[Samba] Unable to ssh to dc

Rob Campbell robcampbell08105 at gmail.com
Tue Jun 13 18:08:42 UTC 2023


>
> Before we get really involved here, can we just check it isn't something
> easy.
> By default a Samba AD DC has this default line (it is there, even if it
> doesn't show in your smb.conf):
>
> template shell = /bin/false
>
> With that, you cannot logon as a domain user
>
> So you need to set something like:
>
> template shell = /bin/bash
>

Prior to my last email, it didn't have a template shell variable at all, so
I added:

template shell = /bin/bash
template homedir = /home/%U

I then restarted samba and I was still unable to ssh in. I then added the
two packages and I was able to getent passwd newtestuser but still unable
to ssh in.  I can ssh in with a local user account but I think I mentioned
that already.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.


On Tue, Jun 13, 2023 at 1:01 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

>
>
> On 13/06/2023 17:23, Rob Campbell via samba wrote:
> > Correction/Clarification. I'm now able to do the getent passwd
> newtestuser
> > but I am still unable to ssh.
> >
> > Jun 13 12:22:23 DC01 sshd[3369330]: pam_winbind(sshd:auth): getting
> > password (0x00000388)
> > Jun 13 12:22:23 DC01 sshd[3369330]: pam_winbind(sshd:auth): pam_get_item
> > returned a password
> > Jun 13 12:22:23 DC01 sshd[3369330]: pam_winbind(sshd:auth): request
> > wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL
> > (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon
> > servers are currently available to service the logon request.
> > Jun 13 12:22:23 DC01 sshd[3369330]: pam_winbind(sshd:auth): internal
> module
> > error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'newtestuser')
> > Jun 13 12:22:25 DC01 sshd[3369330]: Failed password for newtestuser from
> > 2600:4040:4661:9a00:53e6:7b0d:537e:c233 port 37170 ssh2
> > Jun 13 12:22:25 DC01 sshd[3369330]: Connection closed by authenticating
> > user newtestuser 2600:4040:4661:9a00:53e6:7b0d:537e:c233 port 37170
> > [preauth]
> > Jun 13 12:22:25 DC01 sshd[3369330]: PAM 2 more authentication failures;
> > logname= uid=0 euid=0 tty=ssh ruser=
> > rhost=2600:4040:4661:9a00:53e6:7b0d:537e:c233  user=newtestuser
> >
>
> Before we get really involved here, can we just check it isn't something
> easy.
> By default a Samba AD DC has this default line (it is there, even if it
> doesn't show in your smb.conf):
>
> template shell = /bin/false
>
> With that, you cannot logon as a domain user
>
> So you need to set something like:
>
> template shell = /bin/bash
>
> Rowland
>
>
>
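After changing `template shell` and restarting Samba as described in the message above, the passwd entry that winbind returns shows whether the new value is actually in effect. The following is an added example, not part of the original thread: a POSIX shell helper that classifies the shell field of `getent passwd` output. The function names, the list of non-login shells and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the login shell in a passwd(5)-format line, such as
# the output of `getent passwd newtestuser` on the DC. Function names are
# hypothetical; the sample entries at the bottom are constructed.

# Shells that end a session immediately (assumed list; extend per distro).
NOLOGIN_SHELLS="/bin/false /usr/bin/false /sbin/nologin /usr/sbin/nologin"

# passwd_field LINE N: print field N of a colon-separated passwd entry.
passwd_field() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '{ print $n }'
}

# classify_entry LINE: print malformed, nologin-shell or ok.
classify_entry() {
    nf=$(printf '%s\n' "$1" | awk -F: '{ print NF }')
    if [ "$nf" != 7 ]; then
        echo malformed
        return 0
    fi
    shell=$(passwd_field "$1" 7)
    # passwd(5): an empty shell field means /bin/sh
    [ -n "$shell" ] || shell=/bin/sh
    case " $NOLOGIN_SHELLS " in
        *" $shell "*) echo nologin-shell ;;
        *)            echo ok ;;
    esac
}

# summarize_entry LINE: one-line report of the fields a login would use.
# printf is used instead of echo so the backslash in DOMAIN\user stays literal.
summarize_entry() {
    printf 'user=%s home=%s shell=%s verdict=%s\n' \
        "$(passwd_field "$1" 1)" "$(passwd_field "$1" 6)" \
        "$(passwd_field "$1" 7)" "$(classify_entry "$1")"
}

# check_user NAME: run the same check against live NSS data on the host.
check_user() {
    entry=$(getent passwd "$1") || { echo "no passwd entry for $1"; return 0; }
    summarize_entry "$entry"
}

# Constructed samples: the same account with the default templates and with
# the two smb.conf lines from the message (domain name and IDs are made up).
SAMPLE_BEFORE='SAMDOM\newtestuser:*:3000020:100::/home/SAMDOM/newtestuser:/bin/false'
SAMPLE_AFTER='SAMDOM\newtestuser:*:3000020:100::/home/newtestuser:/bin/bash'
```

On the DC, `check_user newtestuser` prints the live entry, and `testparm -s --parameter-name='template shell'` shows the value Samba has loaded.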

