[Samba] ssh authentication with AD

David Bear dwbear75 at gmail.com
Tue Nov 3 23:17:49 UTC 2015


This seems to be a common thread on the list, but I'm pulling my hair out and have to ask...

I've been following a couple of guides and using AD to authenticate users on my linux system. These include the ubuntu guide --
- https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
- https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
- https://wiki.samba.org/index.php/Libnss_winbind_links

and others...

I'm using ubuntu 14 with the samba 4.1X packages installed.

Our AD is a Windows AD.

I have succeeded in getting wbinfo -u to return domain users, wbinfo -g to return domain groups, getent passwd to return domain users in passwd form, and getent group to return domain groups.

I have made certain that libnss-winbind, libpam-cracklib and libpam-winbind are installed. They all seem to be:
ii  libpam-cap:amd64                    1:2.24-0ubuntu2                     amd64        PAM module for implementing capabilities
ii  libpam-cracklib:amd64               1.1.8-1ubuntu2                      amd64        PAM module to enable cracklib support
ii  libpam-modules:amd64                1.1.8-1ubuntu2                      amd64        Pluggable Authentication Modules for PAM
ii  libpam-modules-bin                  1.1.8-1ubuntu2                      amd64        Pluggable Authentication Modules for PAM - helper binaries
ii  libpam-runtime                      1.1.8-1ubuntu2                      all          Runtime support for the PAM library
rc  libpam-smbpass:amd64                2:4.1.6+dfsg-1ubuntu2.14.04.5       amd64        pluggable authentication module for Samba
ii  libpam-systemd:amd64                204-5ubuntu20.15                    amd64        system and service manager - PAM module
ii  libpam-winbind:amd64                2:4.1.6+dfsg-1ubuntu2.14.04.9       amd64        Windows domain authentication integration plugin
ii  libpam0g:amd64                      1.1.8-1ubuntu2                      amd64        Pluggable Authentication Modules library

Trouble is I still cannot ssh in to this box and authenticate with AD creds.

Here's the error in the auth.log:
Nov  3 15:49:18 hat sshd[14389]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.10.229  user=ttt
Nov  3 15:49:18 hat sshd[14389]: pam_succeed_if(sshd:auth): incomplete condition detected
Nov  3 15:49:19 hat sshd[14389]: Failed password for ttt from 10.1.10.229 port 59317 ssh2
Nov  3 15:49:46 hat sshd[14389]: pam_succeed_if(sshd:auth): incomplete condition detected
Nov  3 15:49:48 hat sshd[14389]: Failed password for ttt from 10.1.10.229 port 59317 ssh2
Nov  3 15:49:50 hat sshd[14389]: Failed password for ttt from 10.1.10.229 port 59317 ssh2
Nov  3 15:49:50 hat sshd[14389]: Connection closed by 10.1.10.229 [preauth]
Nov  3 15:49:50 hat sshd[14389]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.10.229  user=ttt

Here's my smb.conf:
[global]
   netbios name = HAT
   security = ADS
   workgroup = HA
   server string = %h server (Samba, Ubuntu)
   dedicated keytab file =/etc/krb5.keytab
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
#   idmap uid = 10000-20000
#   idmap gid = 10000-20000
   idmap config *:backent = rid
   idmap config *:range = 5000-100000
   template shell = /bin/bash
   winbind allow trusted domains = no
   winbind trusted domains only = no
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind refresh tickets = yes
   template homedir = /home/%U
   template shell = /bin/bash
#   client use spnego = yes
   encrypt passwords = yes

I have successfully created (I think) the keytab file, joined the machine to the AD -- and I can successfully kinit and authenticate as any AD user.

The bummer is that I cannot successfully log in via ssh using a domain credential.

I think the final bit of the machine is the pam files -- since this is ubuntu, I just modify the common- files, so here they are:
common-account
# /etc/pam.d/common-account - authorization settings common to all services
#
account required                        pam_unix.so broken_shadow
account sufficient                      pam_localuser.so
account sufficient                      pam_succeed_if.so  uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)

common-auth
# /etc/pam.d/common-auth - authentication settings common to all services
#
auth    required                        pam_env.so
auth    sufficient                      pam_unix.so  nullok try_first_pass
auth    requisite                       pam_succeed_if.so uid >=1000 quiet_success
auth    sufficient                      pam_winbind.so user_first_pass
auth    required                        pam_deny.so

# /etc/pam.d/common-password - password-related modules common to all services
#
password        requisite                       pam_cracklib.so try_first_pass retry=3 type=
password        sufficient                      pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password        sufficient                      pam_winbind.so use_authtok
password        required                        pam_deny.so

# /etc/pam.d/common-session - session-related modules common to all services
#
session optional                        pam_keyinit.so revoke
session required                        pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required        pam_unix.so
session optional        pam_systemd.so
# end of pam-auth-update config

ssh fails -- and if I try to su - ADuser I get the message:
Error in service module..

I'm thinking the error must be in pam -- but need some advice.

-- 
David Bear
mobile: (602) 903-6476
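
The auth.log above records pam_succeed_if complaining "incomplete condition detected". pam_succeed_if reads each condition as three separate words (field, operator, value) and treats debug, use_uid, quiet, quiet_fail, quiet_success and audit as flags; any words left over once the triples are consumed make it log that message and return PAM_SERVICE_ERR, whose pam_strerror text is exactly the "Error in service module" that su reports. The checker below is an added example, not code from the post or from the Samba or Linux-PAM projects: it parses PAM stack lines (including bracketed controls such as [success=1 default=ignore]) and replays pam_succeed_if's argument walk to flag conditions with too few words or an operator it does not know. The flag and operator lists are taken from pam_succeed_if(8); the sample stack is constructed, modelled on the common-* lines in the post, and it goes slightly beyond the post by also catching unknown operators.

```python
"""Lint the pam_succeed_if conditions in a PAM stack.

Added example, not code from the post or from the Samba/Linux-PAM projects.
pam_succeed_if reads each condition as three separate words (field, operator,
value); the words debug, use_uid, quiet, quiet_fail, quiet_success and audit
are flags and are skipped.  Words left over once the triples are consumed make
the module log "incomplete condition detected" and return PAM_SERVICE_ERR, so a
single missing space ("uid >=1000") is enough to break the stack.
"""
from typing import List, Optional, Tuple

# Flag words and operators as documented in pam_succeed_if(8).
FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}
OPERATORS = {"=", "!=", "<", "<=", ">", ">=", "eq", "ne", "=~", "!~",
             "in", "notin", "ingroup", "notingroup"}

PamLine = Tuple[str, str, str, List[str]]  # (type, control, module, args)


def parse_pam_line(line: str) -> Optional[PamLine]:
    """Split one PAM stack line into (type, control, module, args).

    Blank lines and comments give None.  A bracketed control such as
    [success=1 default=ignore] contains spaces and is reassembled.
    """
    words = line.split("#", 1)[0].split()
    if len(words) < 3:
        return None
    pam_type = words[0]
    if words[1].startswith("["):
        end = 1
        while end < len(words) and not words[end].endswith("]"):
            end += 1
        control = " ".join(words[1:end + 1])
        rest = words[end + 1:]
    else:
        control, rest = words[1], words[2:]
    if not rest:
        return None
    return pam_type, control, rest[0], rest[1:]


def check_succeed_if_args(args: List[str]) -> List[str]:
    """Replay pam_succeed_if's argument walk; return a list of problems."""
    problems: List[str] = []
    triple: List[str] = []
    for word in args:
        if word in FLAGS:          # flags may appear anywhere on the line
            continue
        triple.append(word)
        if len(triple) == 3:
            field, op, value = triple
            if op not in OPERATORS:
                problems.append(f"unknown operator {op!r} in condition "
                                f"{' '.join(triple)!r}")
            triple = []
    if triple:                     # leftover words: the error in the auth.log
        problems.append(f"incomplete condition {' '.join(triple)!r} "
                        "(pam_succeed_if logs 'incomplete condition detected')")
    return problems


def lint_pam_stack(text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) pairs for every pam_succeed_if line."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_pam_line(line)
        if parsed is None or parsed[2] != "pam_succeed_if.so":
            continue
        for problem in check_succeed_if_args(parsed[3]):
            findings.append((lineno, problem))
    return findings


# Constructed sample modelled on the common-* lines in the post; the second
# entry is the common-auth line with the space missing after ">=".
SAMPLE_STACK = """\
account sufficient                      pam_succeed_if.so  uid < 1000 quiet
auth    requisite                       pam_succeed_if.so uid >=1000 quiet_success
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
"""

if __name__ == "__main__":
    for lineno, problem in lint_pam_stack(SAMPLE_STACK):
        print(f"line {lineno}: {problem}")
```

Run against the sample it reports only the auth line, which is the one whose condition has two words instead of three. Because that line is marked requisite, PAM_SERVICE_ERR ends the auth stack before pam_winbind is ever consulted, so the stack fails closed rather than open; a linter like this is cheap to run over /etc/pam.d before a change is rolled out.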