[Samba] Fwd: Allow Samba4/AD group "MY­DOM\Domain Admins" to log­in through SSH on linux

?icro MEGAS micromegas at mail333.com
Mon Oct 20 17:08:52 MDT 2014


For several linux server on our network we want to allow the AD domain group called "MYDOM\Domain Admins" to login through ssh with their AD credentials. Our DC1 and DC2 are running on Debian 64bit using Samba 4.1.12/Sernet.

I'm kinda confused, what exactly I need therefore. Do I need to setup a PAM_authentication as explained on that tutorial here? (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Setting_up_PAM_authentication) I tried that. I didn't create the symlink as shown on the tutorial (ln -s /usr/local/samba/lib/security/pam_winbind.so /lib64/security/), because I realized that I have a file called "root at membersrv1:/lib/x86_64-linux-gnu/security/pam_winbind.so" which I think comes from the Sernet Samba 4.1.12 package (please correct me if I'm wrong). Then I tried to modify the "/etc/pam.d/sshd" according the tutorial, that's how my "/etc/pam.d/sshd" looked like afterwards:
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale
auth        sufficient    pam_winbind.so use_first_pass
# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
password    sufficient    pam_winbind.so use_authtok

As you see, I have just inserted the particular three lines. Then I did "service sernet-samba-winbindd restart && service ssh restart" on that member server, and I also modified "/etc/ssh/sshd_config" and uncommented the line "PasswordAuthentication yes" to be sure I am not missing anything. Then I restarted ssh daemon, too. Unfortunately I cannot login through ssh onto that member server, although I provide the correct credentials for the user. I tried following combinations as login:

username=testuser1, password=test1test1
username=MYDOM\testuser1, password=test1test1

I am sure that the password is correct.

In my thoughts the file I did modify is not the correct filename or maybe I used a wrong order in the lines. Because my /etc/pam.d/sshd looks quite different than that provided in the wiki. In the following I modified "/etc/pam.d/sshd" again to make the changes back. I commented the three lines, so they are not active any more because I think that was the wrong way for my Debian Wheezy 64bit GNU/Linux distribution. Instead, some other files draw my attention ...

I edited "/etc/pam.d/common-account" and added at the end of the file the desired line like this:
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
account [default=bad success=ok user_unknown=ignore] pam_winbind.so

Then I edited "/etc/pam.d/common-auth" and added at the end the corresponding line like this:
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
auth    sufficient                      pam_winbind.so use_first_pass

Then I edited "/etc/pam.d/common-password" and added at the end the corresponding line like this:
password        sufficient                      pam_winbind.so use_authtok

I restarted "sernet-samba-winbindd" and "ssh" daemon but I still cannot login through SSH with "testuser1" credentials. the file "/var/log/auth.log" outputs following errors, while I try to login through ssh with that testuser1:
Oct 21 01:04:59 membersrv1 sshd[2915]: pam_winbind(sshd:auth): getting password (0x00000010)
Oct 21 01:04:59 membersrv1 sshd[2915]: pam_winbind(sshd:auth): Could not retrieve user's password
 21 01:04:59 membersrv1 sshd[2915]: pam_unix(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  
Oct 21 01:05:01 membersrv1 sshd[2915]: Failed password for testuser1 from port 18337 ssh2
Oct 21 01:05:12 membersrv1 sshd[2915]: Connection closed by [preauth]

I want o add, that I can "su - testuser1" correctly on that member server, the user "testuser1" has a valid login shell and the "su - testuser1" login worked fine.
Also "testuser1" is correctly shown by winbind on that memberserver, see output below:
# getent passwd testuser1
testuser1:*:10003:10000:Test User 1:/home/MYDOM/testuser1:/bin/bash

# id testuser1
uid=10003(testuser1) gid=10000(domain users) groups=10000(domain users),70002(BUILTIN\users)

# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

# kinit testuser1 at MYDOM.EXAMPLE.COM
Password for testuser1 at MYDOM.EXAMPLE.COM:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser1 at MYDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
21.10.2014 00:18:58  21.10.2014 10:18:58  krbtgt/MYDOM.EXAMPLE.COM at MYDOM.EXAMPLE.COM
        renew until 22.10.2014 00:18:56

So I am sure that the password supplied for testuser1 was correct, because "kinit" did succeed as you can see. Now I am stuck here and I am quite unsure if that's even the correct way?
I did also find that tutorial here (https://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Secure_passwordless_SSH) which is explaining a completely other way. What exactly do I need? PAM_WINBIND authentication or Kerberos, or maybe even both ? Someone else told me also that I should use sssd for that, but I don't think I want to completely build a new configuration for my member server, because my member server was configured with ad backend according the tutorial (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server). Please, any help appreciated.

Thanks a lot in advance.


More information about the samba mailing list