[Samba] FW: Questions about Samba 4

L.P.H. van Belle belle at bazuin.nl
Fri Aug 28 12:53:49 UTC 2015


if ChallengeResponseAuthentication is 'yes', and the PAM authentication policy
for sshd includes pam_unix, password authentication will be allowed through 
the challenge-response mechanism regardless of the value of PasswordAuthentication.

start reading as of : Details on PAM Authentication 

but a good find, maybe Volker can use this info also. 




>-----Oorspronkelijk bericht-----
>Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>Verzonden: vrijdag 28 augustus 2015 14:39
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] FW: Questions about Samba 4
>On 28/08/15 11:48, Volker Lendecke wrote:
>> On Thu, Aug 27, 2015 at 08:17:15AM +0200, L.P.H. van Belle wrote:
>>> This was a test on debian Jessie with sernet samba 4.2.3.
>>> and the test was, "login" with a AD user on ssh.
>>> this worked, fine, but this i noticed later.
>> Currently recompiling with the attached patch. I haven't
>> tested it yet, but I am pretty sure this will fix the issue.
>> For everyone interested, the comment should be pretty
>> self-explaining.
>> Volker
>OK, after reading Volkers patch, I got the feeling that the problem 
>wasn't actually a samba problem, so I went googling.
>If I change these lines in /etc/ssh/sshd_config:
>ChallengeResponseAuthentication no
>#PasswordAuthentication yes
>ChallengeResponseAuthentication yes
>PasswordAuthentication yes
>restart ssh: 'service ssh restart' on Debian wheezy
>Now try and login via ssh:
>root at dc01:~# ssh user3 at
>Password expired.  You must change it now.
>Enter new password:
>Enter it again:
>Warning: Your password will expire in 42 days on Fri Oct  9 
>13:30:25 2015
>Linux debclient 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u3 x86_64
>The programs included with the Debian GNU/Linux system are 
>free software;
>the exact distribution terms for each program are described in the
>individual files in /usr/share/doc/*/copyright.
>Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
>permitted by applicable law.
>Last login: Fri Aug 28 13:23:32 2015 from dc01.example.com
>user3 at debclient:~$
>No spinning winbind PID
>Have I found the cure ?
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list