[Samba] FreeBSD ssh AD authentication

Thomas Fazekas tfa at missioncriticalit.com
Thu Jun 16 12:31:42 GMT 2005


One step closer...
Indeed I found a configuration parameter in sshd_conf
like this 

# Change to no to disable PAM authentication
# ChallengeResponseAuthentication yes

which I uncommented and restarted sshd and winbind
But the result is the same ...
I've tried to log as a domain user even from the console
(so avoiding ssh) and the result (access denied) is the same.
My pam.conf for console login :

login   auth    sufficient      pam_skey.so
login   auth    sufficient      pam_opie.so                     no_fake_prompts
#this line is added
login   auth    sufficient      /usr/local/lib/pam_winbind.so
#login  auth    requisite       pam_opieaccess.so
login   auth    requisite       pam_cleartext_pass_ok.so
#login  auth    sufficient      pam_kerberosIV.so               try_first_pass
#login  auth    sufficient      pam_krb5.so                     try_first_pass
login   auth    required        pam_unix.so                     try_first_pass
login   account required        pam_unix.so
#this line is added
login   account sufficient      /usr/local/lib/pam_winbind.so
login   password required       pam_permit.so
login   session required        pam_permit.so


Thomas

On Thursday 16 June 2005 14:12, you wrote:
> I don't know Freebsd but on Suse there is a line in /etc/ssh/sshd_config
> that says "UsePAM yes"  which has to be uncommented. Also make sure to
> restart sshd and winbind.
>
> romeo
>
> On Thu, 2005-06-16 at 13:41 +0200, Thomas Fazekas wrote:
> > After reading the related chapter in the Samba-3 HOWTO document
> > I've tried to put the AD authentication in place in our network
> > on two systems and I got stuck in exactly the same place.
> > Here are the software configs I was using :
> >
> > Sys 1
> > FreeBSD 4.11 release
> > sshd version OpenSSH_3.5p1 FreeBSD-20030924
> > Samba Version 3.0.10
> >
> > Sys 2
> > FreeBSD 5.4-RELEASE FreeBSD amd64
> > OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004
> > Samba Version 3.0.12
> >
> > I will detail what I did on sys1 (as this one is more urgent  and
> > anyway I did the same things on sys2 with exactly the same
> > outcome)
> >
> > My /etc/smb.conf
> > [global]
> > workgroup = OURDOMAIN
> > # strangely, it doesn't like the realm setting
> > #realm = MISSIONCRITICALIT.COM
> > password server = PASSSWD_SERV_IP
> > security = ADS
> > encrypt passwords = yes
> > server string = My Samba Server
> >
> > # separate domain and username with '\', like DOMAIN\username
> > winbind separator = \\
> > # use uids from 10000 to 20000 for domain users
> > idmap uid = 10000-20000
> > # use gids from 10000 to 20000 for domain groups
> > idmap gid = 10000-20000
> > # allow enumeration of winbind users and groups
> > winbind enum users = yes
> > winbind enum groups = yes
> > # give winbind users a real shell (only needed if they have telnet access)
> > template homedir = /home/winnt/%D%U
> > template shell = /usr/local/bin/bash
> >
> >
> > Then I did
> > sudo net join -UAdministrator
> > After providing the right password the answer was :
> > Joined domain OURDOMAIN.
> >
> > Then I modified the /usr/compat/linux/etc/nsswitch.conf file
> > to look like the following :
> > passwd:     files winbind
> > shadow:     files
> > group:      files winbind
> >
> > After starting winbindd with (-d 3 -i) I can now query the
> > users and groups with :
> > wbinfo -u
> > wbinfo -g
> >
> > Both lists seem to be in concordance with what we got on our W2K PDC.
> >
> > However if I do
> > /usr/compat/linux/usr/bin/getent passwd
> > I get only the local password file content, nothing related to the
> > domain... According to the Samba3 HOWTO this should return me info for
> > users in the domain...
> > What am I doing wrong ?
> >
> > Furthermore I went through this ordeal to allow domain users to
> > authenticate with ssh. So I've modified the /etc/pam.conf file like
> > this (settings for ssh) :
> > sshd    auth    sufficient      pam_skey.so
> > sshd    auth    sufficient      pam_opie.so                     no_fake_prompts
> > #this line is added by me
> > sshd    auth    sufficient      /usr/local/lib/pam_winbind.so
> > #sshd   auth    requisite       pam_opieaccess.so
> > #sshd   auth    sufficient      pam_kerberosIV.so               try_first_pass
> > #sshd   auth    sufficient      pam_krb5.so                     try_first_pass
> > sshd    auth    required        pam_unix.so                     try_first_pass
> > sshd    account required        pam_unix.so
> > #this line is added by me
> > sshd    account sufficient      /usr/local/lib/pam_winbind.so
> > sshd    password required       pam_permit.so
> > sshd    session required        pam_permit.so
> >
> > Now when I try to log in as a domain user via ssh the access is refused
> > and I got this in /var/log/auth.log
> > sshd[1972]: Illegal user usr1 from 10.10.10.201
> > sshd[1972]: Failed unknown for illegal user usr1 from 10.10.10.201 port
> > 55268 ssh2
> >
> > And I get no output at all from winbindd, like the sshd wouldn't even
> > bother to try to authenticate via winbindd...
> >
> > Can anybody help ?
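To make the control-flag semantics behind the quoted sshd stack explicit, here is a small Python model added for this archive page (not code from the thread, Samba or OpenSSH): it parses the quoted /etc/pam.conf entries, walks the auth stack with the sufficient/requisite/required rules, and models sshd's NSS lookup gate, which produces the "Illegal user" log line before any PAM module is called. The module results and the NSS user set are constructed inputs.

```python
"""Model of how PAM walks the sshd stack quoted in this thread (added example)."""

# The sshd entries from the quoted /etc/pam.conf, re-typed without the
# mail wrapping so the parser below has a clean input (constructed sample).
SSHD_PAM_CONF = """
sshd    auth    sufficient      pam_skey.so
sshd    auth    sufficient      pam_opie.so                     no_fake_prompts
sshd    auth    sufficient      /usr/local/lib/pam_winbind.so
sshd    auth    required        pam_unix.so                     try_first_pass
sshd    account required        pam_unix.so
sshd    account sufficient      /usr/local/lib/pam_winbind.so
"""


def parse_pam_conf(text, service, facility):
    """Return [(control, module, args)] for one service/facility, in file order."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if len(fields) >= 4 and fields[0] == service and fields[1] == facility:
            stack.append((fields[2], fields[3], fields[4:]))
    return stack


def run_stack(stack, results):
    """Walk one facility's stack with the classic control flags.
    results maps module name -> True (PAM_SUCCESS) / False; a module absent
    from results counts as failing.  Returns (granted, modules_consulted)."""
    consulted, required_failed = [], False
    for control, module, _args in stack:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "sufficient" and ok and not required_failed:
            return True, consulted       # short-circuit: later modules never run
        if control == "requisite" and not ok:
            return False, consulted      # fail immediately
        if control == "required" and not ok:
            required_failed = True       # remember, but keep walking the stack
    return not required_failed, consulted


def sshd_auth_outcome(user, nss_users, module_results, pam_text=SSHD_PAM_CONF):
    """sshd consults PAM only after the login name resolves through NSS
    (getpwnam); otherwise it logs 'Illegal user' and rejects without calling
    any PAM module, which is why winbindd stays silent for such attempts."""
    if user not in nss_users:
        return False, "Illegal user %s" % user
    granted, consulted = run_stack(parse_pam_conf(pam_text, "sshd", "auth"), module_results)
    return granted, "consulted: " + " ".join(consulted)
```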

