[Samba] Winbindd and SSH (just disconnects after login)

Buchan Milne bgmilne at cae.co.za
Tue Nov 25 12:20:15 GMT 2003



> Message: 7
> Date: Fri, 21 Nov 2003 09:06:50 -0600
> From: "sambalists" <sambalists at rineco.com>
> Subject: [Samba] Winbindd and SSH (just disconnects after login)
> To: <samba at lists.samba.org>
> Message-ID: <001001c3b041$17732210$b1c5f6c6 at tjbxp>
> Content-Type: text/plain;	charset="iso-8859-1"
>
> It looks like I've gotten the majority of things working in regards to
> Winbind.  Users are being authenticated by the NT4 PDC when connecting to
> shares, but I can't seem to get things set up correctly to allow logging in
> via SSH (OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f).  It
> appears as though I'm successfully authenticated by the PDC, but then the
> connection is immediately closed.
>
> (I'm running Mandrake Linux v9.2 and Samba Version 3.0.1pre3.)
>
> [testuser at linuxsmb testuser]$ ssh -lTESTDOM.COM\\testuser linuxsmb
> TESTDOM.COM\testuser at linuxsmb's password:
> Last login: Fri Nov 21 08:40:09 2003 from linuxsmb.TESTDOM.COM
> Connection to linuxsmb closed.
> [testuser at linuxsmb testuser]$ ssh -lTESTDOM.COM\\testuser linuxsmb
> TESTDOM.COM\testuser at linuxsmb's password:
> Last login: Fri Nov 21 08:40:44 2003 from linuxsmb.TESTDOM.COM
> Connection to linuxsmb closed.
> Here you can see by the "Last Login:" that is displayed, that I am being
> authenticated when I try connecting via ssh 2 times back to back:
>
> Here's a smbclient session being authenticated via the NT PDC:
> [testuser at linuxsmb testuser]$ smbclient
> //linuxsmb/testuser -UTESTDOM.COM\\testuser -c 'ls *.txt'
> Password:
>
>   SSD55287.txt                             41401  Fri Nov  7 04:36:57 2003
>   New Text Document.txt               A        0  Thu Nov 20 15:08:26 2003
>
>                 64860 blocks of size 32768. 63759 blocks available
>
> So it appears that things are working ??
>
> When I try connecting via SSH, no dice.  *sigh*
>
> Here's a snippet from my /var/log/auth.log
> Nov 21 08:34:52 linuxsmb pam_winbind[2842]: request failed: Wrong Password,
> PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
> Nov 21 08:34:52 linuxsmb pam_winbind[2842]: user `TESTDOM.COM\testuser'
> denied access (incorrect password)
> Nov 21 08:34:52 linuxsmb sshd(pam_unix)[2842]: check pass; user unknown
> Nov 21 08:34:52 linuxsmb sshd(pam_unix)[2842]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=linuxsmb.TESTDOM.COM
> Nov 21 08:34:57 linuxsmb pam_winbind[2842]: user 'TESTDOM.COM\testuser'
> granted acces
> Nov 21 08:34:57 linuxsmb pam_winbind[2842]: user 'TESTDOM.COM\testuser'
> granted acces
> Nov 21 08:34:57 linuxsmb sshd[2842]: Accepted password for
> TESTDOM.COM\\testuser from 198.246.197.240 port 32810 ssh2
>
> /etc/pam.d/sshd
> auth       required     pam_nologin.so
> auth       sufficient   pam_winbind.so
> auth       required     pam_unix.so use_first_pass shadow

Change this line to "try_first_pass".

> auth       required     pam_env.so # [1]
>
> account    sufficient   pam_winbind.so
> account    required     pam_unix.so use_first_pass

You might need "try_first_pass" here too.

>
> session    sufficient   pam_mkhomedir.so skel=/etc/skel umask=0022
> session    required     pam_unix.so
> session    optional     pam_lastlog.so # [1]
> session    optional     pam_motd.so # [1]
> session    optional     pam_mail.so standard noenv # [1]
> session    required     pam_limits.so
>
> password   required     pam_unix.so
>
> What am I missing here or doing wrong?  Not sure if any other settings are
> relevant, and hate blasting the list with a bunch of useless/unwanted text.

OpenSSH's approach to solving the longer delay for a valid user account
(account discovery bug) was to give a PAM authentication failure first
for any connection (as I understand this). So, your "use_first_pass" is
getting a bad password, and you aren't allowing it to prompt for a 2nd
attempt.

BTW, you don't see this with public key authentication ... so the
default /etc/pam.d/system-auth is broken for ssh too if you use drakauth
to set up winbind :-(.

Regards,
Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
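
A small checker for the pattern this reply points at, as an added example that is not part of the original message or of the Samba or PAM projects: it flags `use_first_pass` on a module stacked after a `sufficient` module (that option reuses the stacked password and never prompts again) and rewrites it to `try_first_pass` as suggested above. The sample config is a constructed, trimmed copy of the quoted /etc/pam.d/sshd, and all function names are hypothetical.

```python
import re

# Constructed sample: a trimmed copy of the /etc/pam.d/sshd quoted in the thread.
SAMPLE_SSHD = """\
auth       required     pam_nologin.so
auth       sufficient   pam_winbind.so
auth       required     pam_unix.so use_first_pass shadow
auth       required     pam_env.so # [1]
account    sufficient   pam_winbind.so
account    required     pam_unix.so use_first_pass
session    required     pam_unix.so
"""

# type, control (simple keyword or [bracketed] form), module, optional arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (lineno, type, control, module, args) for every rule line."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())  # drop comments
        if m:
            mtype, control, module, args = m.groups()
            rules.append((n, mtype.lstrip("-"), control, module, args.split()))
    return rules

def find_no_reprompt(text):
    """Flag use_first_pass on rules stacked after a 'sufficient' rule of the
    same type: if the stacked password is rejected, they cannot prompt again."""
    findings, seen_sufficient = [], set()
    for n, mtype, control, module, args in parse_pam(text):
        if "use_first_pass" in args and mtype in seen_sufficient:
            findings.append((n, mtype, module))
        if control == "sufficient":
            seen_sufficient.add(mtype)
    return findings

def apply_suggestion(text, findings):
    """Rewrite only the flagged lines to try_first_pass."""
    flagged = {n for n, _, _ in findings}
    lines = [raw.replace("use_first_pass", "try_first_pass") if n in flagged else raw
             for n, raw in enumerate(text.splitlines(), 1)]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    hits = find_no_reprompt(SAMPLE_SSHD)
    for n, mtype, module in hits:
        print(f"line {n}: {mtype} {module} uses use_first_pass after a sufficient module")
    print(apply_suggestion(SAMPLE_SSHD, hits))
```
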