[Samba] ssh authentication with AD
David Bear
dwbear75 at gmail.com
Tue Nov 3 23:17:49 UTC 2015
This seems to be common thread on the list, but I'm pulling my hair out and
have to ask..
I've been following a couple of guides and using AD to authenticate users
on my linux system. These include the ubuntu guide --
https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
- https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
- https://wiki.samba.org/index.php/Libnss_winbind_links
and others...
I'm using ubuntu 14 with the samba 4.1X packages installed.
Our AD is a Windows AD.
I have succeeded in getting wbinfo -u to return domain users, wbinfo -g to
return domain groups, getent passwd to return domain users in passwd form,
getent group returns domain groups..
I have made certain that libnss-winbind, libpam-cracklib and libpam-winbind
are installed. They all seem to be
ii libpam-cap:amd64 1:2.24-0ubuntu2
amd64 PAM module for implementing capabilities
ii libpam-cracklib:amd64 1.1.8-1ubuntu2
amd64 PAM module to enable cracklib support
ii libpam-modules:amd64 1.1.8-1ubuntu2
amd64 Pluggable Authentication Modules for PAM
ii libpam-modules-bin 1.1.8-1ubuntu2
amd64 Pluggable Authentication Modules for PAM - helper binaries
ii libpam-runtime 1.1.8-1ubuntu2
all Runtime support for the PAM library
rc libpam-smbpass:amd64 2:4.1.6+dfsg-1ubuntu2.14.04.5
amd64 pluggable authentication module for Samba
ii libpam-systemd:amd64 204-5ubuntu20.15
amd64 system and service manager - PAM module
ii libpam-winbind:amd64 2:4.1.6+dfsg-1ubuntu2.14.04.9
amd64 Windows domain authentication integration plugin
ii libpam0g:amd64 1.1.8-1ubuntu2
amd64 Pluggable Authentication Modules library
Trouble is ai still cannot ssh in to this box and authenticate with AD
creds.
Here's the error in the auth.log
Nov 3 15:49:18 hat sshd[14389]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.10.229 user=ttt
Nov 3 15:49:18 hat sshd[14389]: pam_succeed_if(sshd:auth): incomplete
condition detected
Nov 3 15:49:19 hat sshd[14389]: Failed password for ttt from 10.1.10.229
port 59317 ssh2
Nov 3 15:49:46 hat sshd[14389]: pam_succeed_if(sshd:auth): incomplete
condition detected
Nov 3 15:49:48 hat sshd[14389]: Failed password for ttt from 10.1.10.229
port 59317 ssh2
Nov 3 15:49:50 hat sshd[14389]: Failed password for ttt from 10.1.10.229
port 59317 ssh2
Nov 3 15:49:50 hat sshd[14389]: Connection closed by 10.1.10.229 [preauth]
Nov 3 15:49:50 hat sshd[14389]: PAM 1 more authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.10.229 user=ttt
Here's my smb.conf
[global]
netbios name = HAT
security = ADS
workgroup = HA
server string = %h server (Samba, Ubuntu)
dedicated keytab file =/etc/krb5.keytab
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
# idmap uid = 10000-20000
# idmap gid = 10000-20000
idmap config *:backent = rid
idmap config *:range = 5000-100000
template shell = /bin/bash
winbind allow trusted domains = no
winbind trusted domains only = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
template homedir = /home/%U
template shell = /bin/bash
# client use spnego = yes
encrypt passwords = yes
I have successfully created (I think) the keytab file, join the machine to
the AD -- and I can successfully kinit and authenticate as any AD user.
The bummer is that I cannot successfully login via ssh using a domain
credential.
I think the final bit of machine is the pam files -- since this is ubuntu,
I just modify the common- files so here they are:
common-account
# /etc/pam.d/common-account - authorization settings common to all services
#
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
common-auth
# /etc/pam.d/common-auth - authentication settings common to all services
#
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >=1000
quiet_success
auth sufficient pam_winbind.so user_first_pass
auth required pam_deny.so
# /etc/pam.d/common-password - password-related modules common to all
services
#
password requisite pam_cracklib.so
try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow
nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
# /etc/pam.d/common-session - session-related modules common to all services
#
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
use_uid
session required pam_unix.so
session optional pam_systemd.so
# end of pam-auth-update config
ssh fails --
If I try to su - ADuser I get a message
Error in service module..
I'm thinking the error must be in pam -- but need some advice.
--
David Bear
mobile: (602) 903-6476
More information about the samba
mailing list