[Samba] FreeBSD ssh AD authentication
Thomas Fazekas
tfa at missioncriticalit.com
Thu Jun 16 11:41:44 GMT 2005
After reading the related chapter in the Samba-3 HOWTO document
I've tried to put the AD authentication in place in our network
on two systems and I got stuck in exactly the same place.
Here are the software configs I was using:
Sys 1
FreeBSD 4.11 release
sshd version OpenSSH_3.5p1 FreeBSD-20030924
Samba Version 3.0.10
Sys 2
FreeBSD 5.4-RELEASE FreeBSD amd64
OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004
Samba Version 3.0.12
I will detail what I did on sys1 (as this one is more urgent and
anyway I did the same things on sys2 with exactly the same
outcome)
My /etc/smb.conf
[global]
workgroup = OURDOMAIN
# strangely, it doesn't like the realm setting
#realm = MISSIONCRITICALIT.COM
password server = PASSSWD_SERV_IP
security = ADS
encrypt passwords = yes
server string = My Samba Server
# separate domain and username with '\', like DOMAIN\username
winbind separator = \\
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template homedir = /home/winnt/%D%U
template shell = /usr/local/bin/bash
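One check worth running on a [global] section like the one above is that the winbind idmap ranges do not overlap any account already in the local passwd file: a collision hands a domain SID the same uid as a local account and the two become indistinguishable to the kernel. The following is an added example, not code from the post or from Samba; the smb.conf text and the passwd excerpt (with a deliberately colliding "build" account) are constructed inline, and the parser is a minimal stand-in for Samba's own.

```python
"""Parse a smb.conf [global] section and check the winbind idmap
uid/gid ranges against the local account database (example code)."""
import re

# Constructed copy of the smb.conf from the post (not Samba's own parser input).
SMB_CONF = """
[global]
   workgroup = OURDOMAIN
   # realm left commented out, as in the post
   #realm = MISSIONCRITICALIT.COM
   password server = PASSSWD_SERV_IP
   security = ADS
   encrypt passwords = yes
   winbind separator = \\\\
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/winnt/%D%U
   template shell = /usr/local/bin/bash
"""

# Constructed /etc/passwd excerpt: system users, one ordinary local user,
# and one local account whose uid/gid sit inside the idmap range.
LOCAL_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
tfa:*:1001:1001:Thomas:/home/tfa:/usr/local/bin/bash
build:*:10005:10005:Build robot:/home/build:/bin/sh
"""


def parse_smb_conf(text):
    """Return {section: {key: value}} for smb.conf-style text.
    Keys are lower-cased with whitespace collapsed; only lines that begin
    with '#' or ';' are treated as comments, so values may contain '\\'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'\[(.+)\]$', line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or '=' not in line:
            continue
        key, value = line.split('=', 1)
        sections[current][' '.join(key.lower().split())] = value.strip()
    return sections


def parse_range(value):
    """'10000-20000' -> (10000, 20000); raise ValueError on a malformed range."""
    lo, hi = (int(x) for x in value.split('-', 1))
    if lo < 0 or lo > hi:
        raise ValueError("bad idmap range: %r" % value)
    return lo, hi


def parse_passwd(text):
    """Yield (name, uid, gid) from passwd(5) lines."""
    for line in text.splitlines():
        fields = line.split(':')
        if len(fields) >= 4:
            yield fields[0], int(fields[2]), int(fields[3])


def idmap_collisions(smb_conf_text, passwd_text):
    """Return [(account, id, 'uid'|'gid')] for local ids that fall inside the
    winbind idmap ranges. An empty list is the desired result."""
    g = parse_smb_conf(smb_conf_text)['global']
    uid_lo, uid_hi = parse_range(g['idmap uid'])
    gid_lo, gid_hi = parse_range(g['idmap gid'])
    hits = []
    for name, uid, gid in parse_passwd(passwd_text):
        if uid_lo <= uid <= uid_hi:
            hits.append((name, uid, 'uid'))
        if gid_lo <= gid <= gid_hi:
            hits.append((name, gid, 'gid'))
    return hits


if __name__ == '__main__':
    for name, ident, kind in idmap_collisions(SMB_CONF, LOCAL_PASSWD):
        print('local account %s has %s %d inside the idmap range' % (name, kind, ident))
```

Run it against the real /etc/passwd (and /etc/group for the gid side) before starting winbindd; if it reports anything, move either the local account or the idmap range rather than letting the two share an id.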
Then I did
sudo net join -UAdministrator
After providing the right password the answer was:
Joined domain OURDOMAIN.
Then I modified the /usr/compat/linux/etc/nsswitch.conf file
to look like the following:
passwd: files winbind
shadow: files
group: files winbind
After starting winbindd with (-d 3 -i) I can now query the
users and groups with:
wbinfo -u
wbinfo -g
Both lists seem to be in concordance with what we got on our W2K PDC.
However if I do
/usr/compat/linux/usr/bin/getent passwd
I get only the local password file content, nothing related to the domain...
According to the Samba3 HOWTO this should return info for users
in the domain...
What am I doing wrong?
Furthermore I went through this ordeal to allow domain users to authenticate
with ssh. So I've modified the /etc/pam.conf file like this (settings for
ssh):
sshd auth sufficient pam_skey.so
sshd auth sufficient pam_opie.so no_fake_prompts
#this line is added by me
sshd auth sufficient /usr/local/lib/pam_winbind.so
#sshd auth requisite pam_opieaccess.so
#sshd auth sufficient pam_kerberosIV.so try_first_pass
#sshd auth sufficient pam_krb5.so try_first_pass
sshd auth required pam_unix.so try_first_pass
sshd account required pam_unix.so
#this line is added by me
sshd account sufficient /usr/local/lib/pam_winbind.so
sshd password required pam_permit.so
sshd session required pam_permit.so
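To see what a stack like the one above actually decides, it helps to walk it with the PAM control-flag rules instead of logging in: "sufficient" short-circuits to success only when no earlier "required" module has failed, "requisite" aborts on failure, "required" records a failure but keeps going. The evaluator below is an added example, not code from the post, from OpenPAM or from Samba; the pam.conf text is a constructed copy of the post's sshd lines, the module verdicts are simulated, and a chain in which no module succeeds is treated as denied (a deliberately conservative simplification of the real library).

```python
"""Walk a pam.conf(5)-style service stack with simulated module verdicts
to show how sufficient/required/requisite combine (example code)."""

# Constructed copy of the sshd lines from the post.
PAM_CONF = """\
sshd auth sufficient pam_skey.so
sshd auth sufficient pam_opie.so no_fake_prompts
sshd auth sufficient /usr/local/lib/pam_winbind.so
sshd auth required pam_unix.so try_first_pass
sshd account required pam_unix.so
sshd account sufficient /usr/local/lib/pam_winbind.so
sshd password required pam_permit.so
sshd session required pam_permit.so
"""


def parse_pam_conf(text, service):
    """Return {facility: [(control, module, args)]} for one service name."""
    stack = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != service:
            continue
        facility, control, module = parts[1], parts[2].lower(), parts[3]
        stack.setdefault(facility, []).append((control, module, parts[4:]))
    return stack


def run_chain(chain, verdicts):
    """Evaluate one facility chain.

    `verdicts` maps a module basename to True (success) or False (failure);
    modules absent from the map fail closed. Returns (granted, consulted),
    where `consulted` lists the modules actually reached, in order.
    """
    consulted, required_failed, any_success = [], False, False
    for control, module, _args in chain:
        name = module.rsplit('/', 1)[-1]
        ok = verdicts.get(name, False)
        consulted.append(name)
        any_success = any_success or ok
        if control == 'requisite' and not ok:
            return False, consulted            # abort the chain at once
        if control == 'required' and not ok:
            required_failed = True             # remember, but keep walking
        elif control == 'sufficient' and ok and not required_failed:
            return True, consulted             # early success
        # 'optional', or a failed 'sufficient': no effect on the outcome
    return (any_success and not required_failed), consulted


def sshd_auth_outcomes():
    """Three simulated logins against the post's sshd auth chain."""
    chain = parse_pam_conf(PAM_CONF, 'sshd')['auth']
    return {
        # domain user: winbind accepts the password, pam_unix would not
        'domain': run_chain(chain, {'pam_winbind.so': True, 'pam_unix.so': False}),
        # local user: only pam_unix knows the password
        'local': run_chain(chain, {'pam_winbind.so': False, 'pam_unix.so': True}),
        # nobody: every module rejects
        'unknown': run_chain(chain, {}),
    }


def sshd_account_outcome():
    """Account chain for a user that winbind vouches for but pam_unix rejects:
    the earlier 'required' failure means the later 'sufficient' cannot rescue it."""
    chain = parse_pam_conf(PAM_CONF, 'sshd')['account']
    return run_chain(chain, {'pam_winbind.so': True, 'pam_unix.so': False})


if __name__ == '__main__':
    for who, (granted, path) in sshd_auth_outcomes().items():
        print('auth %-8s -> %s via %s' % (who, 'granted' if granted else 'denied', path))
    print('account domain-only -> %s via %s' % sshd_account_outcome())
```

Note that the account result depends entirely on ordering: placing a "required" pam_unix before a "sufficient" pam_winbind means the domain module can only ever confirm a decision pam_unix has already allowed, never override a rejection.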
Now when I try to log in as a domain user via ssh the access is refused
and I got this in /var/log/auth.log
sshd[1972]: Illegal user usr1 from 10.10.10.201
sshd[1972]: Failed unknown for illegal user usr1 from 10.10.10.201 port 55268 ssh2
And I get no output at all from winbindd, as if sshd wouldn't even bother
to try to authenticate via winbindd...
Can anybody help?