Debian 13 (Trixie) Compatibility Changes for linuxmuster-linuxclient7 #83

@HappyBasher

Related branch: debian13

Summary created with the help of Claude AI (Sonnet 4.5)

Summary

Debian 13 changes the Kerberos ticket handling in PAM/SSSD, breaking the existing Active Directory authentication workflow. These modifications restore full functionality.

Required Changes

  1. /usr/lib/python3/dist-packages/linuxmusterLinuxclient7/ldapHelper.py

    • Problem:
      User Kerberos tickets are not available when LDAP queries are needed.

    • Solution:

      • Implement machine account fallback for LDAP authentication.
      • Changes in _connect() function:
        • When running as root: Use machine account Kerberos ticket (kinit -k HOSTNAME$@REALM)
        • When running as user: Use user's ticket if available (/tmp/krb5cc_<UID>)
        • Fall back gracefully if tickets are unavailable
    • Key code:

      ```python
      import os
      import socket
      import subprocess

      REALM = 'LINUXMUSTER.LAN'  # realm used throughout this issue
      # Machine account principal HOSTNAME$@REALM (derived from the short hostname)
      machine_principal = f"{socket.gethostname().split('.')[0].upper()}$@{REALM}"

      # For root processes
      if os.geteuid() == 0:
          kinit_result = subprocess.run(
              ['kinit', '-k', machine_principal],
              env={**os.environ, 'KRB5CCNAME': 'FILE:/tmp/krb5cc_0'},  # keep PATH etc.
          )
          os.environ['KRB5CCNAME'] = 'FILE:/tmp/krb5cc_0'
          # Then perform GSSAPI bind
      ```

  2. /usr/share/linuxmuster-linuxclient7/scripts/onLoginLogoutAsRoot

    • Problem:
      PAM does not create Kerberos tickets for users during login.

    • Solution:
      Create Kerberos tickets before the onLogin script runs.

    • Implementation:
      Add ticket creation logic in the if pamType == "open_session" block:

      • Check if valid ticket exists at /tmp/krb5cc_<UID>
      • Try to copy from SSSD cache (/var/lib/sss/db/ccache_<username>)
      • Try to copy from PAM-created tickets (/tmp/krb5cc_<UID>_*)
      • Fallback: Use machine account ticket for LDAP access
    • Critical for:

      • LDAP queries with GSSAPI
      • Mounting CIFS shares with sec=krb5
      • GPO processing
  3. /etc/pam.d/common-auth

    • Problem:
      PAM authentication stack does not trigger Kerberos ticket creation.

    • Solution:
      Configure pam_krb5 as primary authentication method.

    • Configuration:

      ```
      auth    sufficient                      pam_krb5.so minimum_uid=1000 ccache=/tmp/krb5cc_%u forwardable
      # success=2: a local pam_unix success must skip pam_sss AND pam_deny,
      # otherwise local accounts fall through to pam_deny.
      auth    [success=2 default=ignore]      pam_unix.so nullok try_first_pass
      auth    [success=1 default=ignore]      pam_sss.so use_first_pass
      auth    required                        pam_deny.so
      # pam_permit gives the success jumps a module to land on instead of the end of the stack.
      auth    required                        pam_permit.so
      ```

    • Key points:

      • pam_krb5.so must be sufficient (not optional)
      • Explicit ccache=/tmp/krb5cc_%u parameter required
      • forwardable flag enables ticket forwarding
  4. /etc/pam.d/common-session

    • Problem:
      Session setup does not maintain Kerberos tickets.

    • Solution:
      Add pam_krb5 session handler.

    • Configuration:

      ```
      session optional        pam_krb5.so minimum_uid=1000 ccache=/tmp/krb5cc_%u
      ```

  5. /etc/sssd/sssd.conf

    • Problem:
      SSSD does not store Kerberos tickets in expected location.

    • Solution:
      Configure explicit credential cache settings.

    • Required parameters:

      ```
      [domain/linuxmuster.lan]
      krb5_store_password_if_offline = True
      krb5_renewable_lifetime = 7d
      krb5_renew_interval = 3600
      krb5_ccache_dir = /tmp
      krb5_ccname_template = FILE:/tmp/krb5cc_%u
      ldap_krb5_keytab = /etc/krb5.keytab
      krb5_keytab = /etc/krb5.keytab
      auth_provider = ad
      # 'allow' accepts an unverifiable LDAP server certificate; prefer 'demand' once a CA is configured
      ldap_tls_reqcert = allow
      ```

    • Critical settings:

      • krb5_ccname_template must use absolute path (not %d)
      • krb5_keytab must point to system keytab
  6. /etc/krb5.conf

    • Problem:
      Default Kerberos configuration does not create file-based tickets.

    • Solution:
      Enforce FILE-based credential cache.

    • Configuration:

      ```
      [libdefaults]
          default_realm = LINUXMUSTER.LAN
          dns_lookup_realm = false
          dns_lookup_kdc = true
          ticket_lifetime = 24h
          renew_lifetime = 7d
          forwardable = true
          rdns = false
          default_ccache_name = FILE:/tmp/krb5cc_%{uid}

      [realms]
          LINUXMUSTER.LAN = {
              kdc = server.linuxmuster.lan
              admin_server = server.linuxmuster.lan
              default_domain = linuxmuster.lan
          }

      [domain_realm]
          .linuxmuster.lan = LINUXMUSTER.LAN
          linuxmuster.lan = LINUXMUSTER.LAN
      ```

  7. Optional: /etc/krb5.conf.d/pam_krb5.conf

    • Problem:
      pam_krb5 needs explicit configuration for ticket storage.

    • Solution:
      Create pam_krb5-specific configuration.

    • Content:

      ```
      [appdefaults]
          pam = {
              forwardable = true
              validate = false
              ccache = FILE:/tmp/krb5cc_%u
              existing_ticket = true
          }
      ```


Installation Steps

  • Install required packages:

    ```bash
    apt install libpam-krb5
    ```

  • Apply changes to Python files (ldapHelper.py, onLoginLogoutAsRoot)

  • Update PAM configuration files (common-auth, common-session)

  • Update SSSD and Kerberos configuration

  • Restart services:

    ```bash
    systemctl restart sssd
    systemctl restart gdm  # if using graphical login
    ```


Testing

```bash
# Test domain join
sudo linuxmuster-linuxclient7 setup

# Test user login
su - username@linuxmuster.lan

# Verify Kerberos ticket
klist

# Should show:
# Ticket cache: FILE:/tmp/krb5cc_<UID>
# Default principal: username@LINUXMUSTER.LAN

# Test LDAP connectivity (in onLogin script logs)
# Should NOT show "Cannot talk to LDAP" errors
```
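The ticket-discovery sequence described under item 2 (onLoginLogoutAsRoot), as an added example that is not the project's or the reporter's code: it checks /tmp/krb5cc_<UID>, then the SSSD cache, then PAM-created caches, copies the first valid one into place with mode 0600 from the moment it is created, and returns None where the machine-account fallback applies. The function names, the `is_valid` hook and the directory parameters are assumptions made so the logic can be exercised outside a domain-joined host.

```python
import glob
import os
import shutil
import subprocess
from typing import Callable, Optional


def klist_valid(ccache: str) -> bool:
    """True if `klist -s` finds a non-expired ticket in the given FILE ccache."""
    klist = shutil.which("klist")
    if klist is None:
        return False
    res = subprocess.run([klist, "-s"], env={**os.environ, "KRB5CCNAME": f"FILE:{ccache}"})
    return res.returncode == 0


def _copy_private(src: str, dst: str, uid: int) -> None:
    """Copy a ccache into place, created with 0600 so there is no readable window."""
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    os.chmod(dst, 0o600)                 # dst may have pre-existed with wider bits
    if os.geteuid() == 0:                # the hook runs as root: hand the cache to the user
        os.chown(dst, uid, -1)


def ensure_user_ccache(uid: int, username: str, tmp_dir: str = "/tmp",
                       sss_dir: str = "/var/lib/sss/db",
                       is_valid: Callable[[str], bool] = klist_valid) -> Optional[str]:
    """Return /tmp/krb5cc_<UID> holding a valid ticket, or None when the caller
    must fall back to the machine account ticket (kinit -k HOSTNAME$@REALM)."""
    target = os.path.join(tmp_dir, f"krb5cc_{uid}")
    if os.path.isfile(target) and is_valid(target):
        return target                    # 1. a usable ticket is already in place
    candidates = [os.path.join(sss_dir, f"ccache_{username}")]         # 2. SSSD cache
    candidates += sorted(glob.glob(os.path.join(tmp_dir, f"krb5cc_{uid}_*")),
                         key=os.path.getmtime, reverse=True)            # 3. PAM caches, newest first
    for src in candidates:
        if os.path.isfile(src) and is_valid(src):
            _copy_private(src, target, uid)
            return target
    return None                          # 4. fall back to the machine account
```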
