Performing verification for Jammy.
I set up a Samba Active Directory KDC on a Focal Server by:
You will need a 20.04 server instance, and a 20.04 Desktop instance.
1) Create a fresh 20.04 server instance
2) sudo apt update
3) sudo apt upgrade
4) sudo hostnamectl set-hostname samba-dc
5) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.199 samba-dc samba-dc.example.com
6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5
Note: skip config of kerberos KDC.
7) sudo rm /etc/krb5.conf
8) sudo rm /etc/samba/smb.conf
9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
11) sudo systemctl mask smbd nmbd winbind
12) sudo systemctl disable smbd nmbd winbind
13) sudo systemctl stop smbd nmbd winbind
14) sudo systemctl unmask samba-ad-dc
15) sudo systemctl start samba-ad-dc
16) sudo systemctl enable samba-ad-dc
17) sudo reboot
18) sudo systemctl stop systemd-resolved
19) sudo systemctl disable systemd-resolved
20) sudo tee -a /etc/resolv.conf << EOF
nameserver 192.168.122.199
search SAMBA
EOF
21) sudo reboot
22) host -t SRV _ldap._tcp.samba-dc.example.com
_ldap._tcp.samba-dc.example.com has SRV record 0 100 389 samba-dc.samba-dc.example.com.
23) $ smbclient -L localhost -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
sysvol Disk
netlogon Disk
IPC$ IPC IPC Service (Samba 4.13.17-Ubuntu)
SMB1 disabled -- no workgroup available
24) smbclient //localhost/netlogon -UAdministrator -c 'ls'
Password for [SAMBA\Administrator]:
. D 0 Tue Apr 8 03:17:16 2025
.. D 0 Tue Apr 8 03:17:18 2025
9974088 blocks of size 1024. 7847840 blocks available
25) kinit administrator
Password for [email protected]:
Warning: Your password will expire in 41 days on Mon Apr 08 13:20:04 2025
26) klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting       Expires              Service principal
04/08/25 03:20:04    04/08/25 13:20:04    krbtgt/[email protected]
        renew until 04/09/25 03:20:00
27) Create a share:
28) sudo mkdir -p /srv/samba/Demo/
29) sudo vim /etc/samba/smb.conf
[Demo]
path = /srv/samba/Demo/
read only = no
30) sudo chmod 0770 /srv/samba/Demo/
31) $ sudo samba-tool user create user1 --unix-home /home/user1 --login-shell /bin/bash --uid-number 10000 --gid-number 10000 --nis-domain samba-dc
New Password:
Retype Password:
User 'user1' added successfully
I then made a 22.04 Client and ran:
$ sudo apt install realmd smbclient
$ sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.199 samba-dc samba-dc.example.com
$ sudo realm join --user=Administrator SAMBA-DC.EXAMPLE.COM
$ getent passwd [email protected]
[email protected]:*:577001104:577000513:user1:/home/user1:/bin/bash
$ groups [email protected]
[email protected] : domain [email protected]
Okay, we currently have:
$ apt-cache policy sssd | grep Installed
Installed: 2.6.3-1ubuntu3.4
i.e. 2.6.3-1ubuntu3.4 from jammy-updates is installed.
$ sudo apt install krb5-user
samba-dc samba-dc.example.com
$ kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 41 days on Tue May 20 03:42:08 2025
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting       Expires              Service principal
04/08/25 04:13:56    04/08/25 14:13:56    krbtgt/[email protected]
        renew until 04/09/25 04:13:53
I edited /usr/share/pam-configs/sss-gssapi to have:
Name: SSS GSSAPI authentication
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
	[success=end default=ignore] pam_sss_gss.so debug
Auth-Initial:
	[success=end default=ignore] pam_sss_gss.so debug
$ sudo pam-auth-update
Add the following to /etc/sssd/sssd.conf under the Kerberos realm/domain section, then restart sssd:
[domain/realm section]
pam_gssapi_services = sudo, sudo-i
[pam]
pam_response_filter = ENV:KRB5CCNAME
# add yourself to /etc/sudoers.d/user_[username]
user1 ALL=(ALL) ALL
$ unset KRB5CCNAME
$ echo $KRB5CCNAME
$
KRB5CCNAME is not set.
$ sudo -i
pam_sss_gss: sss_cli_getenv() call failed [2]: No such file or directory
pam_sss_gss: User not found
[sudo] password for user1:
sudo: a password is required
Okay, I can reproduce the issue.
$ export KRB5CCNAME=/tmp/krb5cc_1000
$ sudo -i
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 10000
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: [email protected]
pam_sss_gss: User domain: SAMBA-DC.EXAMPLE.COM
pam_sss_gss: User principal:
pam_sss_gss: Target name: SAMBA-DC.EXAMPLE.COM
pam_sss_gss: Using ccache: default
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Switching euid from 10000 to 0
pam_sss_gss: Authentication successful
Things start working with KRB5CCNAME set.
I then enabled -proposed and installed sssd 2.6.3-1ubuntu3.5.
$ unset KRB5CCNAME
$ echo $KRB5CCNAME
$
KRB5CCNAME is not set.
$ sudo -i
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 10000
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: [email protected]
pam_sss_gss: User domain: SAMBA-DC.EXAMPLE.COM
pam_sss_gss: User principal:
pam_sss_gss: Target name: SAMBA-DC.EXAMPLE.COM
pam_sss_gss: Using ccache: default
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Switching euid from 10000 to 0
pam_sss_gss: Authentication successful
$ export KRB5CCNAME=/tmp/krb5cc_1000
$ sudo -i
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 10000
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: [email protected]
pam_sss_gss: User domain: SAMBA-DC.EXAMPLE.COM
pam_sss_gss: User principal:
pam_sss_gss: Target name: SAMBA-DC.EXAMPLE.COM
pam_sss_gss: Using ccache: default
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Switching euid from 10000 to 0
pam_sss_gss: Authentication successful
From my testing, sssd 2.6.3-1ubuntu3.5 from -proposed fixes the issue.
Karl has also tested the -proposed package and it works for him as well.
Happy to mark verified for jammy.
** Tags removed: verification-needed verification-needed-jammy
** Tags added: verification-done-jammy
--
https://bugs.launchpad.net/bugs/2103623
Title:
pam_sss_gss fails to work when KRB5CCNAME is not set
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
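The two scenarios above (sudo -i with KRB5CCNAME unset and with it set) are what an SRU verifier repeats by hand. The script below is an added example, not part of the bug report and not sssd's own code: it classifies a captured pam_sss_gss debug transcript as pass or fail, reports which credential cache the unset case should fall back to, and, when invoked with --live, runs both scenarios using sudo -n so a password prompt fails fast instead of blocking. The fallback name FILE:/tmp/krb5cc_<uid> is the MIT Kerberos default ccache and matches the klist output in the report; hosts configured for KEYRING or KCM caches would resolve differently, which the script does not model. The sample transcripts are constructed from the lines quoted in the report.

```shell
#!/bin/sh
# Added example (not from the Launchpad report or from sssd): helper checks for
# verifying pam_sss_gss behaviour with and without KRB5CCNAME in the environment.

# Credential cache the lookup should end up using: KRB5CCNAME when set, else the
# MIT Kerberos default FILE:/tmp/krb5cc_<uid>. Assumption: FILE-based default
# ccache as on the Jammy client in the report (KEYRING/KCM setups differ).
effective_ccache() {
    uid=$1
    if [ -n "$KRB5CCNAME" ]; then
        printf '%s\n' "$KRB5CCNAME"
    else
        printf 'FILE:/tmp/krb5cc_%s\n' "$uid"
    fi
}

# Classify a pam_sss_gss debug transcript captured from sudo's stderr:
#   fail    - sudo fell through to a password prompt (GSSAPI auth did not satisfy it)
#   pass    - "Authentication successful" and no password was demanded
#   unknown - neither marker present (debug logging probably not enabled)
# A password prompt is checked first so a transcript showing both is still a failure.
classify_gss_output() {
    out=$1
    if printf '%s\n' "$out" | grep -qE 'password is required|\[sudo\] password for'; then
        echo fail
    elif printf '%s\n' "$out" | grep -q 'pam_sss_gss: Authentication successful'; then
        echo pass
    else
        echo unknown
    fi
}

# Live scenario: run a harmless privileged command non-interactively and classify
# the pam_sss_gss output. Only used when the script is invoked with --live.
run_scenario() {
    label=$1
    out=$(sudo -n -i true 2>&1 || true)
    printf '%-18s ccache=%s result=%s\n' "$label" \
        "$(effective_ccache "$(id -u)")" "$(classify_gss_output "$out")"
}

# Constructed sample transcripts, taken from the lines quoted in the report.
SAMPLE_FAIL='pam_sss_gss: sss_cli_getenv() call failed [2]: No such file or directory
pam_sss_gss: User not found
[sudo] password for user1:
sudo: a password is required'

SAMPLE_PASS='pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 10000
pam_sss_gss: Trying to establish security context
pam_sss_gss: Using ccache: default
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Switching euid from 10000 to 0
pam_sss_gss: Authentication successful'

if [ "${1:-}" = --live ]; then
    unset KRB5CCNAME
    run_scenario "KRB5CCNAME unset"
    export KRB5CCNAME="FILE:/tmp/krb5cc_$(id -u)"
    run_scenario "KRB5CCNAME set"
fi
```

Run it as the domain user after kinit; both lines should report result=pass on the fixed sssd, while the unfixed package reports fail only for the unset case. Because sudo -n never prompts, the script can also be dropped into an unattended test run.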