Topic: Experiences with sssd?

zentypenguin

  • Zen Apprentice
  • *
  • Posts: 30
  • Karma: +0/-0
Experiences with sssd?
« on: March 20, 2013, 06:51:46 pm »
Hello,

Does anybody have positive experiences with sssd for connecting a Linux box to the Zentyal server?

I played around for a while, but I haven't been successful yet.

I can get a Kerberos ticket for my user with kinit and klist, but nothing else for the moment.

What do I have to do to make the following work:

- Login with a Zentyal user
- Access to the user's folders on the server
- Possibility to login offline, without a connection to the server (laptop)
- maybe more ...

Thank you for your hints,

Ralf

Marcus

  • Forum Moderator
  • Zen Samurai
  • *****
  • Posts: 395
  • Karma: +12/-0
Re: Experiences with sssd?
« Reply #1 on: March 25, 2013, 12:46:15 pm »
Hello zentypenguin,

Please excuse my ignorance, but... what is sssd?

Best,

Marcus

zentypenguin

  • Zen Apprentice
  • *
  • Posts: 30
  • Karma: +0/-0
Re: Experiences with sssd?
« Reply #2 on: March 25, 2013, 01:13:07 pm »
Hi Marcus,

sssd means System Security Services Daemon.

I found a hint some months ago in the Zentyal wiki and thought it fit my needs, but after a while the link was broken. Now, last week, I recognized it again here:

http://trac.zentyal.org/wiki/Documentation/Community/Development/sssd

By the way, the link is broken here:

http://trac.zentyal.org/wiki/Documentation/Community/Document/SingleZentyal#LinuxClientconfiguration

Maybe somebody can fix it?

So, last weekend I started configuring and I was successful. Using an LMDE client, a user configured on the Zentyal server is able to log in. Now I am trying to write documentation about my experiences and, when I have solved some other problems I found, I will try to write a howto.

If I get the time, I will post my first experiences here this evening.

Have a nice day,

Ralf

zentypenguin

  • Zen Apprentice
  • *
  • Posts: 30
  • Karma: +0/-0
Re: Experiences with sssd?
« Reply #3 on: March 26, 2013, 11:25:05 pm »
This is my configuration for now:

Following these instructions: http://trac.zentyal.org/wiki/Documentation/Community/Development/sssd

My /etc/krb5.conf looks like this:
Code:
[libdefaults]
    default_realm = <% kerberos realm %>
    dns_lookup_kdc = true
    dns_lookup_realm = true
    # enctype names corrected: "dec-cbc-crc" is a typo for des-cbc-crc
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    preferred_enctypes   = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
...

After installing sssd and heimdal-clients, create /etc/sssd/sssd.conf and set its permissions to 600. This is my config:
Code:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = SOLARIS

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
filter_groups = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
reconnection_retries = 3

[pam]
reconnection_retries = 3
offline_credentials_expiration = 0

[domain/SOLARIS]
description = LDAP Domain with AD Server
debug_level = 9

min_id = 1000

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://deep-thought.solaris.home:390
ldap_search_base = dc=solaris,dc=home
ldap_schema = rfc2307bis
enumerate = True
cache_credentials = True
ldap_default_bind_dn = cn=zentyal,dc=solaris,dc=home
ldap_default_authtok_type = password
ldap_default_authtok = mypasswordfoundinldap

krb5_server = deep-thought.solaris.home:8880
krb5_realm = SOLARIS.HOME

I had to open "LDAP" in the firewall, because the LDAP default port 389 was open but 390 was filtered.

This is my /etc/nsswitch.conf:
Code:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat sss

netgroup:       nis sss

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

Additionally, I added these lines to my /etc/pam.d/common-session:
Code:
session optional pam_umask.so
# pam_mkhomedir takes skel=DIR and umask=MASK as single tokens (no spaces around "=")
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
When a user logs in for the first time, a home directory will be created.

After restarting sssd I noticed that sssd resolved the external IP address of my server, so I configured my /etc/hosts like this to force resolution of the internal IP address:
Code:
192.168.0.200 deep-thought.solaris.home
Maybe I can solve this problem in a different way?

With
Code:
getent passwd
the users configured only on the server appeared.

With kinit username@DOMAIN.NAME I can log in. With klist I can list the Kerberos ticket.

Now I can log in with a server user, and it's possible to log in offline, too.

Maybe this configuration has to be optimized, but I'm lucky that it works for the moment.

Some things are not solved yet. For example, I can neither see nor change file or directory permissions on a Samba share. Only "unknown" is displayed for user, group or permission in my file manager. Same on my Windows box.

Any idea what might be wrong there?

Thanks a lot,

Ralf

(I hope I didn't forget something.)
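The configuration above is the kind of thing that is easy to get subtly wrong: the file holds an LDAP bind password, so its mode matters; the `ldap://` URI is plaintext; offline_credentials_expiration = 0 keeps cached credentials valid forever; and an enctype name with a typo is silently useless. The following linter is an added example written for this thread (it is not code from the thread, from sssd or from Zentyal) that parses an sssd.conf and the [libdefaults] part of a krb5.conf and reports those conditions. The sample configs embedded in it are constructed from the values posted above (with a placeholder bind password and a deliberately typo'd enctype), and the severity labels and the lists of known and weak enctype names are the author's own choices.

```python
"""Lint an sssd.conf / krb5.conf pair for common client-side mistakes (added example)."""
import configparser

# Enctype names a Kerberos client commonly accepts; anything else is probably a typo (assumed list).
KNOWN_ENCTYPES = {
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "aes256-cts", "aes128-cts",
    "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128",
    "des3-cbc-sha1", "des3-hmac-sha1",
    "arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac",
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
}
# RC4 and single DES are broken/deprecated.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac",
                 "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# Constructed sample modelled on the thread's sssd.conf (bind password is a placeholder).
SAMPLE_SSSD = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = SOLARIS

[pam]
offline_credentials_expiration = 0

[domain/SOLARIS]
debug_level = 9
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://deep-thought.solaris.home:390
ldap_search_base = dc=solaris,dc=home
cache_credentials = True
ldap_default_bind_dn = cn=zentyal,dc=solaris,dc=home
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER-BIND-PASSWORD
krb5_server = deep-thought.solaris.home:8880
krb5_realm = SOLARIS.HOME
"""

# Constructed sample: unfilled wiki template placeholder plus a typo'd enctype ("dec-cbc-crc").
SAMPLE_KRB5 = """\
[libdefaults]
    default_realm = <% kerberos realm %>
    dns_lookup_kdc = true
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 dec-cbc-crc
"""


def lint_sssd_conf(text, mode=0o600):
    """Return (severity, message) findings for an sssd.conf body.

    `mode` is the file's permission bits (os.stat(path).st_mode & 0o777 for a
    real file); the default is the 600 the thread sets.
    """
    findings = []
    if mode & 0o077:
        findings.append(("high", "sssd.conf must be mode 600: it stores the LDAP bind password"))
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in domains:
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            findings.append(("high", f"{dom} is listed in [sssd] domains but [{sec}] is missing"))
            continue
        uri = cp.get(sec, "ldap_uri", fallback="")
        if uri.startswith("ldap://") and not cp.getboolean(sec, "ldap_id_use_start_tls", fallback=False):
            msg = f"{sec}: {uri} is plaintext LDAP"
            if cp.has_option(sec, "ldap_default_authtok"):
                msg += ("; the ldap_default_authtok bind password crosses the wire in clear "
                        "(use ldaps:// or ldap_id_use_start_tls = True)")
            findings.append(("high", msg))
        if cp.getint(sec, "debug_level", fallback=0) >= 6:
            findings.append(("low", f"{sec}: debug_level >= 6 logs request details; lower it once the client works"))
        if (cp.getboolean(sec, "cache_credentials", fallback=False)
                and cp.getint("pam", "offline_credentials_expiration", fallback=0) == 0):
            findings.append(("info", f"{sec}: offline logins enabled and cached credentials never expire "
                                     "(offline_credentials_expiration = 0)"))
    return findings


def lint_krb5_conf(text):
    """Return findings for [libdefaults] of a krb5.conf body.

    krb5.conf is not INI ([realms] nests braces), so only the flat
    [libdefaults] section is scanned, line by line.
    """
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "default_realm" and (not value or value.startswith("<%")):
            findings.append(("high", "default_realm is an unfilled template placeholder; set the real realm"))
        if key.endswith("enctypes"):
            names = set(value.split())
            weak, unknown = sorted(names & WEAK_ENCTYPES), sorted(names - KNOWN_ENCTYPES)
            if weak:
                findings.append(("medium", f"{key}: weak enctypes {', '.join(weak)} (RC4/DES); prefer AES"))
            if unknown:
                findings.append(("medium", f"{key}: unrecognised enctype name(s) {', '.join(unknown)}, probably a typo"))
    return findings


if __name__ == "__main__":
    for name, found in (("sssd.conf", lint_sssd_conf(SAMPLE_SSSD, mode=0o644)),
                        ("krb5.conf", lint_krb5_conf(SAMPLE_KRB5))):
        for sev, msg in found:
            print(f"{name} [{sev}] {msg}")
```

To run it against a real client, read the two files and pass `os.stat("/etc/sssd/sssd.conf").st_mode & 0o777` as `mode`. The offline-credentials finding is informational on purpose: for a laptop that must log in without the server it is the intended setting, but it is worth knowing that the cached hashes on that disk stay valid until the next online login.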