[Samba] Fwd: Allow Samba4/AD group "MYDOM\Domain Admins" to login through SSH on linux

Micro MEGAS micromegas at mail333.com
Mon Oct 20 17:08:52 MDT 2014


Hi,

For several linux servers on our network we want to allow the AD domain group called "MYDOM\Domain Admins" to login through ssh with their AD credentials. Our DC1 and DC2 are running on Debian 64bit using Samba 4.1.12/Sernet.

I'm kinda confused about what exactly I need for this. Do I need to set up PAM authentication as explained in the tutorial here? (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Setting_up_PAM_authentication) I tried that. I didn't create the symlink shown in the tutorial (ln -s /usr/local/samba/lib/security/pam_winbind.so /lib64/security/), because I realized that I have a file called "root@membersrv1:/lib/x86_64-linux-gnu/security/pam_winbind.so" which I think comes from the Sernet Samba 4.1.12 package (please correct me if I'm wrong). Then I tried to modify "/etc/pam.d/sshd" according to the tutorial; this is how my "/etc/pam.d/sshd" looked afterwards:
=============================================================================
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale
auth        sufficient    pam_winbind.so use_first_pass
# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
password    sufficient    pam_winbind.so use_authtok
=============================================================================

As you can see, I have just inserted those three lines. Then I ran "service sernet-samba-winbindd restart && service ssh restart" on that member server, and I also modified "/etc/ssh/sshd_config" and uncommented the line "PasswordAuthentication yes" to be sure I wasn't missing anything. Then I restarted the ssh daemon, too. Unfortunately I cannot log in through ssh to that member server, although I provide the correct credentials for the user. I tried the following combinations as login:

username=testuser1, password=test1test1
username=MYDOM\testuser1, password=test1test1
username=MYDOM\\testuser1,password=test1test1

I am sure that the password is correct.

I think the file I modified is not the correct one, or maybe I used the wrong order of lines, because my /etc/pam.d/sshd looks quite different from the one provided in the wiki. So I modified "/etc/pam.d/sshd" again to revert the changes: I commented out the three lines so they are not active any more, because I think that was the wrong way for my Debian Wheezy 64bit GNU/Linux distribution. Instead, some other files drew my attention ...

I edited "/etc/pam.d/common-account" and added at the end of the file the desired line like this:
[...]
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
account [default=bad success=ok user_unknown=ignore] pam_winbind.so

Then I edited "/etc/pam.d/common-auth" and added at the end the corresponding line like this:
[...]
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
auth    sufficient                      pam_winbind.so use_first_pass

Then I edited "/etc/pam.d/common-password" and added at the end the corresponding line like this:
[...]
password        sufficient                      pam_winbind.so use_authtok

I restarted the "sernet-samba-winbindd" and "ssh" daemons, but I still cannot log in through SSH with the "testuser1" credentials. The file "/var/log/auth.log" outputs the following errors while I try to log in through ssh as testuser1:
Oct 21 01:04:59 membersrv1 sshd[2915]: pam_winbind(sshd:auth): getting password (0x00000010)
Oct 21 01:04:59 membersrv1 sshd[2915]: pam_winbind(sshd:auth): Could not retrieve user's password
Oct 21 01:04:59 membersrv1 sshd[2915]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.123  user=testuser1
Oct 21 01:05:01 membersrv1 sshd[2915]: Failed password for testuser1 from 192.168.0.123 port 18337 ssh2
Oct 21 01:05:12 membersrv1 sshd[2915]: Connection closed by 192.168.0.123 [preauth]

I want to add that I can "su - testuser1" correctly on that member server: the user "testuser1" has a valid login shell and the "su - testuser1" login worked fine.
Also, "testuser1" is correctly shown by winbind on that member server, see output below:
===========================================================================
# getent passwd testuser1
testuser1:*:10003:10000:Test User 1:/home/MYDOM/testuser1:/bin/bash

# id testuser1
uid=10003(testuser1) gid=10000(domain users) groups=10000(domain users),70002(BUILTIN\users)

# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

# kinit testuser1@MYDOM.EXAMPLE.COM
Password for testuser1@MYDOM.EXAMPLE.COM:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser1@MYDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
21.10.2014 00:18:58  21.10.2014 10:18:58  krbtgt/MYDOM.EXAMPLE.COM@MYDOM.EXAMPLE.COM
        renew until 22.10.2014 00:18:56
===========================================================================

So I am sure that the password supplied for testuser1 was correct, because "kinit" did succeed as you can see. Now I am stuck here, and I am quite unsure if that's even the correct way.
I also found the tutorial here (https://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Secure_passwordless_SSH) which explains a completely different way. What exactly do I need? PAM_WINBIND authentication or Kerberos, or maybe even both? Someone else also told me that I should use sssd for that, but I don't think I want to completely build a new configuration for my member server, because my member server was configured with the ad backend according to the tutorial (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server). Please, any help appreciated.

Thanks a lot in advance.

Mirco
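The post above shows two pam_winbind placements and an auth.log line reading "Could not retrieve user's password". Per pam_winbind(8), `use_first_pass` makes the module fail when no earlier module in the stack has already stored a password, whereas `try_first_pass` prompts if none is available; and on Debian's default common-auth, a line appended after `requisite pam_deny.so` is never reached for a user that pam_unix rejects. The following checker is an added example, not code from the post or from the Samba project: it parses PAM service files (following `@include`), lists the `auth` stack in order, flags both ordering problems, and matches the log message from the post against them. The three PAM files are constructed samples modelled on the Debian layout in the post; the "fixed" layout is an assumption about a working arrangement (winbind before pam_deny, with `try_first_pass`), not a statement of what solved the poster's case.

```python
"""Static check of a PAM 'auth' stack for pam_winbind ordering problems.
Added example; the PAM files below are constructed samples, not real files."""
import re
from typing import Dict, List, Tuple

# Constructed sample files, keyed by their name under /etc/pam.d (hypothetical content).
FILES: Dict[str, str] = {
    # Shape of the post's first attempt: pam_winbind inserted before common-auth.
    "sshd": """
auth       required     pam_env.so
auth       sufficient   pam_winbind.so use_first_pass
@include common-auth
""",
    # Shape of the second attempt: Debian's default common-auth with pam_winbind appended.
    "common-auth": """
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    sufficient                      pam_winbind.so use_first_pass
""",
    # Assumed working layout: winbind sits before pam_deny and uses try_first_pass.
    "common-auth-fixed": """
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
""",
}

Entry = Tuple[str, str, str, List[str]]   # (type, control, module, args)
# type, control ("required" or a "[...]" field with spaces), module, remaining args
LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_stack(files: Dict[str, str], name: str, mtype: str = "auth",
                depth: int = 0) -> List[Entry]:
    """Return the ordered entries of one module type, following @include lines."""
    entries: List[Entry] = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            if depth < 8:                       # guard against include loops
                entries += parse_stack(files, line.split()[1], mtype, depth + 1)
            continue
        m = LINE.match(line)
        if m and m.group(1) == mtype:
            kind, ctl, mod, args = m.groups()
            entries.append((kind, ctl, mod, args.split()))
    return entries


def audit_winbind(stack: List[Entry]) -> List[str]:
    """Flag pam_winbind lines that cannot succeed for a domain user."""
    findings: List[str] = []
    have_password = False   # has an earlier module already prompted for a password?
    after_deny = False      # are we past a 'requisite pam_deny.so'?
    for i, (_, ctl, mod, args) in enumerate(stack):
        if mod == "pam_winbind.so":
            if "use_first_pass" in args and not have_password:
                findings.append(f"entry {i}: use_first_pass but no earlier module collected a "
                                "password; pam_winbind logs 'Could not retrieve user's password' "
                                "(use try_first_pass or place it after pam_unix)")
            if after_deny:
                findings.append(f"entry {i}: placed after 'requisite pam_deny.so'; when pam_unix "
                                "rejects a domain user the stack ends at pam_deny, so this line "
                                "is never reached")
        if mod in ("pam_unix.so", "pam_winbind.so") and "use_first_pass" not in args:
            have_password = True                # this module prompts and stores PAM_AUTHTOK
        if mod == "pam_deny.so" and ctl == "requisite":
            after_deny = True
    return findings


# The auth.log lines quoted in the post, used to tie the log to the findings.
LOG_LINES = [
    "Oct 21 01:04:59 membersrv1 sshd[2915]: pam_winbind(sshd:auth): getting password (0x00000010)",
    "Oct 21 01:04:59 membersrv1 sshd[2915]: pam_winbind(sshd:auth): Could not retrieve user's password",
    "Oct 21 01:05:01 membersrv1 sshd[2915]: Failed password for testuser1 from 192.168.0.123 port 18337 ssh2",
]
PAM_MSG = re.compile(r"pam_winbind\((\w+):auth\): (.+)$")
HINTS = {"Could not retrieve user's password":
         "use_first_pass with no password stored in the stack yet"}


def classify_auth_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (service, hint) for each pam_winbind log line with a known cause."""
    return [(m.group(1), HINTS[m.group(2)])
            for m in map(PAM_MSG.search, lines) if m and m.group(2) in HINTS]


if __name__ == "__main__":
    for svc in ("sshd", "common-auth", "common-auth-fixed"):
        print(svc, audit_winbind(parse_stack(FILES, svc)) or ["ok"])
    print(classify_auth_log(LOG_LINES))
```

Run against a real host by loading the contents of /etc/pam.d into the `FILES` dict; `parse_stack(FILES, "sshd")` then gives the exact order in which modules run for SSH logins, which is what `pam_winbind(sshd:auth)` messages in auth.log should be read against.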

