[Samba] OpenSSH auth in SAMBA4 LDAP

Marc Muehlfeld samba at marc-muehlfeld.de
Mon Aug 26 11:09:16 MDT 2013


On 26.08.2013 16:11, Bruno Vane wrote:
> Marc, sorry to bother you with this, but I cannot access an SSH server
> using these settings.
> Could you take a look, if you have time, to find out if my settings are wrong?
>
> When I do a "ssh -l nslcd-connect" (or any other user) to the server, I
> got this in /var/log/auth.log:
>
> Aug 26 11:09:14 ldap sshd[4642]: Invalid user nslcd-connect from MY_MACHINE
> Aug 26 11:09:14 ldap sshd[4642]: input_userauth_request: invalid user
> nslcd-connect [preauth]
> Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): check pass; user
> unknown
> Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_FQDN
> Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't
> contact LDAP server
> Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: reconnecting to LDAP server...
> Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't
> contact LDAP server
> Aug 26 11:09:23 ldap sshd[4642]: Failed password for invalid user
> nslcd-connect from MY_MACHINE port 51004 ssh2
> Aug 26 11:09:25 ldap sshd[4642]: Connection closed by MY_MACHINE [preauth]

You don't connect with the "nslcd-connect" account via ssh to the 
server. Each user connects with his/her domain account.

You need this account (nslcd-connect) in your AD, to allow nslcd to 
connect to your directory (you can give it any name you want, of 
course), because Samba/AD doesn't allow anonymous bind.

These are the steps you do:
- Create a new account (I named it nslcd-connect) in your AD
- Put the account's DN + password in your nslcd.conf
- Restart nslcd.conf
- Add "ldap" to the following three lines in your /etc/nsswitch.conf 
(sorry. I forgot this in my previous post):
   passwd:     files ldap
   shadow:     files ldap
   group:      files ldap
- Now you should be able to see all accounts (the local and domain 
accounts), when you type
   # getent passwd
- If you don't see the domain accounts, add "acl:search = no" to the 
[global] section of your smb.conf and restart Samba. (Workaround for bug 
#9788)
- If there's nothing else preventing it (missing home, missing keyfile, 
etc.), you should now be able to log in via ssh by
   # ssh -l {domainusername} {entryservername}
   The domainusername is the attribute that is mapped in nslcd.conf to 
uid (if you use my nslcd.conf example, the domainusername is what stands 
in the AD attribute sAMAccountName).

> ============> This is my samba4 server LDAP test:
> root at samba:~# ldapsearch -U nslcd-connect -h localhost -b
> DC=corporativo,DC=mydomain,DC=net "cn=nslcd-connect" distinguishedName

If you let ldapsearch search for all attributes mentioned in nslcd.conf 
(sAMAccountName, unixHomeDirectory, etc.) and you don't get a result for 
all of them, you need the workaround for bug #9788 (see above) or these 
attributes are not filled in AD.

I'm currently still working on a HowTo about sssd, nslcd and winbind, 
which would contain all this in much more detail. But I have had too 
little time so far to finish it. Maybe next week it will be done and 
published in the Wiki.

Regards,
Marc
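As an added example (my own, not code from the post or from Samba), a POSIX shell script that checks the three things Marc's steps turn on: nsswitch.conf listing ldap for passwd/shadow/group, the account resolving in getent-style output (an account NSS cannot resolve is what produces sshd's "Invalid user" line in the quoted log), and an ldapsearch result carrying the attributes nslcd maps. The required-attribute list, file names and sample contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the post or from Samba: checks for the
# nslcd/nsswitch steps in the reply above. The attribute list, file names
# and sample contents below are assumptions constructed for illustration.

# Attributes nslcd needs to build a POSIX account (assumed mapping: uid ->
# sAMAccountName plus the RFC2307 fields; adjust to your nslcd.conf).
REQUIRED_ATTRS="sAMAccountName uidNumber gidNumber unixHomeDirectory loginShell"

# Returns 0 if the passwd, shadow and group lines of the nsswitch.conf given
# as $1 all list "ldap" as a source (text after '#' is ignored), else 1.
nsswitch_has_ldap() {
    for db in passwd shadow group; do
        grep -Eq "^[[:space:]]*${db}:[^#]*[[:space:]]ldap([[:space:]]|$)" "$1" || return 1
    done
    return 0
}

# Returns 0 if user $1 appears in the getent-style passwd dump $2. When NSS
# cannot resolve the account, sshd logs "Invalid user" as in the quoted log.
user_in_passwd() {
    grep -q "^$1:" "$2"
}

# Returns 0 if the LDIF result $1 (e.g. from ldapsearch) carries every
# attribute in REQUIRED_ATTRS; otherwise prints the missing ones and returns 1.
# A missing attribute means the AD entry is not filled in, or that the
# "acl:search = no" workaround for bug #9788 is needed.
ldif_has_required_attrs() {
    missing=""
    for attr in $REQUIRED_ATTRS; do
        grep -Eiq "^${attr}:" "$1" || missing="$missing $attr"
    done
    [ -z "$missing" ] && return 0
    echo "missing attributes:$missing"
    return 1
}

# --- constructed sample inputs (not real system files) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
GOOD_NSS="$TMP/nsswitch.good"
BAD_NSS="$TMP/nsswitch.bad"
PASSWD_DUMP="$TMP/getent.passwd"
GOOD_LDIF="$TMP/jdoe.good.ldif"
BAD_LDIF="$TMP/jdoe.bad.ldif"

printf 'passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\nhosts:      files dns\n' > "$GOOD_NSS"
# ldap missing on passwd, and only commented out on group
printf 'passwd:     files\nshadow:     files ldap\ngroup:      files # ldap\n' > "$BAD_NSS"
printf 'root:x:0:0:root:/root:/bin/bash\njdoe:*:10001:10000:John Doe:/home/jdoe:/bin/bash\n' > "$PASSWD_DUMP"
printf 'dn: CN=jdoe,CN=Users,DC=example,DC=test\nsAMAccountName: jdoe\nuidNumber: 10001\ngidNumber: 10000\nunixHomeDirectory: /home/jdoe\nloginShell: /bin/bash\n' > "$GOOD_LDIF"
# entry without RFC2307 attributes: nslcd cannot map it to a POSIX account
printf 'dn: CN=jdoe,CN=Users,DC=example,DC=test\nsAMAccountName: jdoe\n' > "$BAD_LDIF"

# On a real host, point these at /etc/nsswitch.conf, the output of
# "getent passwd", and the output of ldapsearch for the user's entry.
for f in "$GOOD_NSS" "$BAD_NSS"; do
    if nsswitch_has_ldap "$f"; then echo "$f: ldap enabled for passwd/shadow/group"
    else echo "$f: ldap missing from passwd, shadow or group"; fi
done
if user_in_passwd jdoe "$PASSWD_DUMP"; then echo "jdoe: resolvable via NSS"; fi
if ! user_in_passwd nslcd-connect "$PASSWD_DUMP"; then echo "nslcd-connect: not a POSIX account (bind account only)"; fi
for f in "$GOOD_LDIF" "$BAD_LDIF"; do
    if ldif_has_required_attrs "$f"; then echo "$f: all attributes present"; fi
done
```

The bind account (nslcd-connect) only needs to exist in AD for nslcd to bind; it does not need RFC2307 attributes and is not expected to show up in getent or to log in via ssh, which is why the script treats its absence from the passwd dump as the normal case.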

