > Can you give us a:
> > klist -ke /etc/krb5.sssd.keytab
> > How did you create it?
> >
> > HTH
> > Steve
> >
> >
>
>
>
> Runnig klist -ke /etc/krb5.sssd.keytab on the server give me :
>
> Keytab name: FILE:/etc/krb5.sssd.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 1 myserver$@SUBDOMAIN.DOMAIN.FR (des-cbc-crc)
> 1 myserver$@SUBDOMAIN.DOMAIN.FR (des-cbc-md5)
> 1 myserver$@SUBDOMAIN.DOMAIN.FR (arcfour-hmac)
>
> Is the "$" normal ?

Yes. It's windows for 'machine key'.

> I create this file running :


>
> # samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=myserver$
> # chown root:root /etc/krb5.sssd.keytab
> # chmod 600 /etc/krb5.sssd.keytab

Perfect.
>
> weird this $ symbole at the end of the command no ?

It's fine. It's friendly. We love machine keys here.
Steve

steve

Dec 19, 2013, 12:16:00 PM
On Thu, 2013-12-19 at 18:00 +0100, Cyril Lalinne wrote:
> Le 19/12/2013 17:53, Rowland Penny a écrit :
> > On 19/12/13 16:46, Cyril wrote:
> >> Le 19/12/2013 17:42, Rowland Penny a écrit :
> >>> On 19/12/13 16:22, steve wrote:
> >>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
> >>>>>> /etc/nsswitch.conf
> >>>>>>
> >>>>>> passwd: compat sss
> >>>>>> group: compat sss
> >>>>>> shadow: compat
> >>>>>>
> >>>>>> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
> >>>>>> networks: files
> >>>>>>
> >>>>>> protocols: db files
> >>>>>> services: db files
> >>>>>> ethers: db files
> >>>>>> rpc: db files
> >>>>>>
> >>>>>> netgroup: nis
> >>>>>> sudoers: files sss
> >>>>>>
> >>>>>> /etc/pam.d/common-auth
> >>>>>>
> >>>>>>
> >>>>>> # here are the per-package modules (the "Primary" block)
> >>>>>> auth [success=1 default=ignore] pam_unix.so nullok_secure
> >>>>>> # here's the fallback if no module succeeds
> >>>>>> auth requisite pam_deny.so
> >>>>>> # prime the stack with a positive return value if there isn't one
> >>>>>> already;
> >>>>>> # this avoids us returning an error just because nothing sets a
> >>>>>> success code
> >>>>>> # since the modules above will each just jump around
> >>>>>> auth required pam_permit.so
> >>>>>> # and here are more per-package modules (the "Additional" block)
> >>>>>> auth optional pam_cap.so
> >>>>>> # end of pam-auth-update config
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Cyril
> >>>>>>
> >>>>> As Steve says, might as well start with a new sssd.conf, here is a
> >>>>> working (sanitized) version from the laptop I am typing on ;-)
> >>>>>
> >>>>> [sssd]
> >>>>> config_file_version = 2
> >>>>> domains = default
> >>>>> services = nss, pam
> >>>>>
> >>>>> [nss]
> >>>>>
> >>>>> [pam]
> >>>>>
> >>>>> [domain/default]
> >>>>> description = AD domain with Samba 4 server
> >>>>> cache_credentials = true
> >>>>> enumerate = true
> >>>>> id_provider = ldap
> >>>>> auth_provider = krb5
> >>>>> chpass_provider = krb5

OK. Glad we've got that one sorted.

Just for completeness, here's a working 1.11.1 sssd.conf with all the ad
and autofs bits:
[sssd]
#debug_level = 9
services = nss, pam, autofs


config_file_version = 2
domains = default

[nss]

[pam]

[autofs]

[domain/default]
#debug_level = 9
dyndns_update=true
#dyndns_refresh_interval = 8
ad_hostname = catral.hh3.site
ad_server = hh16.hh3.site
ad_domain = hh3.site

ldap_schema = ad
id_provider = ad

access_provider = ad
enumerate = false
cache_credentials = true
#entry_cache_timeout = 60
auth_provider = ad
chpass_provider = ad
krb5_realm = hh3.site
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site

ldap_id_mapping=false
ldap_referrals = false
ldap_uri = ldap://hh16.hh3.site
ldap_search_base = dc=hh3,dc=site
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=hh3,dc=site
ldap_group_name = cn
ldap_group_member = member

ldap_sasl_mech = gssapi
ldap_sasl_authid = CATRAL$@HH3.SITE
krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true

autofs_provider=ldap

#ldap_autofs_search_base = CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
#ldap_autofs_map_object_class = nisMap
#ldap_autofs_entry_object_class = nisObject
#ldap_autofs_map_name = nisMapName
#ldap_autofs_entry_key = cn
#ldap_autofs_entry_value = nisMapEntry

ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
ldap_autofs_map_object_class = automountMap
ldap_autofs_entry_object_class = automount
ldap_autofs_map_name = automountMapName
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation


Please note that we must canonicalise IPs. We must use a DNS-resolvable
name, NOT a series of numbers. I think.

HTH

Cyril

Dec 19, 2013, 12:16:42 PM
Le 19/12/2013 18:10, steve a écrit :
>
>>>
>>> Can you give us a:
>>> klist -ke /etc/krb5.sssd.keytab
>>> How did you create it?
>>>
>>> HTH
>>> Steve
>>>
>>>
>>
>>
>>
>> Runnig klist -ke /etc/krb5.sssd.keytab on the server give me :
>>
>> Keytab name: FILE:/etc/krb5.sssd.keytab
>> KVNO Principal
>> ----
>> --------------------------------------------------------------------------
>> 1 myserver$@SUBDOMAIN.DOMAIN.FR (des-cbc-crc)
>> 1 myserver$@SUBDOMAIN.DOMAIN.FR (des-cbc-md5)
>> 1 myserver$@SUBDOMAIN.DOMAIN.FR (arcfour-hmac)
>>
>> Is the "$" normal ?
>
> Yes. It's windows for 'machine key'.
>
>> I create this file running :
>
>
>>
>> # samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=myserver$
>> # chown root:root /etc/krb5.sssd.keytab
>> # chmod 600 /etc/krb5.sssd.keytab
>
> Perfect.
>>
>> weird this $ symbole at the end of the command no ?
>
> It's fine. It's friendly. We love machine keys here.
> Steve
>
>
Does that mean that this line :
ldap_sasl_authid = myse...@SUBDOMAIN.DOMAIN.FR
should be
ldap_sasl_authid = myserver$@SUBDOMAIN.DOMAIN.FR
?


Cyril

steve

Dec 19, 2013, 12:24:23 PM

Yes.

Steve

Cyril

Dec 19, 2013, 1:00:42 PM

I made an error on:
ldap_sasl_authid, I forgot the $ sign
ad_hostname, I used the server name instead of the workstation's one

But it is still not working.
But I have more information from sssd's log as I use debug_level = 9.

Maybe an interesting one:
(Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
(Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [select_principal_from_keytab] (0x0080): No suitable principal found in keytab
(Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [ad_set_ad_id_options] (0x0040): Cannot set the SASL-related options
(Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module] (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
(Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init] (0x0010): fatal error initializing data providers

There's an issue with Kerberos.

Does the keytab have to be local?
Or does the system use the server's one?

Cyril

Denis Cardon

Dec 19, 2013, 1:08:43 PM
Hi Cyril,

...snip...


> I made an error on:
> ldap_sasl_authid, I forgot the $ sign
> ad_hostname, I used the server name instead of the workstation's
>
> But it is still not working.
> But I have more information from sssd's log as I use debug_level = 9.
>
> Maybe an interesting one:
> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]]
> select_principal_from_keytab] (0x0200): trying to select the most
> appropriate principal from keytab
> (Thu Dec 19 18:47:52 2013) [sssd[be[default]] [find_principal_in_keytab]
> (0x0020): krb5_kt_start_seq_get failed.
> (Thu Dec 19 18:47:56 2013)
> [sssd[be[default]]][select_principal_from_keytab] (0x0080): No suitable
> principal found in keytab
> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]]
> [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module]
> (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init]
> (0x0010): fatal error initializing data providers

There is/was a bug in sssd initialisation where the ldap_sasl_authid has
to be in the same case, letter by letter, as the entry in the keytab (even
if you have mixed case). I think the Kerberos entry should be case insensitive.

About another bug earlier in the thread about having no provider or
something like this, it is probably an error about missing sasl/ldap
libraries. Those libraries are not required for sssd so they are not
always in the dependencies in packaging. Here are the entries we have in our
in-house sssd package:
libsasl2-modules-ldap,libsasl2-modules-gssapi-mit,libsasl2-2,libldap-2.4-2

Hope this helps,

Denis

> There's an issue with Kerberos.
>
> Does the keytab have to be local?
> Or does the system use the server one?
>
> Cyril


--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

Rowland Penny

Dec 19, 2013, 1:11:02 PM
> I made an error on:
> ldap_sasl_authid, I forgot the $ sign
> ad_hostname, I used the server name instead of the workstation's
>
> But it is still not working.
> But I have more information from sssd's log as I use debug_level = 9.
>
> Maybe an interesting one:
> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]]
> select_principal_from_keytab] (0x0200): trying to select the most
> appropriate principal from keytab
> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]
> [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
> (Thu Dec 19 18:47:56 2013)
> [sssd[be[default]]][select_principal_from_keytab] (0x0080): No
> suitable principal found in keytab
> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]]
> [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module]
> (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init]
> (0x0010): fatal error initializing data providers
>
> There's an issue with Kerberos.
>
> Does the keytab have to be local?
> Or does the system use the server one?
>
> Cyril
>
If you use samba, then, when you join the machine to the domain, a
keytab should be created, '/etc/krb5.keytab'; are you using this keytab?
If unsure, have a look here:
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server

For 'Windows 2008 Server Setup' read 'Samba 4 Server Setup', ignore the
bit about creating a keytab on the windows server.

Rowland

steve

Dec 19, 2013, 1:16:55 PM

No. The OP is using a samba-tool-generated keytab
at /etc/krb5.sssd.keytab

For simplicity, could I suggest using the machine key that was generated
in /etc/krb5.conf when the client joined the domain? Where is this
anyway? On a DC or on a client box?

If you generated the keytab on the DC then of course it must be
transferred to the client using e.g. scp or a USB memory.

Steve

Cyril

Dec 20, 2013, 4:18:58 AM
Hi Denis,

Le 19/12/2013 19:08, Denis Cardon a écrit :
> Hi Cyril,
>
> ...snip...


>> I made an error on:
>> ldap_sasl_authid, I forgot the $ sign
>> ad_hostname, I used the server name instead of the workstation's
>>
>> But it is still not working.
>> But I have more information from sssd's log as I use debug_level = 9.
>>
>> Maybe an interesting one:
>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]]
>> select_principal_from_keytab] (0x0200): trying to select the most
>> appropriate principal from keytab
>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]] [find_principal_in_keytab]
>> (0x0020): krb5_kt_start_seq_get failed.
>> (Thu Dec 19 18:47:56 2013)
>> [sssd[be[default]]][select_principal_from_keytab] (0x0080): No suitable
>> principal found in keytab
>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]]
>> [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module]
>> (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init]
>> (0x0010): fatal error initializing data providers
>

> There is/was a bug in sssd initialisation where the ldap_sasl_authid has
> to be in the same case, letter by letter, as the entry in the keytab (even
> if you have mixed case). I think the Kerberos entry should be case insensitive.
>
> About another bug earlier in the thread about having no provider or
> something like this, it is probably an error about missing sasl/ldap
> libraries. Those libraries are not required for sssd so they are not
> always in the dependencies in packaging. Here are the entries we have in our
> in-house sssd package:
> libsasl2-modules-ldap,libsasl2-modules-gssapi-mit,libsasl2-2,libldap-2.4-2
>
> Hope this helps,
>
> Denis
>

I changed the ldap_sasl_authid to take care of the letter case.
And I checked the sssd packages ... they were already all installed.

But there's still an error about Kerberos: "No suitable principal found
in keytab"

Thanks Denis !
Cyril

Cyril

Dec 20, 2013, 4:37:16 AM
>>> I made an error on:
>>> ldap_sasl_authid, I forgot the $ sign
>>> ad_hostname, I used the server name instead of the workstation's
>>>
>>> But it is still not working.
>>> But I have more information from sssd's log as I use debug_level = 9.
>>>
>>> Maybe an interesting one:
>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]]
>>> select_principal_from_keytab] (0x0200): trying to select the most
>>> appropriate principal from keytab
>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]
>>> [find_principal_in_keytab] (0x0020): krb5_kt_start_seq_get failed.
>>> (Thu Dec 19 18:47:56 2013)
>>> [sssd[be[default]]][select_principal_from_keytab] (0x0080): No
>>> suitable principal found in keytab
>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]]
>>> [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module]
>>> (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init]
>>> (0x0010): fatal error initializing data providers
>>>
>>> There's an issue with Kerberos.
>>>
>>> Does the keytab have to be local?
>>> Or does the system use the server one?
>>>
>>> Cyril
>>>
>> If you use samba, then, when you join the machine to the domain, a
>> keytab should be created, '/etc/krb5.keytab'; are you using this keytab?
>
> No. The OP is using a samba-tool-generated keytab
> at /etc/krb5.sssd.keytab
>
> For simplicity, could I suggest using the machine key that was generated
> in /etc/krb5.conf when the client joined the domain? Where is this
> anyway? On a DC or on a client box?
>
> If you generated the keytab on the DC then of course it must be
> transferred to the client using e.g. scp or a USB memory.
>
> Steve
>
>
>> If unsure, have a look here:
>> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
>>
>> For 'Windows 2008 Server Setup' read 'Samba 4 Server Setup', ignore the
>> bit about creating a keytab on the windows server.
>>
>> Rowland
>
>
I copied the file /etc/krb5.sssd.keytab to the workstation.

I had to reboot the workstation. Restarting the sssd service just hangs.
And I still have the same error:

(Fri Dec 20 09:28:31 2013) [sssd[be[default]]]
[sdap_set_sasl_options](0x2000): authid contains realm [SUBDOMAIN.DOMAIN.FR]
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]]
[sdap_set_sasl_options](0x0100): Will look for
myserver$@SUBDOMAIN.DOMAIN.FR in default keytab
(Fri Dec 20 09:28:31 2013)
[sssd[be[default]]][select_principal_from_keytab] (0x0200): trying to
select the most appropriate principal from keytab
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]][find_principal_in_keytab]
(0x0020): krb5_kt_start_seq_get failed.
(Fri Dec 20 09:28:31 2013)
[sssd[be[default]]][select_principal_from_keytab] (0x0080): No suitable
principal found in keytab
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]]
[ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]]
[load_backend_module](0x0010): Error (2) in module (ad) initialization
(sssm_ad_id_init)!
(Fri Dec 20 09:28:31 2013) [sssd[be[default]]]
[be_process_init](0x0010): fatal error initializing data providers

If I run on the workstation:
kinit admini...@SUBDOMAIN.DOMAIN.FR
It asks me for the admin password, then I get the warning message about
expiration.
kinit myserver$@SUBDOMAIN.DOMAIN.FR
It also asks me for a password but the admin's one doesn't work.

Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR
first, before generating the keytab on the DC?

Rowland Penny

Dec 20, 2013, 4:44:15 AM
What is actually in your keytab?

Run ktutil on the client to find out:
sudo ktutil
ktutil: rkt /etc/krb5.sssd.keytab
ktutil: l

and before you ask :

ktutil: l <---- this is a lowercase L

and then post the result here.

Rowland

Cyril Lalinne

Dec 20, 2013, 4:53:32 AM
Here is the result :

ktutil: rkt /etc/krb5.sssd.keytab
ktutil: l
slot KVNO Principal
---- ----
---------------------------------------------------------------------
1 1 myserver$@SUBDOMAIN.DOMAIN.FR
2 1 myserver$@SUBDOMAIN.DOMAIN.FR
3 1 myserver$@SUBDOMAIN.DOMAIN.FR

Cyril

Rowland Penny

Dec 20, 2013, 5:06:48 AM
Well, that looks ok, but how did you create the keytab? I seem to
remember that you copied it across from the server, so who does it
belong to and what are the permissions? I have samba running on my
client and joined the machine to the domain and /etc/krb5.keytab was
created, owned by root:root and rw only for root.

Looking at what you posted, it seems that it cannot find your principal
in the default keytab, does this mean that it is looking for
/etc/krb5.keytab ?

Rowland

Rowland Penny

Dec 20, 2013, 5:13:56 AM
OK, try changing (in /etc/sssd/sssd.conf)

'ldap_krb5_keytab = /etc/krb5.sssd.keytab'

To

'krb5_keytab = /etc/krb5.sssd.keytab'
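Denis's point about the letter-by-letter match and Rowland's change of keytab option can both be checked mechanically before restarting sssd. The script below is an added example, not code from the thread or from the sssd project: it reads the [domain/...] section of an sssd.conf and a "ktutil: l" listing (both constructed here in the formats shown in this thread, with the case mismatch and the ldap_krb5_keytab-only setting reproduced on purpose) and reports each mismatch it finds. The keytab-option finding reflects what Cyril's log showed (sssd searched the default keytab while only ldap_krb5_keytab was set with id_provider = ad), not a statement about every sssd release.

```python
"""Consistency check between sssd.conf and the principals in a keytab.

Added example, not from the thread.  All input is constructed text in the
formats that appear in the thread; ktutil itself is not executed.
"""
import configparser
import re

# Constructed sssd.conf excerpt.  Two of the thread's mistakes are
# reproduced on purpose: the host part differs in case from the keytab
# entry, and only ldap_krb5_keytab (not krb5_keytab) is set.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ad
ad_hostname = workstation.subdomain.domain.fr
ldap_sasl_authid = MYSERVER$@SUBDOMAIN.DOMAIN.FR
ldap_krb5_keytab = /etc/krb5.sssd.keytab
"""

# Constructed 'ktutil: l' listing in the layout Cyril posted.
SAMPLE_KTUTIL_LISTING = """\
ktutil: rkt /etc/krb5.sssd.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------
   1    1 myserver$@SUBDOMAIN.DOMAIN.FR
   2    1 myserver$@SUBDOMAIN.DOMAIN.FR
   3    1 myserver$@SUBDOMAIN.DOMAIN.FR
"""

KTUTIL_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")


def keytab_principals(listing):
    """Return the set of principal names listed by 'ktutil: l'."""
    found = set()
    for line in listing.splitlines():
        m = KTUTIL_ROW.match(line)
        if m:
            found.add(m.group(3))
    return found


def domain_options(conf_text, domain="default"):
    """Return the options of [domain/<domain>] as a dict (keys lowercased)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    section = "domain/" + domain
    return dict(parser[section]) if parser.has_section(section) else {}


def audit(conf_text, ktutil_listing, domain="default"):
    """Return a list of findings; an empty list means no mismatch was found."""
    findings = []
    opts = domain_options(conf_text, domain)
    principals = keytab_principals(ktutil_listing)

    authid = opts.get("ldap_sasl_authid")
    if authid is None:
        findings.append("ldap_sasl_authid is not set; sssd will derive a name from the hostname")
    else:
        primary, _, realm = authid.partition("@")
        if not primary.endswith("$"):
            findings.append("%s has no trailing '$'; a machine account principal needs it" % authid)
        if realm and realm != realm.upper():
            findings.append("realm in %s is not uppercase" % authid)
        if authid not in principals:
            same_ci = sorted(p for p in principals if p.lower() == authid.lower())
            if same_ci:
                # Denis's point: the comparison is done letter by letter.
                findings.append("%s differs only in case from keytab entry %s" % (authid, same_ci[0]))
            else:
                findings.append("%s is not in the keytab at all" % authid)

    # Rowland's fix: with id_provider = ad, krb5_keytab was the option that
    # took effect in this thread; ldap_krb5_keytab alone was not honoured.
    if opts.get("id_provider") == "ad" and "ldap_krb5_keytab" in opts and "krb5_keytab" not in opts:
        findings.append("only ldap_krb5_keytab is set; try krb5_keytab = %s" % opts["ldap_krb5_keytab"])
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSSD_CONF, SAMPLE_KTUTIL_LISTING) or ["no mismatch found"]:
        print(finding)
```

Run as-is it prints the two findings for the constructed input; to check a real client, read /etc/sssd/sssd.conf and the pasted ktutil output into the two strings (klist -k output can be parsed the same way, since it has the same KVNO-then-principal columns).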

Cyril Lalinne

Dec 20, 2013, 5:16:26 AM
> Well, that looks ok, but how did you create the keytab? I seem to
> remember that you copied it across from the server, so who does it
> belong to and what are the permissions? I have samba running on my
> client and joined the machine to the domain and /etc/krb5.keytab was
> created, owned by root:root and rw only for root.
>
> Looking at what you posted, it seems that it cannot find your
> principal in the default keytab, does this mean that it is looking for
> /etc/krb5.keytab ?
>
> Rowland
I created the keytab on the DC with the following commands:

# samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=myserver$
# chown root:root /etc/krb5.sssd.keytab
# chmod 600 /etc/krb5.sssd.keytab

Then, as Steve asked me to, I copied it to the workstation with scp.

In the sssd.conf file, on the workstation, I have the option:
ldap_krb5_keytab = /etc/krb5.sssd.keytab


But Steve also said:
"using the machine key that was generated
in /etc/krb5.conf when the client joined the domain?"

The workstation didn't join the domain. Is that the issue?

Cyril

Rowland Penny

Dec 20, 2013, 5:21:31 AM
What is in your smb.conf and what is the error you get when trying to join?
I do not think that you have to join the domain but it is easier if you do.

Rowland

Cyril Lalinne

Dec 20, 2013, 5:26:03 AM
I don't have a smb.conf file as I didn't install any samba package on
the workstation.
I'm trying to allow authentication with sssd via Kerberos on the samba4 AD.

That's why I'm surprised about the "when the client joined the domain"

Cyril

Cyril

Dec 20, 2013, 5:44:30 AM
> OK, try changing (in /etc/sssd/sssd.conf)
>
> 'ldap_krb5_keytab = /etc/krb5.sssd.keytab'
>
> To
>
> 'krb5_keytab = /etc/krb5.sssd.keytab'
>
> Rowland
>
Excellent!

That's working now!!

(Fri Dec 20 11:24:08 2013) [sssd[be[default]]]
[sdap_set_sasl_options](0x2000): authid contains realm [SUBDOMAIN.DOMAIN.FR]
(Fri Dec 20 11:24:08 2013) [sssd[be[default]]]
[sdap_set_sasl_options](0x0100): Will look for srvdata$@AD.3D-COM.FR in
/etc/krb5.sssd.keytab
(Fri Dec 20 11:24:08 2013)
[sssd[be[default]]][select_principal_from_keytab] (0x0200): trying to
select the most appropriate principal from keytab
(Fri Dec 20 11:24:08 2013) [sssd[be[default]]][find_principal_in_keytab]
(0x4000): Trying to find principal myserver$@SUBDOMAIN.DOMAIN.FR in keytab.
(Fri Dec 20 11:24:08 2013) [sssd[be[default]]]
[match_principal](0x1000): Principal matched to the sample
(myserver$@SUBDOMAIN.DOMAIN.FR).
(Fri Dec 20 11:24:08 2013)
[sssd[be[default]]][select_principal_from_keytab] (0x0200): Selected
primary: myserver$
(Fri Dec 20 11:24:08 2013)
[sssd[be[default]]][select_principal_from_keytab] (0x0200): Selected
realm: SUBDOMAIN.DOMAIN.FR
(Fri Dec 20 11:24:08 2013) [sssd[be[default]]]
[be_process_init](0x2000): ACCESS backend target successfully loaded
from provider [ad].

getent passwd
getent group

give me domain users and groups!!

Thanks Rowland
Thanks Steve
Thanks all


I'll do some more testing. Re-try on a fresh install
And I'll do a summary.

steve

Dec 20, 2013, 8:19:55 AM
On Fri, 2013-12-20 at 10:37 +0100, Cyril wrote:

> kinit myserver$@SUBDOMAIN.DOMAIN.FR
> It also asks me for a password but the admin's one doesn't work.
>

Eh? You don't need a password. You already have the key!
kinit -k -t /etc/krb5.sssd.keytab myserver$

Could you post the output of that command?

> Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR
> first, before generating the keytab on the DC?
>
You already have the principal. It was created when you joined the
machine to the domain.

HTH
Steve

steve

Dec 20, 2013, 8:29:07 AM
On Fri, 2013-12-20 at 11:26 +0100, Cyril Lalinne wrote:

> I'm trying to allow authentication with sssd via Kerberos on the samba4 AD.
>
> That's why I'm surprised about the "when the client joined the domain"


Ah, so that's what you want to do. Using samba it's easy. Install enough
of samba to get the net command. Usually samba-client is enough:

Remove the myserver$ machine account on the DC.

On the client make a token /etc/samba/smb.conf:

workgroup = your.dc.hostname
realm = SUBDOMAIN.DOMAIN.FR
security = ADS
kerberos method = system keytab

Then it's just:
net ads join -UAdministrator

Cyril

Dec 20, 2013, 8:37:22 AM
Le 20/12/2013 14:29, steve a écrit :
> On Fri, 2013-12-20 at 11:26 +0100, Cyril Lalinne wrote:
>
>> I'm trying to allow authentication with sssd via Kerberos on the samba4 AD.
>>
>> That's why I'm surprised about the "when the client joined the domain"
>
>
> Ah, so that's what you want to do. Using samba it's easy. Install enough
> of samba to get the net command. Usually samba-client is enough:
>
> Remove the myserver$ machine account on the DC.
>
> On the client make a token /etc/samba/smb.conf:
>
> workgroup = your.dc.hostname
> realm = SUBDOMAIN.DOMAIN.FR
> security = ADS
> kerberos method = system keytab
>
> Then it's just:
> net ads join -UAdministrator
>
> HTH
> Steve


I'm not sure I explained myself very well.

I want users to be able to log on to workstations (Linux and Windows) with
the profile I create in the samba4 domain.
On Windows that already works fine.
I'm dealing with Linux workstations now, with native tools.

I'm trying to make it work with sssd and Kerberos, without samba.

Cyril

Cyril

Dec 20, 2013, 8:40:27 AM
Le 20/12/2013 14:19, steve a écrit :
> On Fri, 2013-12-20 at 10:37 +0100, Cyril wrote:
>
>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>> It also asks me for a password but the admin's one doesn't work.
>>
>
> Eh? You don't need a password. You already have the key!
> kinit -k -t /etc/krb5.sssd.keytab myserver$
>
> Could you post the output of that command?
>

That gives me nothing. No error, no warning.
It didn't ask me for any password.


>> Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR
>> first, before generating the keytab on the DC?
>>
> You already have the principal. It was created when you joined the
> machine to the domain.

Oh, you mean joining the myserver machine!

>
> HTH
> Steve

Cyril

Dec 20, 2013, 8:48:05 AM
>
> I'll do some more testing. Re-try on a fresh install
> And I'll do a summary.
>
>
> Cyril
>

I still have an issue:

When installing libpam-sss,
there's a dependency on libpam-pwquality (>= 1.2.2-1)
But I can't find it in Ubuntu 12.04.

So I deactivated the PPA for sssd

And I installed an older version of libnss-sss.

Now if I try to open a session on the workstation:

with "NT4Domain/MyUser"
Dec 20 13:47:12 cyril-VB lightdm: pam_sss(lightdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=NT4Domain/MyUser
Dec 20 13:47:12 cyril-VB lightdm: pam_sss(lightdm:auth): received for
user NT4Domain/MyUser: 10 (User not known to the underlying
authentication module)

with "Myuser"
Dec 20 14:07:55 cyril-VB lightdm: pam_succeed_if(lightdm:auth):
requirement "user ingroup nopasswdlogin" not met by user "Myuser"
Dec 20 14:07:59 cyril-VB lightdm: pam_unix(lightdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=Myuser
Dec 20 14:07:59 cyril-VB lightdm: pam_sss(lightdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=Myuser
Dec 20 14:07:59 cyril-VB lightdm: pam_sss(lightdm:auth): received for
user Myuser: 9 (Authentication service cannot retrieve authentication info)

"Myuser" is an existing user on the domain and it does have Unix
attributes (UID and GID)

Is there any way to install libpam-pwquality manually or from any PPA,
and then use the newer libnss-sss?

steve

Dec 20, 2013, 8:52:32 AM
On Fri, 2013-12-20 at 14:37 +0100, Cyril wrote:

> Le 20/12/2013 14:29, steve a écrit :
> > On Fri, 2013-12-20 at 11:26 +0100, Cyril Lalinne wrote:
> >
> >> I'm trying to allow authentication with sssd via Kerberos on the samba4 AD.
> >>
> >> That's why I'm surprised about the "when the client joined the domain"
> >
> >
> > Ah, so that's what you want to do. Using samba it's easy. Install enough
> > of samba to get the net command. Usually samba-client is enough:
> >
> > Remove the myserver$ machine account on the DC.
> >
> > On the client make a token /etc/samba/smb.conf:
> >
> > workgroup = your.dc.hostname
> > realm = SUBDOMAIN.DOMAIN.FR
> > security = ADS
> > kerberos method = system keytab
> >
> > Then it's just:
> > net ads join -UAdministrator
> >
> > HTH
> > Steve
>
>
> I'm not sure I explained myself very well.
>
> I want users to be able to log on to workstations (Linux and Windows) with
> the profile I create in the samba4 domain.
> On Windows that already works fine.
> I'm dealing with Linux workstations now, with native tools.
>
> I'm trying to make it work with sssd and Kerberos, without samba.
>
> Cyril
>
>
Yes, OK. As you now have getent passwd working with sssd, id will
also work and that in turn will enable your users to authenticate
against your Samba4 DC.

Just from curiosity, how are you sharing the user data on the Linux
clients? Do you have the user folder information in AD too?

Cheers,
Steve

steve

Dec 20, 2013, 9:00:19 AM
On Fri, 2013-12-20 at 14:40 +0100, Cyril wrote:

> Le 20/12/2013 14:19, steve a écrit :
> > On Fri, 2013-12-20 at 10:37 +0100, Cyril wrote:
> >
> >> kinit myserver$@SUBDOMAIN.DOMAIN.FR
> >> It also asks me for a password but the admin's one doesn't work.
> >>
> >
> > Eh? You don't need a password. You already have the key!
> > kinit -k -t /etc/krb5.sssd.keytab myserver$
> >
> > Could you post the output of that command?
> >
>
> That gives me nothing. No error, no warning.
> It didn't ask me for any password.
>

OK. So it worked.


>
> >> Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR
> >> first, before generating the keytab on the DC?
> >>
> > You already have the principal. It was created when you joined the
> > machine to the domain.
>
> Oh, you mean joining the myserver machine!
>

No, I'm sorry. The post crossed. I now know that the machine is not
joined to the domain using samba. You do somehow however, have a key for
the machine.

And, from your other posts, your domain users can now authenticate on
the Linux client.

Cyril

Dec 20, 2013, 9:00:55 AM

It's not working fine with Ubuntu 12.04 as I had to use a PPA for sssd
and I cannot install libpam-sss due to an unresolved dependency.
So I'm using an older libpam-sss but while authenticating, I get the error:
pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0
tty=:1 ruser= rhost= user=NT4Domain/MyUser

I'll try on Ubuntu 13.10.
Unless there's a way to install the dependency manually


> Just from curiosity, how are you sharing the user data on the Linux
> clients? Do you have the user folder information in AD too?
>
> Cheers,
> Steve
>

It's not done, but I plan to use NFS and automount to link users' home
directories to a shared folder on the network.
On Windows workstations, the home folder is linked to a network drive letter.

I'm wondering if I can put home directories and Windows profiles in the
same shared folder ...


Cyril

steve

Dec 20, 2013, 9:05:07 AM
On Fri, 2013-12-20 at 14:48 +0100, Cyril wrote:
> >
> > I'll do some more testing. Re-try on a fresh install
> > And I'll do a summary.
> >
> >
> > Cyril
> >
>
> I still have an issue:
>
> When installing libpam-sss,
> there's a dependency on libpam-pwquality (>= 1.2.2-1)
> But I can't find it in Ubuntu 12.04.
>
> So I deactivated the PPA for sssd
>
> And I installed an older version of libnss-sss.
>
> Now if I try to open a session on the workstation:
>
> with "NT4Domain/MyUser"
> Dec 20 13:47:12 cyril-VB lightdm: pam_sss(lightdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=NT4Domain/MyUser
> Dec 20 13:47:12 cyril-VB lightdm: pam_sss(lightdm:auth): received for
> user NT4Domain/MyUser: 10 (User not known to the underlying
> authentication module)
>
> with "Myuser"
> Dec 20 14:07:55 cyril-VB lightdm: pam_succeed_if(lightdm:auth):
> requirement "user ingroup nopasswdlogin" not met by user "Myuser"
> Dec 20 14:07:59 cyril-VB lightdm: pam_unix(lightdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=Myuser
> Dec 20 14:07:59 cyril-VB lightdm: pam_sss(lightdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=Myuser
> Dec 20 14:07:59 cyril-VB lightdm: pam_sss(lightdm:auth): received for
> user Myuser: 9 (Authentication service cannot retrieve authentication info)
>
> "Myuser" is an existing user on the domain and it does have Unix
> attributes (UID and GID)
>
> Is there any way to install libpam-pwquality manually or from any PPA,
> and then use the newer libnss-sss?
>
>
> Cyril
>

Yep, OK. As I predicted, pam is the next issue.

It looks like you have a different /etc/pam.d/common-auth to the one you
originally posted. Can you post the latest version?

I'm not sure if
pam-auth-update
is new enough to include sssd yet, but could you give it a go anyway?
Steve

steve

Dec 20, 2013, 9:11:07 AM
> :pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0
> tty=:1 ruser= rhost= user=NT4Domain/MyUser
>
> I'll try on Ubuntu 13.10.
> Unless there's a way to install the dependency manually

I'd guess that the pam versions must match the sssd version. Maybe
that's one for the Ubuntu list or the guy who maintains the ppa?

>
>
> > Just from curiosity, how are you sharing the user data on the Linux
> > clients? Do you have the user folder information in AD too?
> >
> > Cheers,
> > Steve
> >
>
> It's not done, but I plan to use NFS and automount to link users' home
> directories to a shared folder on the network.
> On Windows workstations, the home folder is linked to a network drive letter.
>
> I'm wondering if I can put home directories and Windows profiles in the
> same shared folder ...

Yes, of course. I'd recommend automounted cifs. You then have as near as
damn it:
Linux workstation == Windows workstation

Good luck,

steve

Dec 20, 2013, 9:15:01 AM
On Fri, 2013-12-20 at 15:00 +0100, Cyril wrote:

>
> I'll try on Ubuntu 13.10.
> Unless there's a way to install the dependency manually

If you want it to just work without any further fiddling (and are up for
a challenge) then how about building sssd from source? You're then
guaranteed the correct version of pam sss to match the sssd binary.
1.11.13 was released yesterday:
https://fedorahosted.org/released/sssd/sssd-1.11.3.tar.gz

Cyril

Dec 20, 2013, 9:24:16 AM
Le 20/12/2013 15:11, steve a écrit :
> On Fri, 2013-12-20 at 15:00 +0100, Cyril wrote:
>> I'll try on Ubuntu 13.10.
>> Unless there's a way to install the dependency manually
>
> I'd guess that the pam versions must match the sssd version. Maybe
> that's one for the Ubuntu list or the guy who maintains the ppa?
>
>>
>>
>>> Just from curiosity, how are you sharing the user data on the Linux
>>> clients? Do you have the user folder information in AD too?
>>>
>>> Cheers,
>>> Steve
>>>
>>
>> It's not done, but I plan to use NFS and automount to link users' home
>> directories to a shared folder on the network.
>> On Windows workstations, the home folder is linked to a network drive letter.
>>
>> I'm wondering if I can put home directories and Windows profiles in the
>> same shared folder ...
>
> Yes, of course. I'd recommend automounted cifs. You then have as near as
> damn it:
> Linux workstation == Windows workstation
>
> Good luck,
> Steve
>
>
Ok thanks
Cyril

Cyril

Dec 20, 2013, 9:25:45 AM
Le 20/12/2013 15:15, steve a écrit :
> On Fri, 2013-12-20 at 15:00 +0100, Cyril wrote:
>
>>
>> I'll try on Ubuntu 13.10.
>> Unless there's a way to install the dependency manually
>
> If you want it to just work without any further fiddling (and are up for
> a challenge) then how about building sssd from source? You're then
> guaranteed the correct version of pam sss to match the sssd binary.
> 1.11.13 was released yesterday:
> https://fedorahosted.org/released/sssd/sssd-1.11.3.tar.gz
>
> Steve
>
>
Yes why not ...

I'm installing dependencies manually, but I don't think it will be stable.

I'll do that as the next attempt.

Cyril

Dec 20, 2013, 9:28:56 AM
Le 20/12/2013 15:05, steve a écrit :
> On Fri, 2013-12-20 at 14:48 +0100, Cyril wrote:
>>>
>>> I'll do some more testing. Re-try on a fresh install
>>> And I'll do a summary.
>>>
>>>
>>> Cyril
>>>
>>
>> I still have an issue:
>>
>> When installing libpam-sss,
>> there's a dependency on libpam-pwquality (>= 1.2.2-1)
>> But I can't find it in Ubuntu 12.04.
>>
>> So I deactivated the PPA for sssd
>>
>> And I installed an older version of libnss-sss.
>>
>> Now if I try to open a session on the workstation:
>>
>> with "NT4Domain/MyUser"
>> Dec 20 13:47:12 cyril-VB lightdm: pam_sss(lightdm:auth): authentication
>> failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=NT4Domain/MyUser
>> Dec 20 13:47:12 cyril-VB lightdm: pam_sss(lightdm:auth): received for
>> user NT4Domain/MyUser: 10 (User not known to the underlying
>> authentication module)
>>
>> with "Myuser"
>> Dec 20 14:07:55 cyril-VB lightdm: pam_succeed_if(lightdm:auth):
>> requirement "user ingroup nopasswdlogin" not met by user "Myuser"
>> Dec 20 14:07:59 cyril-VB lightdm: pam_unix(lightdm:auth): authentication
>> failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=Myuser
>> Dec 20 14:07:59 cyril-VB lightdm: pam_sss(lightdm:auth): authentication
>> failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=Myuser
>> Dec 20 14:07:59 cyril-VB lightdm: pam_sss(lightdm:auth): received for
>> user Myuser: 9 (Authentication service cannot retrieve authentication info)
>>
>> "Myuser" is an existing user on the domain and it does have Unix
>> attributes (UID and GID)
>>
>> Is there any way to install libpam-pwquality manually or from any PPA,
>> and then use the newer libnss-sss?
>>
>>
>> Cyril
>>
>
> Yep, OK. As I predicted, pam is the next issue.
>
> It looks like you have a different /etc/pam.d/common-auth to the one you
> originally posted. Can you post the latest version?
>
> I'm not sure if
> pam-auth-update
> is new enough to include sssd yet, but could you give it a go anyway?
> Steve
>
>
Here is the common-auth after a pam-auth-update

# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config

steve

Dec 20, 2013, 10:18:22 AM
Mmm. Looks complex. On an openSUSE client, we have simply:

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth required pam_sss.so use_first_pass

I know Ubuntu like to do it a la Debian so maybe not take too much
notice of that, and anyway, you need a pam_sss.so which is sssd version
friendly first. We'll also need to look at session. Meanwhile, good luck
with the build.
Steve
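Why the login attempts in this thread end in a refusal is easier to see by stepping through the PAM control flags. The evaluator below is an added example, not part of the thread: it parses the two auth stacks quoted above (Cyril's Ubuntu common-auth and Steve's openSUSE one) and applies Linux-PAM's semantics for required, requisite, sufficient, optional and the [success=N default=ignore] jump form to a constructed table of per-module results; no real PAM module is loaded. With pam_sss returning an error, as in the auth.log lines Cyril posted, both stacks deny the login; with pam_sss succeeding, the Ubuntu stack jumps over pam_deny to pam_permit.

```python
"""Trace how a PAM 'auth' stack arrives at its verdict.

Added example, not from the thread.  It implements the Linux-PAM control
semantics (required, requisite, sufficient, optional and the
[success=N default=ignore] form) and feeds the two stacks quoted in the
thread a constructed table of per-module results; no PAM module is loaded.
"""
import re

# Cyril's Ubuntu common-auth as generated by pam-auth-update.
UBUNTU_COMMON_AUTH = """\
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

# Steve's openSUSE stack.
OPENSUSE_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth required pam_sss.so use_first_pass
"""

# Modules whose result does not depend on the user (constructed table).
FIXED_RESULTS = {
    "pam_permit.so": "success",
    "pam_deny.so": "auth_err",
    "pam_env.so": "success",
    "pam_cap.so": "success",
}

AUTH_LINE = re.compile(r"^auth\s+(\[[^\]]+\]|\S+)\s+(\S+)")


def parse_stack(text):
    """Return [(control, module)] for each 'auth' line, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = AUTH_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def control_actions(control):
    """Expand a control field into {result: action}.

    An action is 'ok', 'done', 'die', 'bad', 'ignore' or an int meaning
    'ok, then skip that many entries' (Linux-PAM jump semantics)."""
    simple = {
        "required": {"success": "ok", "default": "bad"},
        "requisite": {"success": "ok", "default": "die"},
        "sufficient": {"success": "done", "default": "ignore"},
        "optional": {"success": "ok", "default": "ignore"},
    }
    if control in simple:
        return simple[control]
    actions = {}
    for token in control.strip("[]").split():
        key, _, value = token.partition("=")
        actions[key] = int(value) if value.isdigit() else value
    return actions


def run_stack(stack_text, user_results):
    """Evaluate the stack for a user whose modules return user_results
    (module file name -> 'success' or an error code such as 'auth_err').
    Modules with no entry fail.  Returns 'success' or 'denied'."""
    entries = parse_stack(stack_text)
    results = dict(FIXED_RESULTS)
    results.update(user_results)
    outcome = None          # None: no module has set a verdict yet
    i = 0
    while i < len(entries):
        control, module = entries[i]
        result = results.get(module, "auth_err")
        actions = control_actions(control)
        action = actions.get(result, actions.get("default", "bad"))
        skip = 0
        if isinstance(action, int):
            skip, action = action, "ok"
        if action in ("ok", "done"):
            if outcome is None:
                outcome = "success" if result == "success" else "failure"
            if action == "done" and outcome == "success":
                return "success"   # sufficient: stop early, no earlier failure
        elif action == "bad":
            outcome = "failure"    # required: remember, keep going
        elif action == "die":
            return "denied"        # requisite: stop immediately
        # "ignore": the result does not touch the verdict
        i += 1 + skip
    return "success" if outcome == "success" else "denied"


if __name__ == "__main__":
    sss_fails = {"pam_unix.so": "user_unknown", "pam_sss.so": "auth_err"}
    sss_ok = {"pam_unix.so": "user_unknown", "pam_sss.so": "success"}
    for name, stack in (("ubuntu", UBUNTU_COMMON_AUTH), ("opensuse", OPENSUSE_AUTH)):
        print(name, "pam_sss fails:", run_stack(stack, sss_fails))
        print(name, "pam_sss succeeds:", run_stack(stack, sss_ok))
```

On the Ubuntu stack, [success=2] on pam_unix skips both pam_sss and pam_deny for local users, while [success=1] on pam_sss skips only pam_deny, so a domain user needs pam_sss itself to succeed; the evaluator returns 'denied' whenever no module has recorded a success, which matches what Linux-PAM does with an undefined result.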

Rowland Penny

Dec 20, 2013, 10:59:15 AM
On 20/12/13 14:00, steve wrote:
> On Fri, 2013-12-20 at 14:40 +0100, Cyril wrote:
>> Le 20/12/2013 14:19, steve a écrit :
>>> On Fri, 2013-12-20 at 10:37 +0100, Cyril wrote:
>>>
>>>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>>>> It also asks me for a password but the admin's one doesn't work.
>>>>
>>> Eh? You don't need a password. You already have the key!
>>> kinit -k -t /etc/krb5.sssd.keytab myserver$
>>>
>>> Could you post the output of that command?
>>>
>> That gives me nothing. No error, no warning.
>> It didn't ask me for any password.
>>
> OK. So it worked.
>>>> Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR
>>>> first, before generating the keytab on the DC?
>>>>
>>> You already have the principal. It was created when you joined the
>>> machine to the domain.
>> Oh, you mean joining the myserver machine!
>>
> No, I'm sorry. The post crossed. I now know that the machine is not
> joined to the domain using samba. You do somehow however, have a key for
> the machine.
>
> And, from your other posts, your domain users can now authenticate on
> the Linux client.
>
> Cheers,
> Steve
>
>
OK, seeing as how it is Christmas, here is how to get libpam-pwquality
on Ubuntu precise, using the packages from Saucy ;-)

x86:
wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_i386.deb
wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_i386.deb
wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb

sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
sudo apt-get install libcrack2
sudo dpkg -i libpwquality1_1.2.3-1_i386.deb
sudo dpkg -i libpam-pwquality_1.2.3-1_i386.deb

x86_64:
wget http://fr.archive.ubuntu.com/ubuntu/pool/universe/libp/libpwquality/libpam-pwquality_1.2.3-1_amd64.deb
wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality1_1.2.3-1_amd64.deb
wget http://fr.archive.ubuntu.com/ubuntu/pool/main/libp/libpwquality/libpwquality-common_1.2.3-1_all.deb

sudo dpkg -i libpwquality-common_1.2.3-1_all.deb
sudo apt-get install libcrack2
sudo dpkg -i libpwquality1_1.2.3-1_amd64.deb
sudo dpkg -i libpam-pwquality_1.2.3-1_amd64.deb

and there you go!

Rowland

Cyril

Dec 20, 2013, 11:00:34 AM
I had a try with Ubuntu 13.10 to get newer versions of sssd and pam ...

I have the same issue.
I can do getent passwd and see domain users, but authentication at login
doesn't work.
I think there's still something wrong with my sssd.conf.

Here is the summary of what I did :


DC is CentOS 6.4
With SAMBA4 and a dhcp installed
DC Hostname : myserver
Realm and DNS domain name : subdomain.domain.fr
NT4 domain name : subdomain
IP : 192.168.1.7

Workstation is
Ubuntu 12.04 64Bit LTS
DHCP

I installed :
sudo apt-get install sssd sssd-tools krb5-user libnss-sss libpam-sss

If asked, configure the realm in uppercase
example : SUBDOMAIN.DOMAIN.FR

and check it in /etc/krb5.conf

copy / create sssd.conf

Update /etc/hosts and /etc/hostname so they contain the FQDN

copy keytab from server

sudo scp root@myserver:/etc/krb5.sssd.keytab /etc/krb5.sssd.keytab

Update PAM :

sudo pam-auth-update

start sssd

Allow manual login in LightDM
/etc/lightdm/lightdm.conf
or /etc/lightdm/lightdm.conf.d/10-ubuntu.conf
Append :
greeter-show-manual-login=true

I can see the workstation in the DNS zone
but not in the list of computers of the domain

Reboot and ..

Still not working :

lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0
euid=0 tty=:1 ruser= rhost= user=Myuser

lightdm: pam_sss(lightdm:auth): received for user Myuser: 9
(Authentication service cannot retrieve authentication info)

in the auth.log file.


Cyril

Cyril

Dec 20, 2013, 11:08:32 AM

I already had a try and I have the same error when I use Ubuntu 13.10 :

lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0
euid=0 tty=:1 ruser= rhost= user=Myuser
lightdm: pam_sss(lightdm:auth): received for user Myuser: 9
(Authentication service cannot retrieve authentication info)
in the auth.log file.

getent passwd works but not the authentication.

I suppose there's still something wrong with the sssd.conf file.

Rowland Penny

Dec 20, 2013, 11:19:21 AM
OK, do you have libpam-krb5 installed ? On my laptop (running Linux Mint
15) I find this in auth.log:

mdm[1843]: pam_krb5(mdm:auth): user rowland authenticated as
row...@HOME.LAN

Rowland

Cyril

Dec 20, 2013, 11:28:14 AM
For me, that means that you're authenticating to the Kerberos database. You
have a principal rowland in the Kerberos base.
I don't want to use this authentication, because that means having two
databases : OpenLDAP and Kerberos.

I'm trying to authenticate with LDAP information.
If I understand well, the Kerberos layer is there to encrypt the
communication between sssd and AD (LDAP).

Cyril

Rowland Penny

Dec 20, 2013, 11:34:04 AM
I do not have any OpenLDAP or Kerberos databases, I am authenticating to
a Samba4 server, just like you are.

If you do not have libpam-krb5 installed, just try installing it, you
never know, it just might cure your problems.

Rowland

Rowland Penny

Dec 20, 2013, 11:41:13 AM
On 20/12/13 16:37, Cyril Lalinne wrote:
> OpenLDAP and Kerberos are integrated to Samba4 server.
>
> And you're right ! I'd rather have a try !!
> Back in a sec.
>
> Cyril
>
>
OK, I will give you that Kerberos is built into Samba4 but OpenLDAP
isn't, Samba4 uses AD, but what I meant was that I wasn't using separate
databases, I was just using the same as you and as far as I could see
the only thing you were missing was libpam-krb5

Cyril

Dec 20, 2013, 11:56:49 AM
OK ... I thought there was an OpenLDAP inside.

And that's working better with libpam-krb5. :-)

Now, at the login screen, I have a message about my password that will
expire.
But I can't open a session
lightdm: pam_krb5(lightdm:auth): user clalinne authenticated as
clal...@SUBDOMAIN.DOMAIN.FR
lightdm: gkr-pam: error looking up user information
lightdm: pam_unix(lightdm:account): could not identify user (from
getpwnam(clalinne))

Cyril

Rowland Penny

Dec 20, 2013, 12:21:24 PM
OK, does the user's unix home directory (as set in the user's
unixHomeDirectory attribute) exist on the client that they are trying to
log into ?

If not add this to the end of /etc/pam.d/common-session:

session required pam_mkhomedir.so skel=/etc/skel umask=0022

and install libpam-modules and then try again.

Rowland

Cyril Lalinne

Dec 20, 2013, 11:37:26 AM

steve

Dec 20, 2013, 1:33:18 PM
On Fri, 2013-12-20 at 17:00 +0100, Cyril wrote:

> I can do getent passwd and see domain users,

Cyril, believe me. Many here never get anywhere near that. DON'T touch
sssd.conf. Yet.

> but authentication at login
> doesn't work.
> I think there's still something wrong with my sssd.conf.

No, no. Absolutely not. It's pam that is not working now.

I believe that xmas has come early however elsewhere in the thread:)
Steve
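The thread passes through two distinct failure stages (pam_sss answering 9 while getent works, then pam_unix's account stage failing after pam_krb5 succeeds), plus the sssd keytab errors quoted further down. As an added example, not code from anyone in the thread, here is a small Python triage that classifies such log lines by the layer that failed and pairs them with the fix the thread settled on; hostname ws1, user jdoe and realm EXAMPLE.REALM in the sample lines are constructed.

```python
import re
# Message shapes taken from the log excerpts quoted in this thread; the advice
# paraphrases the replies that resolved each symptom.  First matching rule wins.
RULES = (
    # PAM "auth" stage: pam_sss got return code 9 back from sssd.
    (re.compile(r"pam_sss\(\w+:auth\): received for user (?P<user>\S+): 9\b"),
     "pam-auth", "sssd could not authenticate: check the auth/krb5 settings and "
     "keytab in sssd.conf and rerun pam-auth-update; the workaround was libpam-krb5"),
    # PAM "auth" stage succeeded through pam_krb5.
    (re.compile(r"pam_krb5\(\w+:auth\): user (?P<user>\S+) authenticated as "),
     "pam-auth-ok", "Kerberos authentication succeeded; later failures are account/session"),
    # PAM "account" stage: getpwnam() failed for the user who just authenticated.
    (re.compile(r"pam_unix\(\w+:account\): could not identify user \(from getpwnam\((?P<user>[^)]+)\)\)"),
     "pam-account", "NSS cannot resolve the user: check 'passwd: ... sss' in nsswitch.conf, "
     "that sssd runs and uidNumber/unixHomeDirectory are set; pam_mkhomedir.so makes the home"),
    # sssd backend never started: keytab or machine principal problems.
    (re.compile(r"\[find_principal_in_keytab\].*krb5_kt_start_seq_get failed"),
     "sssd-backend", "keytab unreadable or absent: check its path and permissions"),
    (re.compile(r"\[select_principal_from_keytab\].*No suitable principal"),
     "sssd-backend", "ldap_sasl_authid (CLIENT$@REALM) matches no keytab entry: "
     "verify with kinit -k -t <keytab> 'CLIENT$'"),
)

def classify(line):
    """Return (layer, user, advice) for a recognised line, else None."""
    for pattern, layer, advice in RULES:
        match = pattern.search(line)
        if match:
            return layer, match.groupdict().get("user"), advice
    return None

def triage(lines):
    """Group recognised lines by failing layer: {layer: [(user, advice), ...]}."""
    found = {}
    for line in lines:
        hit = classify(line)
        if hit:
            found.setdefault(hit[0], []).append(hit[1:])
    return found

def verdict(found):
    """Name the layer to fix first, in the order the thread worked through them."""
    if "sssd-backend" in found:
        return "sssd backend: fix sssd.conf and the keytab before touching PAM"
    if "pam-account" in found and "pam-auth-ok" in found:
        return "account stage: authentication works, fix NSS and the home directory"
    if "pam-auth" in found:
        return "auth stage: lookups work but PAM authentication fails"
    return "no known symptom found"

# Constructed sample lines modelled on the excerpts quoted in the thread
# (hostname ws1, user jdoe and realm EXAMPLE.REALM are made up).
SAMPLE_AUTH_LOG = [
    "Dec 20 16:55:01 ws1 lightdm: pam_sss(lightdm:auth): authentication failure;"
    " logname= uid=0 euid=0 tty=:1 ruser= rhost= user=Myuser",
    "Dec 20 16:55:01 ws1 lightdm: pam_sss(lightdm:auth): received for user Myuser:"
    " 9 (Authentication service cannot retrieve authentication info)",
]
SAMPLE_AFTER_PAM_KRB5 = [
    "Dec 20 17:50:12 ws1 lightdm: pam_krb5(lightdm:auth): user jdoe authenticated"
    " as jdoe@EXAMPLE.REALM",
    "Dec 20 17:50:12 ws1 lightdm: pam_unix(lightdm:account): could not identify"
    " user (from getpwnam(jdoe))",
]
SAMPLE_SSSD_LOG = [
    "(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [find_principal_in_keytab]"
    " (0x0020): krb5_kt_start_seq_get failed.",
    "(Fri Dec 20 09:28:31 2013) [sssd[be[default]]] [select_principal_from_keytab]"
    " (0x0080): No suitable principal found in keytab",
]

if __name__ == "__main__":
    for sample in (SAMPLE_AUTH_LOG, SAMPLE_AFTER_PAM_KRB5, SAMPLE_SSSD_LOG):
        print(verdict(triage(sample)))
```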

L.P.H. van Belle

Dec 23, 2013, 4:50:54 AM


I don't know if anybody noticed the following

>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>
>>>>>>>>>>> passwd: compat sss
>>>>>>>>>>> group: compat sss
>>>>>>>>>>> shadow: compat
>>>>>>>>>>>
>>>>>>>>>>> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>>>>>>>> networks: files

Which can cause resolving problems.
>>>>>>>>>>> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
change it to :
hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4

greetz,

Louis



>-----Oorspronkelijk bericht-----
>Van: cyril....@3d-com.fr
>[mailto:samba-...@lists.samba.org] Namens Cyril
>Verzonden: vrijdag 20 december 2013 10:37
>Aan: sa...@lists.samba.org
>Onderwerp: Re: [Samba] Linux client of the domain - SSSD :
>authenticating via Kerberos
>
>Le 19/12/2013 19:16, steve a écrit :
>> On Thu, 2013-12-19 at 18:11 +0000, Rowland Penny wrote:
>>> On 19/12/13 18:00, Cyril wrote:
>>>> Le 19/12/2013 18:16, steve a écrit :
>>>>> On Thu, 2013-12-19 at 18:00 +0100, Cyril Lalinne wrote:
>>>>>> Le 19/12/2013 17:53, Rowland Penny a écrit :
>>>>>>> On 19/12/13 16:46, Cyril wrote:
>>>>>>>> Le 19/12/2013 17:42, Rowland Penny a écrit :
>>>>>>>>> On 19/12/13 16:22, steve wrote:
>>>>>>>>>> On Thu, 2013-12-19 at 16:17 +0000, Rowland Penny wrote:
>>>>>>>>>>> On 19/12/13 15:53, Cyril wrote:
>>>>>>>>>>>> Le 19/12/2013 16:05, steve a écrit :
>>>>>>>>>>>>> On Thu, 2013-12-19 at 14:27 +0100, Cyril wrote:
>>>>>>>>>>>>>> Le 18/12/2013 15:40, Cyril a écrit :
>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I think I'm starting to understand how Linux client can be
>>>>>>>>>>>>>>> integrated
>>>>>>>>>>>>>>> into a samba domain.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Tell me if I'm wrong :
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Linux clients don't need Samba for authentication, only the
>>>>>>>>>>>>>>> ldap
>>>>>>>>>>>>>>> part of
>>>>>>>>>>>>>>> samba.
>>>>>>>>>>>>>>> sssd through kerberos get information from ldap. If the
>>>>>>>>>>>>>>> user is
>>>>>>>>>>>>>>> known or
>>>>>>>>>>>>>>> get the right, he can log.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So why should I need to install winbind and samba4 on the
>>>>>>>>>>>>>>> linux
>>>>>>>>>>>>>>> client ?
>>>>>>>>>>>>>>> Is it only if I have a Windows AD ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>> Cyril
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I can't get sssd working and I don't know why.
>>>>>>>>>>>>> Hi
>>>>>>>>>>>>> Please post the censored content of:
>>>>>>>>>>>>> /etc/sssd/sssd.conf
>>>>>>>>>>>>> and the passwd and group greps of:
>>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>> and, for later:
>>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>> Steve
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> The workstation is an Ubuntu 12.04 LTS 64Bit
>>>>>>>>>>>>
>>>>>>>>>>>> /etc/sssd/sssd.conf :
>>>>>>>>>>>>
>>>>>>>>>>>> [sssd]
>>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>>> domains = default
>>>>>>>>>>>>
>>>>>>>>>>>> [nss]
>>>>>>>>>>>>
>>>>>>>>>>>> [pam]
>>>>>>>>>>>>
>>>>>>>>>>>> [domain/default]
>>>>>>>>>>>> ad_hostname = myserver.sub-domain.domain.fr
>>>>>>>>>>>> ad_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>> ad_domain = sub-domain.domain.fr
>>>>>>>>>>>>
>>>>>>>>>>>> ldap_schema = ad
>>>>>>>>>>>> id_provider = ad
>>>>>>>>>>>> access_provider = simple
>>>>>>>>>>>>
>>>>>>>>>>>> # on large directories, you may want to disable enumeration for
>>>>>>>>>>>> performance reasons
>>>>>>>>>>>> enumerate = true
>>>>>>>>>>>>
>>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>>> ldap_sasl_mech = gssapi
>>>>>>>>>>>> ldap_sasl_authid = myse...@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>> krb5_realm = SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>> krb5_server = myserver.sub-domain.domain.fr
>>>>>>>>>>>> krb5_kpasswd = myserver.sub-domain.domain.fr
>>>>>>>>>>>> ldap_krb5_keytab = /etc/krb5.sssd.keytab
>>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>>
>>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>>> ldap_uri = ldap://myserverIPadress
>>>>>>>>>>>> ldap_search_base = dc=subdomain,dc=domain,dc=fr
>>>>>>>>>>>>
>>>>>>>>>>>> dyndns_update=false
>>>>>>>>>>>>
>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>
>>>>>>>>>>>> passwd: compat sss
>>>>>>>>>>>> group: compat sss
>>>>>>>>>>>> shadow: compat
>>>>>>>>>>>>
>>>>>>>>>>>> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>>>>>>>>> networks: files
>>>>>>>>>>>>
>>>>>>>>>>>> protocols: db files
>>>>>>>>>>>> services: db files
>>>>>>>>>>>> ethers: db files
>>>>>>>>>>>> rpc: db files
>>>>>>>>>>>>
>>>>>>>>>>>> netgroup: nis
>>>>>>>>>>>> sudoers: files sss
>>>>>>>>>>>>
>>>>>>>>>>>> /etc/pam.d/common-auth
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> # here are the per-package modules (the "Primary" block)
>>>>>>>>>>>> auth [success=1 default=ignore] pam_unix.so nullok_secure
>>>>>>>>>>>> # here's the fallback if no module succeeds
>>>>>>>>>>>> auth requisite pam_deny.so
>>>>>>>>>>>> # prime the stack with a positive return value if there isn't one
>>>>>>>>>>>> already;
>>>>>>>>>>>> # this avoids us returning an error just because nothing sets a
>>>>>>>>>>>> success code
>>>>>>>>>>>> # since the modules above will each just jump around
>>>>>>>>>>>> auth required pam_permit.so
>>>>>>>>>>>> # and here are more per-package modules (the "Additional" block)
>>>>>>>>>>>> auth optional pam_cap.so
>>>>>>>>>>>> # end of pam-auth-update config
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Cyril
>>>>>>>>>>>>
>>>>>>>>>>> As Steve says, might as well start with a new sssd.conf, here is a
>>>>>>>>>>> working (sanitized) version from the laptop I am typing on ;-)
>>>>>>>>>>>
>>>>>>>>>>> [sssd]
>>>>>>>>>>> config_file_version = 2
>>>>>>>>>>> domains = default
>>>>>>>>>>> services = nss, pam
>>>>>>>>>>>
>>>>>>>>>>> [nss]
>>>>>>>>>>>
>>>>>>>>>>> [pam]
>>>>>>>>>>>
>>>>>>>>>>> [domain/default]
>>>>>>>>>>> description = AD domain with Samba 4 server
>>>>>>>>>>> cache_credentials = true
>>>>>>>>>>> enumerate = true
>>>>>>>>>>> id_provider = ldap
>>>>>>>>>>> auth_provider = krb5
>>>>>>>>>>> chpass_provider = krb5
>>>>>>>>>>> access_provider = ldap
>>>>>>>>>>> autofs_provider = ldap
>>>>>>>>>>> sudo_provider = ldap
>>>>>>>>>>>
>>>>>>>>>>> krb5_server = your.Samba4server.FQDN
>>>>>>>>>>> krb5_kpasswd = your.Samba4server.FQDN
>>>>>>>>>>> krb5_realm = UPPERCASE.REALM
>>>>>>>>>>>
>>>>>>>>>>> ldap_referrals = false
>>>>>>>>>>> ldap_schema = rfc2307bis
>>>>>>>>>>> ldap_access_order = expire
>>>>>>>>>>> ldap_account_expire_policy = ad
>>>>>>>>>>> ldap_force_upper_case_realm = true
>>>>>>>>>>>
>>>>>>>>>>> ldap_user_object_class = user
>>>>>>>>>>> ldap_user_name = sAMAccountName
>>>>>>>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>>>>>>>> ldap_user_principal = userPrincipalName
>>>>>>>>>>>
>>>>>>>>>>> ldap_group_object_class = group
>>>>>>>>>>> ldap_group_name = sAMAccountName
>>>>>>>>>>>
>>>>>>>>>>> ldap_sasl_mech = GSSAPI
>>>>>>>>>>> ldap_sasl_authid = UPPERCASE_CLIENTNAME$@UPPERCASE.REALM
>>>>>>>>>>> ldap_krb5_init_creds = true
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>> @Rowland
>>>>>>>>>> Is the OP on sssd <= 1.9.x ?
>>>>>>>>>> Steve
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> He posted earlier that he was using Ubuntu 12.04, so I suggested
>>>>>>>>> that he
>>>>>>>>> used the sssd ppa. I believe that he is now using this ppa and if
>>>>>>>>> so, he
>>>>>>>>> should be using 1.11.1
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>> Yes that's what I did.
>>>>>>>>
>>>>>>>> But I think Steve would like to know the version on the laptop you're
>>>>>>>> currently using.
>>>>>>>>
>>>>>>> Thanks for confirming that, but you are the 'OP' he referred to, OP =
>>>>>>> original poster
>>>>>>>
>>>>>>> Rowland
>>>>>>
>>>>>> :-)
>>>>>>
>>>>>> Cyril
>>>>>
>>>>> OK. Glad we've got that one sorted.
>>>>>
>>>>> Just for completeness, here's a working 1.11.1 sssd.conf with all the ad
>>>>> and autofs bits:
>>>>> [sssd]
>>>>> #debug_level = 9
>>>>> services = nss, pam, autofs
>>>>> config_file_version = 2
>>>>> domains = default
>>>>>
>>>>> [nss]
>>>>>
>>>>> [pam]
>>>>>
>>>>> [autofs]
>>>>>
>>>>> [domain/default]
>>>>> #debug_level = 9
>>>>> dyndns_update=true
>>>>> #dyndns_refresh_interval = 8
>>>>> ad_hostname = catral.hh3.site
>>>>> ad_server = hh16.hh3.site
>>>>> ad_domain = hh3.site
>>>>>
>>>>> ldap_schema = ad
>>>>> id_provider = ad
>>>>> access_provider = ad
>>>>> enumerate = false
>>>>> cache_credentials = true
>>>>> #entry_cache_timeout = 60
>>>>> auth_provider = ad
>>>>> chpass_provider = ad
>>>>> krb5_realm = hh3.site
>>>>> krb5_server = hh16.hh3.site
>>>>> krb5_kpasswd = hh16.hh3.site
>>>>>
>>>>> ldap_id_mapping=false
>>>>> ldap_referrals = false
>>>>> ldap_uri = ldap://hh16.hh3.site
>>>>> ldap_search_base = dc=hh3,dc=site
>>>>> ldap_user_object_class = user
>>>>> ldap_user_name = samAccountName
>>>>> ldap_user_uid_number = uidNumber
>>>>> ldap_user_gid_number = gidNumber
>>>>> ldap_user_home_directory = unixHomeDirectory
>>>>> ldap_user_shell = loginShell
>>>>> ldap_group_object_class = group
>>>>> ldap_group_search_base = dc=hh3,dc=site
>>>>> ldap_group_name = cn
>>>>> ldap_group_member = member
>>>>>
>>>>> ldap_sasl_mech = gssapi
>>>>> ldap_sasl_authid = CATRAL$@HH3.SITE
>>>>> krb5_keytab = /etc/krb5.keytab
>>>>> ldap_krb5_init_creds = true
>>>>>
>>>>> autofs_provider=ldap
>>>>>
>>>>> #ldap_autofs_search_base =
>>>>> CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
>>>>> #ldap_autofs_map_object_class = nisMap
>>>>> #ldap_autofs_entry_object_class = nisObject
>>>>> #ldap_autofs_map_name = nisMapName
>>>>> #ldap_autofs_entry_key = cn
>>>>> #ldap_autofs_entry_value = nisMapEntry
>>>>>
>>>>> ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
>>>>> ldap_autofs_map_object_class = automountMap
>>>>> ldap_autofs_entry_object_class = automount
>>>>> ldap_autofs_map_name = automountMapName
>>>>> ldap_autofs_entry_key = automountKey
>>>>> ldap_autofs_entry_value = automountInformation
>>>>>
>>>>>
>>>>> Please note that we must canonicalise IP's. We must use a DNS resolvable
>>>>> name, NOT a series of numbers. I think.
>>>>>
>>>>> HTH
>>>>> Steve
>>>>>
>>>>>
>>>>
>>>> I made an error on :
>>>> ldap_sasl_authid, I forgot the $ sign
>>>> ad_hostname, I used the server name instead of the workstation's one
>>>>
>>>> But it is still not working.
>>>> But I have more information from sssd's log as I use debug_level = 9.
>>>>
>>>> May be an interesting one :
>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [select_principal_from_keytab]
>>>> (0x0200): trying to select the most appropriate principal from keytab
>>>> (Thu Dec 19 18:47:52 2013) [sssd[be[default]]] [find_principal_in_keytab]
>>>> (0x0020): krb5_kt_start_seq_get failed.
>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [select_principal_from_keytab]
>>>> (0x0080): No suitable principal found in keytab
>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]]
>>>> [ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [load_backend_module]
>>>> (0x0010): Error (2) in module (ad) initialization (sssm_ad_id_init)!
>>>> (Thu Dec 19 18:47:56 2013) [sssd[be[default]]] [be_process_init]
>>>> (0x0010): fatal error initializing data providers
>>>>
>>>> There's an issue with kerberos.
>>>>
>>>> Does the keytab have to be local ?
>>>> Or does the system use the server one ?
>>>>
>>>> Cyril
>>>>
>>>>
>>>>
>>>>
>>> If you use samba, then, when you join the machine to the domain, a
>>> keytab should be created '/etc/krb5.keytab' , are you using this keytab?
>>
>> No. The OP is using a samba-tool generated keytab
>> at /etc/krb5.sssd.keytab
>>
>> For simplicity, could I suggest using the machine key that was generated
>> in /etc/krb5.conf when the client joined the domain? Where is this
>> anyway? On a DC or on a client box?
>>
>> If you generated the keytab on the DC then of course it must be
>> transferred to the client using e.g. scp or a usb memory.
>>
>> Steve
>>
>>
>>> If unsure, have a look here:
>>>
>https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
>>>
>>> For 'Windows 2008 Server Setup' read 'Samba 4 Server Setup', ignore the
>>> bit about about creating a keytab on the windows server.
>>>
>>> Rowland
>>
>>
>I copied the file /etc/krb5.sssd.keytab on the workstation.
>
>I had to reboot the workstation. Restarting the sssd service just hangs.
>And I still have the same error :
>
>(Fri Dec 20 09:28:31 2013) [sssd[be[default]]]
>[sdap_set_sasl_options](0x2000): authid contains realm
>[SUBDOMAIN.DOMAIN.FR]
>(Fri Dec 20 09:28:31 2013) [sssd[be[default]]]
>[sdap_set_sasl_options](0x0100): Will look for
>myserver$@SUBDOMAIN.DOMAIN.FR in default keytab
>(Fri Dec 20 09:28:31 2013)
>[sssd[be[default]]][select_principal_from_keytab] (0x0200): trying to
>select the most appropriate principal from keytab
>(Fri Dec 20 09:28:31 2013)
>[sssd[be[default]]][find_principal_in_keytab]
>(0x0020): krb5_kt_start_seq_get failed.
>(Fri Dec 20 09:28:31 2013)
>[sssd[be[default]]][select_principal_from_keytab] (0x0080): No
>suitable
>principal found in keytab
>(Fri Dec 20 09:28:31 2013) [sssd[be[default]]]
>[ad_set_ad_id_options](0x0040): Cannot set the SASL-related options
>(Fri Dec 20 09:28:31 2013) [sssd[be[default]]]
>[load_backend_module](0x0010): Error (2) in module (ad) initialization
>(sssm_ad_id_init)!
>(Fri Dec 20 09:28:31 2013) [sssd[be[default]]]
>[be_process_init](0x0010): fatal error initializing data providers
>
>If I run on the workstation :
>kinit admini...@SUBDOMAIN.DOMAIN.FR
>It asks me the admin password, then I have the warning message about
>expiration.
>kinit myserver$@SUBDOMAIN.DOMAIN.FR
>It also asks me for a password, but the admin's one doesn't work.
>
>Am I supposed to create this principal myserver$@SUBDOMAIN.DOMAIN.FR
>first, before generating the keytab on the DC ?
>
>Cyril

Cyril

Dec 23, 2013, 8:05:09 AM
Le 20/12/2013 18:21, Rowland Penny a écrit :
> On 20/12/13 16:56, Cyril wrote:
>> Le 20/12/2013 17:41, Rowland Penny a écrit :
>>> On 20/12/13 16:37, Cyril Lalinne wrote:
>>>>
>>>> Le 20/12/2013 17:34, Rowland Penny a écrit :
>>>>> On 20/12/13 16:28, Cyril wrote:
>>>>>> Le 20/12/2013 17:19, Rowland Penny a écrit :
>>>>>>> On 20/12/13 16:08, Cyril wrote:
>>>>>>>> Le 20/12/2013 16:59, Rowland Penny a écrit :
>>>>>>>>> On 20/12/13 14:00, steve wrote:
>>>>>>>>>> On Fri, 2013-12-20 at 14:40 +0100, Cyril wrote:
>>>>>>>>>>> Le 20/12/2013 14:19, steve a écrit :
>>>>>>>>>>>> On Fri, 2013-12-20 at 10:37 +0100, Cyril wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> kinit myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>> It also asks me for a password, but the admin's one doesn't work.
>>>>>>>>>>>>>
>>>>>>>>>>>> Eh? You don't need a password. You already have the key!
>>>>>>>>>>>> kinit -k -t /etc/krb5.sssd.keytab myserver$
>>>>>>>>>>>>
>>>>>>>>>>>> Could you post the output of that command?
>>>>>>>>>>>>
>>>>>>>>>>> That gives me nothing. No error, no warning.
>>>>>>>>>>> It didn't ask me for any password.
>>>>>>>>>>>
>>>>>>>>>> OK. So it worked.
>>>>>>>>>>>>> Am I supposed to create this principal
>>>>>>>>>>>>> myserver$@SUBDOMAIN.DOMAIN.FR
>>>>>>>>>>>>> first, before generating the keytab on the DC ?
>>>>>>>>>>>>>
>>> OK, I will give you that Kerberos is built into Samba4 but openLDAP
>>> isn't, Samba4 uses AD, but what I meant was that I wasn't using separate
>>> databases, I was just using the same as you and as far as I could see
>>> the only thing you were missing was libpam-krb5
>>>
>>> Rowland
>>>
>> OK ... I thought there was an OpenLDAP inside.
>>
>> And that's working better with libpam-krb5. :-)
>>
>> Now, at the login screen, I have a message about my password that will
>> expire.
>> But I can't open a session
>> lightdm: pam_krb5(lightdm:auth): user clalinne authenticated as
>> clal...@SUBDOMAIN.DOMAIN.FR
>> lightdm: gkr-pam: error looking up user information
>> lightdm: pam_unix(lightdm:account): could not identify user (from
>> getpwnam(clalinne))
>>
>> Cyril
>>
> OK, does the users unix home directory (as set in the users
> unixHomeDirectory attribute) exist on the client that they are trying to
> log into ?
>
> If not add this to the end of /etc/pam.d/common-session:
>
> session required pam_mkhomedir.so skel=/etc/skel umask=0022
>
> and install libpam-modules and then try again.
>
> Rowland
>
I did it, then I wasn't able to log in even with local users.
Maybe I should have updated PAM and checked the PAM files before logging out : I
didn't run pam-auth-update.

As this Christmas tree is getting bigger and bigger ...
I'll copy/paste your advice / explanations on a page and I'll start from
scratch on another VM.

Let's see if I can get as near to the solution as I was ...

steve

Dec 23, 2013, 8:12:12 AM
On Mon, 2013-12-23 at 14:05 +0100, Cyril wrote:

> I did it, then I wasn't able to log in even with local users.
> Maybe I should have updated PAM and checked the PAM files before logging out : I
> didn't run pam-auth-update.

Looks like you learned the hard way. PAM can lock everyone out. ALWAYS
keep a spare root terminal or six open. Back up a working /etc/pam.d and
be prepared to rescue boot to restore it.
Cheers,
Steve
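Steve's lock-out warning can be checked mechanically before logging out. As an added example (not code from anyone in the thread), here is a Python sanity check over common-auth and common-session that looks for the pitfalls discussed above: no pam_unix.so left for local users, no pam_sss.so or pam_krb5.so for domain users, a hand-edited [success=N] jump that lands on pam_deny.so, and a missing pam_mkhomedir.so. The file contents used as input are constructed, modelled on the common-auth quoted in the thread and on Rowland's pam_mkhomedir line.

```python
import re

# One pam.d line: "<type> <control> <module> [args...]"; the control may be a
# bracketed action list such as [success=2 default=ignore].
PAM_LINE = re.compile(r"^(?P<type>auth|account|password|session)\s+"
                      r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")
SUCCESS_JUMP = re.compile(r"\[.*\bsuccess=(?P<n>\d+)\b.*\]")

def parse_pam(text):
    """Return [(type, control, module, args)] with comments and blanks dropped."""
    entries = []
    for raw in text.splitlines():
        match = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if match:
            entries.append((match["type"], match["control"], match["module"],
                            match["args"].split()))
    return entries

def check_stack(common_auth, common_session):
    """Return [(severity, message)] for the pitfalls hit in this thread; [] means OK."""
    findings = []
    auth = [e for e in parse_pam(common_auth) if e[0] == "auth"]
    mods = [e[2] for e in auth]
    if "pam_unix.so" not in mods:
        findings.append(("error", "pam_unix.so missing from auth: local users and root are locked out"))
    if not {"pam_sss.so", "pam_krb5.so"} & set(mods):
        findings.append(("error", "no pam_sss.so or pam_krb5.so in auth: domain users cannot log in"))
    # Debian's "Primary" block: every [success=N] must jump past pam_deny.so onto
    # pam_permit.so; a hand-edited count that lands on pam_deny.so rejects the login.
    if "pam_deny.so" not in mods:
        findings.append(("warn", "no pam_deny.so fallback in auth"))
    else:
        deny = mods.index("pam_deny.so")
        for i, (_, control, module, _) in enumerate(auth[:deny]):
            jump = SUCCESS_JUMP.search(control)
            if jump and i + int(jump["n"]) + 1 <= deny:
                findings.append(("error", "%s success=%s lands on or before pam_deny.so"
                                 % (module, jump["n"])))
    session_mods = [e[2] for e in parse_pam(common_session) if e[0] == "session"]
    if "pam_mkhomedir.so" not in session_mods:
        findings.append(("warn", "pam_mkhomedir.so not in session: a user whose "
                                 "unixHomeDirectory does not exist yet fails at login"))
    return findings

# Constructed inputs: the first common-auth mirrors the one quoted in the thread
# (pam_unix.so only, so no domain login); the second is modelled on what
# pam-auth-update writes once libpam-sss is installed; the third is that file
# with a wrong jump count, the kind of hand edit that locks local users out.
AUTH_LOCAL_ONLY = """\
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""
AUTH_WITH_SSS = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
AUTH_BAD_JUMP = AUTH_WITH_SSS.replace("success=2", "success=1", 1)
SESSION_BARE = "session required pam_unix.so\n"
SESSION_MKHOMEDIR = SESSION_BARE + "session required pam_mkhomedir.so skel=/etc/skel umask=0022\n"

if __name__ == "__main__":
    for severity, message in check_stack(AUTH_LOCAL_ONLY, SESSION_BARE):
        print(severity, message)
```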

Cyril

Dec 24, 2013, 6:03:26 AM
Le 23/12/2013 10:50, L.P.H. van Belle a écrit :
>
>
> I don't know if anybody noticed the following
>
>>>>>>>>>>>> /etc/nsswitch.conf
>>>>>>>>>>>>
>>>>>>>>>>>> passwd: compat sss
>>>>>>>>>>>> group: compat sss
>>>>>>>>>>>> shadow: compat
>>>>>>>>>>>>
>>>>>>>>>>>> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
>>>>>>>>>>>> networks: files
>
> Which can cause resolving problems.
>>>>>>>>>>>> hosts: files mdns4_minimal dns [NOTFOUND=return] mdns4
> change it to :
> hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4
>
> greetz,
>
> Louis
>

I didn't have issues with resolving ( I may have later ...)

But that can help ...

Thanks
Cyril