[Samba] Using winbind authentication with Windows 2003 AD - SSH
login failures
John H Terpstra
jht at PrimaStasys.Com
Fri Nov 5 15:29:42 GMT 2004
Wayne,
Precisely what steps did you take to join the Samba server to the ADS?
- John T.
On Friday 05 November 2004 03:10, Wayne Pascoe wrote:
> Hi all,
>
> I have been trying to set up authentication of users on a Linux server
> against Windows server 2003 using winbind.
>
> I am at the point where an
> su - ADUSERNAME
> works, but sshing as that user still doesn't work.
>
> When I try to ssh as an AD user as follows:
> ssh -l "RILINUX+testuser" server.domain.com
> I get the following output in /var/log/messages:
>
> server pam_winbind[5906]: request failed: No such user, PAM error was
> 10, NT error was NT_STATUS_NO_SUCH_USER
> server sshd(pam_unix)[5906]: check pass; user unknown
> server sshd(pam_unix)[5906]: authentication failure; logname= uid=0
> euid=0 tty=NODEVssh ruser= rhost=server.domain.com
>
> At the same time, I see this Failure Audit in the Security section of
> Event viewer on the AD server:
> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: NOUSER
> Source Workstation: \\LONLT-SVR9
> Error Code: 0xC0000064
>
> I then changed my setup to use winbind use default domain = yes and
> tried with
> ssh -l testuser server.domain.com
> I got the same result as when using the DOMAIN+user syntax
>
> wbinfo -u shows this test user in the list.
>
> My smb.conf is as follows:
> [global]
> workgroup = MYADDOMAIN
> netbios name = servername
> winbind separator = +
> winbind use default domain = yes
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%U
> template shell = /bin/bash
>
> security = ads
> encrypt passwords = yes
> realm = MYKERBEROSREALM.COM
> password server = 10.xxx.xxx.xxx
>
> My various pam configs are as follows:
> /etc/pam.d/login
> auth required pam_securetty.so
> auth sufficient pam_winbind.so
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account sufficient pam_winbind.so
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> session optional pam_console.so
>
> /etc/pam.d/sshd
> auth required pam_stack.so service=system-auth
> auth sufficient pam_winbind.so
> auth required pam_nologin.so
> account sufficient pam_winbind.so
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> session required pam_limits.so
> session optional pam_console.so
>
> I'm using Red Hat EL AS 3 which I believe tries to centralise most of
> this in system-auth, and this is what I have there:
>
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_winbind.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth required /lib/security/$ISA/pam_deny.so
>
> account sufficient /lib/security/$ISA/pam_winbind.so
> account required /lib/security/$ISA/pam_unix.so
>
> password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/pam_mkhomedir.so skel=/etc/skel/
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
>
>
> I'm not sure if this is related to my problem, but I see quite a few
> of the following messages in my security section of event viewer:
>
> Pre-authentication failed:
> User Name: servername$
> User ID: MYDOMAIN\servername$
> Service Name: krbtgt/MYKERBEROSREALM.COM
> Pre-Authentication Type: 0x0
> Failure Code: 0x19
> Client Address: 10.xxx.xxx.xxx
>
> Can anyone advise how to rectify this problem ?
>
> Thanks in advance,
>
> --
> Wayne Pascoe
--
John H Terpstra, CTO
PrimaStasys Inc.
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.