[Samba] Problem with Active Directory authentication

Data Control Systems - Mike Elkevizth mike at datacontrolsystems.com
Fri Jun 10 19:14:40 UTC 2016


Hi,

You need to make sure that the user has the rfc2307 "loginShell:" attribute
set.  See
https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC
for how to set it.

Mike E.


On Fri, Jun 10, 2016 at 2:11 PM, Kaplan, Andrew H. <AHKAPLAN at partners.org>
wrote:

> Hello --
>
> The version of Samba that I am running on the server is the 4.3.9 Ubuntu
> package.
>
> To that end, I reconfigured the smb.conf file to reflect the entries
> listed in your e-mail.
>
> I added the syntax: default shell = /bin/bash to the smb.conf file, and
> restarted the samba and winbind daemons.
> Unfortunately, the getent passwd command indicated the /bin/false shell
> was still the default.
>
> What else do I need to do in order to correct this?
>
>
> ------------------------------
> *From:* Data Control Systems - Mike Elkevizth [mike at datacontrolsystems.com]
> *Sent:* Friday, June 10, 2016 1:40 PM
> *To:* Kaplan, Andrew H.; samba at lists.samba.org
> *Cc:* Rowland penny
> *Subject:* Re: [Samba] Problem with Active Directory authentication
>
> Hi,
>
> What version of Samba are you running (samba --version)?  Some of the
> smb.conf parameters have changed in more recent versions.  I'm running the
> standard version supplied with Ubuntu which is currently 4.3.9.  My
> configuration on member servers is as follows:
>
> [global]
> # Base options
> workgroup = <NETBIOS DOMAIN>
> realm = <AD DOMAIN>
> netbios name = <THIS MACHINE'S NETBIOS NAME>
> security = ADS
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 3000000-3999999
>
> # idmap config for domain <NETBIOS DOMAIN>
> idmap config <NETBIOS DOMAIN>:backend = ad
> idmap config <NETBIOS DOMAIN>:schema_mode = rfc2307
> idmap config <NETBIOS DOMAIN>:range = 10000-20000
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = yes
>
> # Log options
> log level = 1
>
> I think it looks like your real issue now is the /bin/false shell, which
> is the default if it isn't specifically set.  The newer way to set the
> shell is using rfc2307 attributes.  See
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and
> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC.
> With a configuration similar to mine, and the correct shell set up in the
> rfc2307 attributes for the user, I think you'll be all set.
>
> Mike E.
>
> On Fri, Jun 10, 2016 at 12:50 PM Kaplan, Andrew H. <AHKAPLAN at partners.org>
> wrote:
>
>> Hello --
>>
>> I removed the ldap and sssd packages from the server, and I am trying to
>> get winbind to work on the system.
>>
>> The configuration of the /etc/samba/smb.conf file's global section is the
>> following:
>>
>> [global]
>>
>> ## Browsing/Identification ###
>>
>> # Change this to the workgroup/NT-domain name your Samba server will be part of
>>    security = ads
>>    realm = <domain name>
>>    workgroup = <domain>
>>    idmap uid = 10000-20000
>>    idmap gid = 10000-20000
>>    winbind enum users = yes
>>    winbind enum groups = yes
>>    template homedir =  /home/%D/%U
>>    template shell = /bin/bash
>>    client use spnego = yes
>>    client ntlmv2 auth =yes
>>    encrypt passwords = yes
>>    winbind use default domain = yes
>>    restrict anonymous = 2
>>
>> While that of the /etc/nsswitch.conf file reads as follows:
>>
>>
>> passwd:         compat  winbind
>> group:          compat  winbind
>> shadow:         compat
>>
>> hosts:  files dns
>> ...
>>
>> The /etc/krb5.conf file has the domain name in capital letters for the
>> default_realm entry.
>>
>> I was able to join the server with the domain.
>>
>> When I ran the getent <username>@<DOMAINNAME> command, the output was the
>> following:
>>
>> <DOMAINNAME>\<username>:*:10000:10005:<lastname>,
>> <firstname>.:/home/<DOMAIN>/<username>:/bin/false
>>
>> I attempted to log into the system via ssh using the following command
>> syntax:
>>
>> ssh -l <username>@<DOMAINNAME> <server fqdn>
>>
>> The connection was made, but it was immediately closed. I am guessing the
>> /bin/false shell could be what is causing the problem.
>>
>> The auth.log file also had the following entries:
>>
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
>> microknoppix.mgh.harvard.edu  user=ahk at PARTNERS.ORG
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth):
>> getting password (0x00000388)
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth):
>> pam_get_item returned a password
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): user
>> '<DOMAINNAME>\<username>' granted access
>> Jun 10 12:44:00 <samba server> sshd[13560]: Accepted password for
>> <username>@<DOMAINNAME> from <ip address> port 54879 ssh2
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session):
>> session opened for user <DOMAINNAME>\<username> by (uid=0)
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_systemd(sshd:session):
>> Failed to create session: No such file or directory
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session):
>> unknown option: umask
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session):
>> unknown option: 0022
>> Jun 10 12:44:00 <samba server> sshd[13608]: Received disconnect from <ip
>> address>: disconnected by user
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session):
>> session closed for user <DOMAINNAME>\<username>
>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:setcred):
>> user '<DOMAINNAME>\<username>' OK
>>
>> The pam-auth-update command indicated the following were enabled:
>>
>> Unix authentication
>> Winbind NT/Active Directory authentication
>>
>> Register user sessions in the systemd control group hierarchy
>> Inheritable Capabilities Management
>>
>> ------------------------------
>> *From:* Data Control Systems - Mike Elkevizth [
>> mike at datacontrolsystems.com]
>> *Sent:* Friday, June 10, 2016 10:45 AM
>> *To:* Kaplan, Andrew H.; samba at lists.samba.org
>> *Cc:* Rowland penny
>>
>> *Subject:* Re: [Samba] Problem with Active Directory authentication
>> Hi,
>>
>> I have a feeling that Rowland is correct that all the different
>> authentication methods are interfering with one another.  I can say all I
>> have is winbind and it works fine for me.  My relevant pam-auth-update
>> modules are:
>>
>> [*] Unix authentication
>> [*] Winbind NT/Active Directory authentication
>> [*] Register user sessions in the systemd control group hierarchy
>> [*] Create home directory on login
>>
>> My relevant excerpt from /etc/nsswitch.conf is:
>>
>> passwd:         compat winbind
>> group:          compat winbind
>>
>> If your smb.conf file includes the "template shell = /bin/bash" as you
>> indicated earlier, but your getent password is returning /bin/PHSshell
>> instead, I think the information is being returned by a service other than
>> winbind.  Depending on how pam is configured, generally the order listed
>> when you run pam-auth-update will be the order in which the services are
>> tried.  So the first one listed there is probably the one returning the
>> info to getent passwd.  I also know that my ssh (Ubuntu 16.04 client and
>> server) doesn't like the username in the format <username>@<domainname> and
>> this isn't the format in which winbind would return the information, at least
>> not by default.  For me getent passwd <username>@<domainname> would return
>> the user as <domainname>\<username>.  I would try running pam-auth-update
>> and disabling the LDAP and SSSD authentication methods and see if getent
>> passwd returns different info.
>>
>> Your first post looked to me like the authentication was succeeding, but
>> then the shell was wrong and so you were immediately logged out.  Like you
>> mentioned in a previous post, the /bin/PHSshell is probably one issue
>> because it probably doesn't exist.  A link from /bin/PHSshell to /bin/bash
>> would fix this, but more than likely, it is a configuration issue that is
>> returning the wrong shell in the first place.  Is PHS your netbios domain
>> name?  If it is, it's probably the LDAP or SSSD configuration that is
>> returning the shell using a substitution that isn't set up correctly.
>>
>> Good luck,
>>
>> Mike E.
>>
>> On Fri, Jun 10, 2016 at 10:14 AM Rowland penny <rpenny at samba.org> wrote:
>>
>>> On 10/06/16 13:46, Kaplan, Andrew H. wrote:
>>> > Hello --
>>> >
>>> > The winbind packages that are installed on the server are the
>>> following:
>>> >
>>> >       Package                                     Description
>>> >       libnss-winbind 4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Samba nameservice integration plugins
>>> >       libpam-winbind 4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Windows domain authentication integration plugin
>>> >       libwbclient0 4.3.9+dfsg-0ubuntu0.14.04.3    amd64  Samba winbind client library
>>> >       winbind 4.3.9+dfsg-0ubuntu0.14.04.3         amd64  service to resolve user and group information from Windows NT servers
>>> >
>>> > Similarly, the ldap PAM packages are as follows:
>>> >
>>> >       Package                                     Description
>>> >       ldap-auth-client 0.5.3                      all    meta-package for LDAP authentication
>>> >       ldap-auth-config 0.5.3                      all    Config package for LDAP authentication
>>> >       ldap-utils 2.4.31-1+nmu2ubuntu8.2           amd64  OpenLDAP utilities
>>> >       libldap-2.4-2 2.4.31-1+nmu2ubuntu8.2        amd64  OpenLDAP libraries
>>> >       libldb1 1.1.24-0ubuntu0.14.04.1             amd64  LDAP-like embedded database - shared library
>>> >       libnss-ldap 264-2.2ubuntu4.14.04.1          amd64  NSS module for using LDAP as a naming service
>>> >       libpam-ldap 184-8.5ubuntu3                  amd64  Pluggable Authentication Module for LDAP
>>> >       sssd-ldap 1.11.5-1ubuntu3                   amd64  System Security Services Daemon -- LDAP back end
>>> >
>>> > Finally, the sssd packages are the following:
>>> >
>>> >       Package                                     Description
>>> >       libsss-idmap0 1.11.5-1ubuntu3               amd64  ID mapping library for SSSD
>>> >       sssd 1.11.5-1ubuntu3                        amd64  System Security Services Daemon -- metapackage
>>> >       sssd-ad 1.11.5-1ubuntu3                     amd64  System Security Services Daemon -- Active Directory back end
>>> >       sssd-ad-common 1.11.5-1ubuntu3              amd64  System Security Services Daemon -- PAC responder
>>> >       sssd-common 1.11.5-1ubuntu3                 amd64  System Security Services Daemon -- common files
>>> >       sssd-ipa 1.11.5-1ubuntu3                    amd64  System Security Services Daemon -- IPA back end
>>> >       sssd-krb5 1.11.5-1ubuntu3                   amd64  System Security Services Daemon -- Kerberos back end
>>> >       sssd-krb5-common 1.11.5-1ubuntu3            amd64  System Security Services Daemon -- Kerberos helpers
>>> >       sssd-ldap 1.11.5-1ubuntu3                   amd64  System Security Services Daemon -- LDAP back end
>>> >       sssd-proxy 1.11.5-1ubuntu3                  amd64  System Security Services Daemon -- proxy back end
>>> >       sssd-tools 1.11.5-1ubuntu3                  amd64  System Security Services Daemon -- tools
>>> >
>>> > Will removing all packages for the first two groups solve this problem?
>>> >
>>> > From: samba [samba-bounces at lists.samba.org] on behalf of Rowland
>>> penny [rpenny at samba.org]
>>> > Sent: Friday, June 10, 2016 8:29 AM
>>> > To: samba at lists.samba.org
>>> > Subject: Re: [Samba] Problem with Active Directory authentication
>>> >
>>> > On 10/06/16 12:47, Kaplan, Andrew H. wrote:
>>> >> Hello --
>>> >>
>>> >> I started a thread on the list that you suggested in your e-mail, and
>>> thank you for the reference.
>>> >>
>>> >> Also, I checked the auth.log file on the server, and the following
>>> entries were present:
>>> >>
>>> >> I checked the auth.log file, and the following entries were present:
>>> >>
>>> >> Jun 10 07:10:50 <samba server> sshd[7419]: pam_unix(sshd:auth):
>>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn>
>>> user=<username>@<domainname>
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth):
>>> getting password (0x00000388)
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth):
>>> pam_get_item returned a password
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth):
>>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn>
>>> user=<username>@<domainname>
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth):
>>> received for user <username>@<domainname> 17 (Failure setting user
>>> credentials)
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: could not open
>>> secret file /etc/ldap.secret (No such file or directory)
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind
>>> Can't contact LDAP server
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: reconnecting to
>>> LDAP server...
>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind
>>> Can't contact LDAP server
>>> >> Jun 10 07:10:53 <samba server> sshd[7419]: Failed password for
>>> invalid user <username>@<domainname> from <ip address> port 49847 ssh2
>>> >>
>>> >>
>>> >> ________________________________________
>>> >> From: Sumit Bose [sbose at redhat.com]
>>> >> Sent: Friday, June 10, 2016 4:44 AM
>>> >> To: Kaplan, Andrew H.
>>> >> Cc: samba-technical at lists.samba.org; samba at lists.samba.org
>>> >> Subject: Re: Problem with Active Directory authentication
>>> >>
>>> >> On Wed, Jun 08, 2016 at 07:46:00PM +0000, Kaplan, Andrew H. wrote:
>>> >>> Hello --
>>> >>>
>>> >>> We are running the 14.04.3 LTS 64-bit release as a virtual machine
>>> on a VMware appliance. The goal of the installation is to create a Samba
>>> server that utilizes Active Directory authentication. To that end I
>>> utilized the following procedure:
>>> >>>
>>> >>> http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/
>>> >>>
>>> >>> Afterwards, I referenced the following documentation to confirm that
>>> all configuration files had the appropriate entries:
>>> >>>
>>> >>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html
>>> >> The sssd-users list
>>> >>
>>> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/
>>> >> might be more appropriate for your question.
>>> >>
>>> >> As a general comment, the PAM configuration is important here. Please
>>> >> check the system logs which PAM module was consulted during the login
>>> >> attempt and which cause the rejection.
>>> >>
>>> >> HTH
>>> >>
>>> >> bye,
>>> >> Sumit
>>> >>
>>> >>> The problem is the following: I am unable to log into the server
>>> from the console or via SSH using my Active Directory user account. The
>>> syntax that I use when doing an SSH connection is the following:
>>> >>>
>>> >>> ssh -v -l <username>@<domainname> <fully qualified domain name>
>>> >>>
>>> >>> The output that was generated is the following:
>>> >>>
>>> >>> OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
>>> >>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> >>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>>> >>> debug1: Connecting to <fully qualified domain name> [<ip address>]
>>> port 22.
>>> >>> debug1: Connection established.
>>> >>> debug1: identity file /home/knoppix/.ssh/id_rsa type -1
>>> >>> debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
>>> >>> debug1: identity file /home/knoppix/.ssh/id_dsa type -1
>>> >>> debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
>>> >>> debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
>>> >>> debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
>>> >>> debug1: Remote protocol version 2.0, remote software version
>>> OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
>>> >>> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
>>> >>> debug1: Enabling compatibility mode for protocol 2.0
>>> >>> debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
>>> >>> debug1: SSH2_MSG_KEXINIT sent
>>> >>> debug1: SSH2_MSG_KEXINIT received
>>> >>> debug1: kex: server->client aes128-ctr hmac-md5 none
>>> >>> debug1: kex: client->server aes128-ctr hmac-md5 none
>>> >>> debug1: sending SSH2_MSG_KEX_ECDH_INIT
>>> >>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>>> >>> debug1: Server host key: ECDSA
>>> ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
>>> >>> debug1: Host '<fully qualified domain name>' is known and matches
>>> the ECDSA host key.
>>> >>> debug1: Found key in /home/knoppix/.ssh/known_hosts:29
>>> >>> debug1: ssh_ecdsa_verify: signature correct
>>> >>> debug1: SSH2_MSG_NEWKEYS sent
>>> >>> debug1: expecting SSH2_MSG_NEWKEYS
>>> >>> debug1: SSH2_MSG_NEWKEYS received
>>> >>> debug1: Roaming not allowed by server
>>> >>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>> >>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>> >>> debug1: Authentications that can continue: publickey,password
>>> >>> debug1: Next authentication method: publickey
>>> >>> debug1: Trying private key: /home/knoppix/.ssh/id_rsa
>>> >>> debug1: Trying private key: /home/knoppix/.ssh/id_dsa
>>> >>> debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
>>> >>> debug1: Next authentication method: password
>>> >>> <username>@<domainname>@<fully qualified domain name>'s password:
>>> >>> Connection closed by <ip address>
>>> >>>
>>> >>> Does anyone have thoughts on this?
>>> >>>
>>> >>> Thanks.
>>> >>>
>>> >>>
>>> > As Sumit has said, this should be on the sssd mailing list.
>>> > From your log fragment, it looks like you have the winbind and ldap PAM
>>> > packages installed, you do not need them.
>>> >
>>> > Rowland
>>> >
>>> >
>>> > --
>>> > To unsubscribe from this list go to the following URL and read the
>>> > instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>> I am not entirely sure; what I can say is that you are using three
>>> different methods of authentication, winbindd, ldap and sssd, surely you
>>> don't need all three?
>>>
>>> If you decide to use sssd, then ask on their mailing list what sssd
>>> packages you need and what you should remove.
>>> If you decide to use LDAP, then this probably entails using nslcd, find
>>> their mailing list and ask them.
>>> If you decide to use winbindd (the Samba recommended way), then this is
>>> the place to ask and I would suggest you have a look here:
>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>
>>> Rowland
>>>
>>
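
The thread converges on three checks for an AD user who resolves to /bin/false on a Samba domain member: the shell field that getent passwd returns, whether smb.conf actually tells winbind to use the rfc2307 attributes (winbind nss info, the ad idmap backend with schema_mode = rfc2307), and whether the user object has a loginShell attribute at all. The script below runs those checks offline against files and strings. It is an added example, not code from the thread or from the Samba project: the domain name EXAMPLE, the user jdoe, both smb.conf fragments and the LDIF excerpt are constructed, and nothing here talks to winbindd or a domain controller.

```shell
#!/bin/sh
# Added example, not from the thread: offline diagnostics for the
# "/bin/false shell on an AD member server" problem. Sample inputs are
# constructed; the domain EXAMPLE and user jdoe are placeholders.

# Print the login-shell field (the 7th) of one "getent passwd" line.
passwd_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# Return 0 if the shell can give an interactive session, 1 if it is empty
# or one of the usual deny shells (what closed the SSH session in the thread).
shell_allows_login() {
    case "$1" in
        ''|/bin/false|/usr/sbin/nologin|/sbin/nologin) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the value of one [global] parameter from an smb.conf-style file,
# matching the name case-insensitively and skipping '#' and ';' comment
# lines. Prints nothing when the parameter is absent.
smbconf_get() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[global\]/); next }
        insec && index($0, "=") {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Print one line per rfc2307-related setting for domain $2 that is missing
# or wrong in smb.conf $1; return 1 if anything was reported.
diagnose_shell_config() {
    conf=$1; dom=$2; rc=0
    nss=$(smbconf_get "$conf" "winbind nss info")
    if [ "$nss" != "rfc2307" ]; then
        echo "winbind nss info = '${nss:-<unset>}': AD loginShell is ignored and 'template shell' (default /bin/false) is used"
        rc=1
    fi
    if [ "$(smbconf_get "$conf" "idmap config $dom:backend")" != "ad" ]; then
        echo "idmap config $dom:backend is not 'ad' (the working config in the thread uses the ad backend)"
        rc=1
    fi
    if [ "$(smbconf_get "$conf" "idmap config $dom:schema_mode")" != "rfc2307" ]; then
        echo "idmap config $dom:schema_mode is not 'rfc2307'"
        rc=1
    fi
    return $rc
}

# Print the loginShell attribute from an LDIF dump of the user object
# (ldbsearch/ldapsearch style); prints nothing when the attribute is unset.
ldif_login_shell() {
    printf '%s\n' "$1" | sed -n 's/^loginShell: *//p'
}

# Constructed sample configs: "good" is shaped like the working member
# server config in the thread, "bad" like the original one that relied on
# 'template shell' alone. Prints the path of a temporary file.
make_sample_conf() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        cat > "$f" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = AD.EXAMPLE.COM
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 3000000-3999999
   # idmap config for domain EXAMPLE
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:schema_mode = rfc2307
   idmap config EXAMPLE:range = 10000-20000
   winbind nss info = rfc2307
EOF
    else
        cat > "$f" <<'EOF'
[global]
   security = ads
   realm = AD.EXAMPLE.COM
   workgroup = EXAMPLE
   idmap uid = 10000-20000
   template homedir = /home/%D/%U
   template shell = /bin/bash
EOF
    fi
    printf '%s\n' "$f"
}

# Constructed getent output and LDIF excerpts (no real account data).
SAMPLE_PASSWD='EXAMPLE\jdoe:*:10000:10005:Doe, John.:/home/EXAMPLE/jdoe:/bin/false'
SAMPLE_LDIF_UNSET='dn: CN=John Doe,CN=Users,DC=ad,DC=example,DC=com
sAMAccountName: jdoe
uidNumber: 10000'
SAMPLE_LDIF_SET="$SAMPLE_LDIF_UNSET
loginShell: /bin/bash"

main() {
    sh=$(passwd_shell "$SAMPLE_PASSWD")
    shell_allows_login "$sh" || echo "getent returns $sh: an interactive login is closed immediately"
    conf=$(make_sample_conf bad)
    diagnose_shell_config "$conf" EXAMPLE
    rm -f "$conf"
    [ -n "$(ldif_login_shell "$SAMPLE_LDIF_UNSET")" ] || echo "loginShell attribute is not set on the user object"
    return 0
}

main
```

Against a real member server the same functions take the output of getent passwd for the domain user, the path /etc/samba/smb.conf with the NetBIOS domain name, and an LDIF dump of the user object; the three messages map onto the three fixes the thread ends with (deny shell, missing rfc2307 settings, missing loginShell attribute).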

