This is my configuration for now:
Following these instructions:
http://trac.zentyal.org/wiki/Documentation/Community/Development/sssd
My /etc/krb5.conf looks like this:
[libdefaults]
default_realm = <% kerberos realm %>
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
preferred_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
...
After installing sssd and heimdal-clients, create /etc/sssd/sssd.conf and set its permissions to 600. This is my config:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = SOLARIS
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
filter_groups = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
reconnection_retries = 3
[pam]
reconnection_retries = 3
offline_credentials_expiration = 0
[domain/SOLARIS]
description = LDAP Domain with AD Server
debug_level = 9
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://deep-thought.solaris.home:390
ldap_search_base = dc=solaris,dc=home
ldap_schema = rfc2307bis
enumerate = True
cache_credentials = True
ldap_default_bind_dn = cn=zentyal,dc=solaris,dc=home
ldap_default_authtok_type = password
ldap_default_authtok = mypasswordfoundinldap
krb5_server = deep-thought.solaris.home:8880
krb5_realm = SOLARIS.HOME
I had to open "LDAP" in the firewall, because ldap default port 389 was open, but 390 was filtered.
This is my /etc/nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat sss
group: compat sss
shadow: compat sss
netgroup: nis sss
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
Additionally I added these lines to my /etc/pam.d/common-session:
session optional pam_umask.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
If a user logs in the first time, a home directory will be created.
After restarting sssd I noticed that it resolved the external IP address of my server, so I configured my /etc/hosts like this to force resolving the internal IP address:
192.168.0.200 deep-thought.solaris.home
Maybe I can solve this problem in a different way?
With
getent passwd
the users configured on the server appeared.
With kinit username@DOMAIN.NAME I can log in. With klist I can list the Kerberos ticket.
Now I can log in with a user from the server; it's possible to log in offline, too.
Maybe this configuration has to be optimized, but I'm lucky that it works for the moment.
Some things are not solved yet. For example, I cannot see or change file or directory permissions of a Samba share. Only "unknown" is displayed for user, group or permission in my file manager. Same on my Windows box.
Any idea what might be wrong there?
Thanks a lot,
Ralf
(Hope I didn't forget something.)
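As an added example (not part of Ralf's post and not Zentyal's or SSSD's own code), here is a small Python lint for the security-relevant parts of an sssd.conf like the one posted above. It flags a stored LDAP bind password (ldap_default_authtok) that is sent over a plain ldap:// URI without StartTLS, cached credentials that never expire (cache_credentials = True with offline_credentials_expiration = 0, the default), and trace-level debug_level, and it checks that the file itself is root-owned and mode 0600. The sample configuration is constructed from the posted one with a placeholder password; the option names used are real sssd.conf options, and the hardened variant is one possible correction, not the only one.

```python
"""Lint the security-relevant settings of an sssd.conf (added example)."""
import configparser
import os
import stat

# Constructed sample modelled on the configuration posted above; the password
# is a placeholder, not a real credential.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = SOLARIS

[pam]
offline_credentials_expiration = 0

[domain/SOLARIS]
debug_level = 9
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://deep-thought.solaris.home:390
ldap_search_base = dc=solaris,dc=home
ldap_default_bind_dn = cn=zentyal,dc=solaris,dc=home
ldap_default_authtok_type = password
ldap_default_authtok = placeholder-bind-password
cache_credentials = True
"""

# The same domain with the three weak settings corrected (constructed):
# LDAP over TLS, cached logins limited to 7 days, moderate log level.
HARDENED_SSSD_CONF = SAMPLE_SSSD_CONF.replace(
    "offline_credentials_expiration = 0", "offline_credentials_expiration = 7"
).replace("debug_level = 9", "debug_level = 2").replace(
    "ldap_uri = ldap://deep-thought.solaris.home:390",
    "ldap_uri = ldaps://deep-thought.solaris.home:636",
)


def lint_sssd_conf(text):
    """Return a list of (section, finding) tuples for risky settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    # "0" (the default) means cached credentials never expire.
    never_expire = cp.get("pam", "offline_credentials_expiration", fallback="0").strip() == "0"

    for sec in cp.sections():
        if not sec.startswith("domain/"):
            continue
        d = cp[sec]
        uri = d.get("ldap_uri", "").strip()
        starttls = d.get("ldap_id_use_start_tls", "false").strip().lower() == "true"

        # A bind password in the file is only as safe as the channel it is sent over.
        if "ldap_default_authtok" in d and uri.startswith("ldap://") and not starttls:
            findings.append((sec, "bind password is sent over cleartext LDAP (%s); "
                                  "use ldaps:// or ldap_id_use_start_tls = true" % uri))

        if d.getboolean("cache_credentials", fallback=False) and never_expire:
            findings.append((sec, "cached credentials never expire; set "
                                  "offline_credentials_expiration in [pam] to a number of days"))

        # Only the 0-9 shorthand is handled here, not the hex bitmask form.
        level = d.get("debug_level", "0").strip()
        if level.isdigit() and int(level) >= 8:
            findings.append((sec, "debug_level %s is trace-level logging; "
                                  "lower it after troubleshooting" % level))

    return findings


def check_file_mode(st_mode, st_uid):
    """Findings for the file's own protection: sssd.conf must be root-owned and 0600."""
    findings = []
    if st_uid != 0:
        findings.append("not owned by root")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o is accessible to group or other; use 0600"
                        % stat.S_IMODE(st_mode))
    return findings


def check_conf_permissions(path="/etc/sssd/sssd.conf"):
    """Stat a real sssd.conf and apply check_file_mode to it."""
    st = os.stat(path)
    return check_file_mode(st.st_mode, st.st_uid)


if __name__ == "__main__":
    for sec, msg in lint_sssd_conf(SAMPLE_SSSD_CONF):
        print("[%s] %s" % (sec, msg))
    print("hardened config findings:", lint_sssd_conf(HARDENED_SSSD_CONF))
    if os.path.exists("/etc/sssd/sssd.conf"):
        print("file checks:", check_conf_permissions())
```

Run it as root on the box to also get the ownership and mode check against the real /etc/sssd/sssd.conf; the configuration lint itself works on any copy of the file.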