[Samba] Using winbind authentication with Windows 2003 AD - SSH login failures
Wayne Pascoe
lists-june2004 at penguinpowered.org
Fri Nov 5 10:10:54 GMT 2004
Hi all,
I have been trying to set up authentication of users on a Linux server
against Windows Server 2003 using winbind.
I am at the point where an
su - ADUSERNAME
works, but sshing as that user still doesn't work.
When I try to ssh as an AD user as follows:
ssh -l "RILINUX+testuser" server.domain.com
I get the following output in /var/log/messages:
server pam_winbind[5906]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER
server sshd(pam_unix)[5906]: check pass; user unknown
server sshd(pam_unix)[5906]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=server.domain.com
At the same time, I see this Failure Audit in the Security section of
Event viewer on the AD server:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: NOUSER
Source Workstation: \\LONLT-SVR9
Error Code: 0xC0000064
I then changed my setup to use winbind use default domain = yes and tried with
ssh -l testuser server.domain.com
I got the same result as when using the DOMAIN+user syntax.
wbinfo -u shows this test user in the list.
My smb.conf is as follows:
[global]
workgroup = MYADDOMAIN
netbios name = servername
winbind separator = +
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
security = ads
encrypt passwords = yes
realm = MYKERBEROSREALM.COM
password server = 10.xxx.xxx.xxx
My various pam configs are as follows:
/etc/pam.d/login
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
/etc/pam.d/sshd
auth required pam_stack.so service=system-auth
auth sufficient pam_winbind.so
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
I'm using Red Hat EL AS 3 which I believe tries to centralise most of
this in system-auth, and this is what I have there:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
I'm not sure if this is related to my problem, but I see quite a few
of the following messages in my security section of event viewer:
Pre-authentication failed:
User Name: servername$
User ID: MYDOMAIN\servername$
Service Name: krbtgt/MYKERBEROSREALM.COM
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.xxx.xxx.xxx
Can anyone advise how to rectify this problem?
Thanks in advance,
--
Wayne Pascoe
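As an added example (not code from the post or from Samba), here is a small simulator of Linux-PAM's required/sufficient control-flag semantics run over the sshd, login and system-auth stacks quoted above, with pam_stack expanded inline and each module's pass/fail supplied as a constructed input. It shows that in both the login and sshd stacks the verdict is fixed by pam_winbind's answer: pam_deny only fires after pam_winbind and pam_unix have both rejected the user, so the differing module order in the two files does not change the outcome.

```python
# Simulates Linux-PAM 'required'/'sufficient' evaluation of an auth stack.
# Stacks are transcribed from the sshd, login and system-auth files quoted
# above (module paths dropped); pam_stack is expanded inline as Red Hat's
# module did. The per-module outcomes are constructed inputs.

STACKS = {
    "system-auth": [
        ("required", "pam_env"),
        ("sufficient", "pam_winbind"),
        ("sufficient", "pam_unix"),
        ("required", "pam_deny"),
    ],
    "sshd": [
        ("required", "pam_stack", "system-auth"),
        ("sufficient", "pam_winbind"),
        ("required", "pam_nologin"),
    ],
    "login": [
        ("required", "pam_securetty"),
        ("sufficient", "pam_winbind"),
        ("required", "pam_stack", "system-auth"),
        ("required", "pam_nologin"),
    ],
}

DEFAULTS = {"pam_deny": False}  # pam_deny always fails; others pass unless told otherwise


def run_stack(service, results):
    """Return (authenticated, deciding_module) for one auth stack.
    'required': a failure is remembered, later modules still run.
    'sufficient': success ends the stack with PAM_SUCCESS unless a
    required module already failed; a failure is simply ignored."""
    first_failed = None
    for entry in STACKS[service]:
        control, module = entry[0], entry[1]
        if module == "pam_stack":             # recurse into the sub-stack
            ok, decider = run_stack(entry[2], results)
        else:
            ok = results.get(module, DEFAULTS.get(module, True))
            decider = module
        if control == "required" and not ok:
            first_failed = first_failed or decider
        elif control == "sufficient" and ok and first_failed is None:
            return True, decider              # short-circuit success
    return first_failed is None, first_failed   # None: reached end of stack


# Constructed scenarios: winbind rejects the name (as in the logged
# NT_STATUS_NO_SUCH_USER) versus accepts it; pam_unix knows no local entry.
REJECTED = {"pam_winbind": False, "pam_unix": False}
ACCEPTED = {"pam_winbind": True, "pam_unix": False}
```

run_stack("sshd", REJECTED) returns (False, "pam_deny") and run_stack("sshd", ACCEPTED) returns (True, "pam_winbind"); note that the sufficient success also stops the sshd stack before pam_nologin is consulted.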