[Freeipa-users] Samba Authentication progres

Wed Dec 30 16:06:15 UTC 2015

He Alexander!

I saw your post some time form some time ago on your G+ page and I see
you guys are really making a lot of progres, there is a lot todo, but
it's great, really!

What you say is right, but I thought this was fixed by the newer SSSD
package from 1.12.2+ or so, need to check that out.

For the moment I cannot move to CentOS for this machine, I can
actually add another VM for Samba with CentOS, but also here I had an
issue in the past, CentOS 7 and IPA 4.

Which version should be working, so Distro (I prefer CentOS), IPA,
SSSD and Samba ?

If I know those, I can fire another test in minutes :)

Thanks and have a great new year ! (With MIT!)

Matt

2015-12-30 16:38 GMT+01:00 Alexander Bokovoy <abokovoy at redhat.com>:
> On Wed, 30 Dec 2015, Matt . wrote:
>>
>> Hi John,
>>
>> With which OS, package version and config ? On Ubuntu 15.10 I'm not
>> able it seems.
>
> That is purely issue of Ubuntu packaging:
> - Samba in Ubuntu 15.10 is built provide and use libwbclient.so.0.11
> - SSSD in Ubuntu 15.10 is built to provide libwbclient.so.0.12
>   -8<-8<-8<-
> root at u1510:~# ls -la /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11
> -rw-r--r-- 1 root root 43216 Nov 12 18:08
> /usr/lib/x86_64-linux-gnu/libwbclient.so.0.11
> root at u1510:~# ls -la
> /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0 -rw-r--r-- 1
> root root 35032 Sep  7 13:50
> /usr/lib/x86_64-linux-gnu/sssd/modules/libwbclient.so.0.12.0
>   ->8->8->8-
> - There are no alternatives configured to switch libwbclient to use
>   SSSD's version (Ubuntu packaging of Samba doesn't really know that
>   there could be an alternative implementation of libwbclient)
>
> So you Samba wouldn't be able to use the libwbclient provided by SSSD
> directly without special tricks or rebuilding.
>
> Furthermore, - Samba in Ubuntu 15.10 is built with Heimdal Kerberos, SSSD is
> built
>   with MIT Kerberos. When you enroll Ubuntu 15.10 client into FreeIPA,
>   it configures /etc/krb5.conf according to use of MIT Kerberos,
>   including default ccache location to be in the kernel keyring:
>   -8<-8<-8<-
> root at u1510:~# cat /etc/krb5.conf|grep default_ccache_name
>  default_ccache_name = KEYRING:persistent:%{uid}
>   ->8->8->8-
>
> This means that Samba will not be able to see default credentials cache
> as set up by SSSD for the user. Also, if you change default_ccache_name
> to be somewhere on file system, like FILE:/tmp/krb5cc_%{uid}, MIT
> Kerberos has some differences in the internal format of the credentials
> cache and applications compiled against Heimdal kerberos library will
> not be able to see some of the extended details in that ccache. While
> Heimdal and MIT Kerberos are mostly compatible on the wire, there are no
> promises of compatibility here for the credentials caches beyond the
> basics.
>
> Also, libldap is built against Heimdal in Ubuntu 15.10. This means that
> whenever SSSD starts using some advanced features provided by MIT
> Kerberos, LDAP libraries might fail to pick them up for SASL GSSAPI
> authentication. In most cases this would probably work fine but for
> cases like using kernel keyring it would fail miserably as well.
>
> So, really, there are issues with packaging that you might overcome by
> doing manual work of symlinking proper libraries like we did in Fedora
> in coordination between Samba and SSSD packages, but things still might
> not work unless you downgrade a common base to features supported by
> both Heimdal and MIT Kerberos. There are also practical issues of SSSD's
> ldap helper loading both MIT and Heimdal Kerberos code in the same
> process instance -- which is a disaster to happen when a function with
> the same name from one library is called on a structure allocated by
> another library.
>
> A proper solution would be to get Canonical more involved into the work
> we do with move of Samba to use MIT Kerberos for Samba AD as lack of MIT
> Kerberos support in Samba AD is what forces Debian and Ubuntu to stick
> to Heimdal (and Fedora to abstain from packaging Samba AD flavor for
> several years to avoid using Heimdal instead of MIT Kerberos). Until
> that happens, using Fedora/CentOS/RHEL is a better choice.
>
> --
> / Alexander Bokovoy