[Samba] ssh + pam_winbind error 'incorrect password or invaid
membership'
jstile
john at stilen.com
Tue May 24 21:42:52 GMT 2005
Everything is working now.
Thank you for all the help!
Don't really know what fixed it, but now it works.
I'm starting to think most problems are fixed by restarting samba and
winbind.
I changed one thing in smb.conf:
From the previous posts:
template homedir = /home/%D/%U
To this:
template homedir = /home/%U
For winbind+pam+sudo this is my /etc/pam.d/sudo
auth sufficient pam_winbind.so
@include common-auth
account sufficient pam_winbind.so
@include common-account
This is my final /etc/pam.d/ssh
auth required pam_listfile.so item=user sense=allow
file=/etc/ssh/pam.sshd onerr=fail
auth sufficient pam_winbind.so
auth required pam_nologin.so
auth required pam_env.so # [1]
@include common-auth
account sufficient pam_winbind.so
@include common-account
session required pam_mkhomedir.so skel=/etc/skel umask=0022
@include common-session
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
@include common-password
On Mon, 2005-05-23 at 20:39 -0700, jstile wrote:
> I got a little farther.
>
> After creating the home directory , /home/MS/johns
> And fixing the path to the default shell,
> I can ssh in with:
> ssh 192.168.60.189 -l MS\+johns
> But not with this:
> ssh 192.168.60.189 -l johns
> My smb.conf definitely has:
> winbind use default domain = Yes
>
> How can I make ssh work with the short user name?
>
> On Fri, 2005-05-20 at 14:27 -0700, jstile wrote:
> > Configuration:
> > Samba 3.0.14a-1 (on debian 3.1) + winbind 3.0.14a-1 + krb5-user 1.3.6-2
> >
> > I need help debugging pam_winbind.so in /etc/pam.d/ssh on debian.
> >
> > Samba is a member of an AD domain, authenticating access to shares via
> > winbind+nsswitch.conf. Authentication to shares works great. Now I
> > want winbind to authenticate ssh users as a pam module and it's failing.
> > Below I show the output of an ssh attempt with the auth.log and winbind
> > (in debug 3). If you see any problems with the configs/logs below, our
> > you need any other confgs/logs, please let me know. Thank you very
> > much.
> >
> > No problem with any of the following tests:
> > smbd -b |egrep 'KRB|LDAP' # Shows Samba has needed Libs.
> > wbinfo -u # Shows winbind is doing lookups from ADS
> > johns
> > wbinfo -g # Shows winbind is doing lookups from ADS
> > getent passwd # Shows nsswitch is correct, to resolve
> > ADSusers.
> > johns:x:10000:10000:John Stile:/home/MS/johns:/usr/local/bin/bash
> > getent group # Shows nsswitch is correct, to resolve ADS
> > groups.
> > net ads info # Show AD info
> > LDAP server: 192.168.50.42
> > LDAP server name: stan
> > Realm: MS.STILEN.COM
> > Bind Path: dc=MS,dc=STILEN,dc=COM
> > LDAP port: 389
> > Server time: Fri, 20 May 2005 21:15:29 GMT
> > KDC server: 192.168.50.42
> > Server time offset: 0
> > net ads join -Ujohns%passwd # Joined the domain
> > net ads testjoin # Shows join is ok
> > wbinfo -a johns%password # Test if winbind can authenticate
> > plaintext password authentication succeeded
> > challenge/response password authentication succeeded
> > kinit johns # Test kerberose authentication
> > Password for johns at MS.STILEN.COM:
> > <ends without any response>
> > smbclient -L localhost -U ms\\johns%password # list shares using
> > passwd
> >
> > Configuration:
> > Samba 3.0.14a-1 (on debian 3.1) + winbind 3.0.14a-1 + krb5-user 1.3.6-2
> >
> > Ran winbind in debug mode during a ssh attempt
> > winbindd -d 3 -i
> > [ 3195]: request interface version
> > [ 3195]: request location of privileged pipe
> > [ 3195]: pam auth johns
> > cm_get_ipc_userpass: No auth-user defined
> > Doing spnego session setup (blob length=105)
> > got OID=1 2 840 48018 1 2 2
> > got OID=1 2 840 113554 1 2 2
> > got OID=1 2 840 113554 1 2 2 3
> > got OID=1 3 6 1 4 1 311 2 2 10
> > got principal=stan$@MS.STILEN.COM
> > Doing kerberos session setup
> > Ticket in ccache[MEMORY:cliconnect] expiration Sat, 21 May 2005 06:58:43 GMT
> > Plain-text authentication for user johns returned NT_STATUS_WRONG_PASSWORD (PAM: 7)
> > ---------------------------------
> > Authlog
> > ==> /var/log/auth.log <==
> > May 20 20:58:31 localhost sshd[3195]: Illegal user johns from ::ffff:192.168.60.161
> > May 20 20:58:43 localhost pam_winbind[3195]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
> > May 20 20:58:43 localhost pam_winbind[3195]: user `johns' denied access (incorrect password or invalid membership)
> > ---------------------------------
> > Only added the winbind stuff to default debian /etc/pam.d/ssh
> > # PAM configuration for the Secure Shell service
> > auth sufficient pam_winbind.so
> > auth required pam_nologin.so
> > auth required pam_env.so # [1]
> > @include common-auth
> > account sufficient pam_winbind.so
> > @include common-account
> > session required pam_mkhomedir.so skel=/etc/skel umask=0022
> > @include common-session
> > session optional pam_motd.so # [1]
> > session optional pam_mail.so standard noenv # [1]
> > session required pam_limits.so
> > @include common-password
> > ---------------------------------
> > [global]
> > realm = MS.STILEN.COM
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > template homedir = /home/%D/%U
> > template shell = /usr/local/bin/bash
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind nested groups = Yes
> > winbind use default domain = Yes
> > winbind separator = +
> > workgroup = MS
> > security = ADS
> > password server = stan.ms.stilen.com
> > wins support = yes
> > wins server = stan.ms.stilen.com
> > server string = %h server (Samba %v)
> > dns proxy = no
> > ldap ssl = no
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > syslog = 0
> > panic action = /usr/share/samba/panic-action %d
> > encrypt passwords = true
> > passdb backend = tdbsam guest
> > obey pam restrictions = no
> > invalid users = root Debian-exim daemon bin sys adm lp listen noaccess www-data
> > passwd program = /usr/bin/passwd %u
> > passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> > load printers = no
> > ---------------------------------
> > /etc/resolv.conf
> > search ms.stilen.com
> > ---------------------------------
> >
>
More information about the samba
mailing list