[Samba] ssh authentication with AD

L.P.H. van Belle belle at bazuin.nl
Wed Nov 4 07:52:00 UTC 2015


Ok, do the following.

Remove all your modifications from pam so it's back to original.

apt-get install krb5-ssh
restart ssh, try again.
Still not working?

Now try to correct pam.
Type: pam-auth-update
Select kerberos, winbind and unix (and keep the other defaults as they are).

Type: id username
Do you see a correct shell and a correct, existing homedir?
If not, you missed the setting in Windows, or set them in your smb.conf.

Now try again to login.


Greets, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of David Bear
> Sent: Wednesday 4 November 2015 0:18
> To: samba
> Subject: [Samba] ssh authentication with AD
> 
> This seems to be a common thread on the list, but I'm pulling my hair out
> and have to ask..
> 
> I've been following a couple of guides and using AD to authenticate users
> on my linux system. These include the ubuntu guide --
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
> - https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> - https://wiki.samba.org/index.php/Libnss_winbind_links
> 
> and others...
> 
> I'm using ubuntu 14 with the samba 4.1X packages installed.
> 
> Our AD is a Windows AD.
> 
> I have succeeded in getting wbinfo -u to return domain users, wbinfo -g to
> return domain groups, getent passwd to return domain users in passwd form,
>  getent group returns domain groups..
> 
> I have made certain that libnss-winbind, libpam-cracklib and libpam-winbind
> are installed. They all seem to be:
> ii  libpam-cap:amd64        1:2.24-0ubuntu2                 amd64  PAM module for implementing capabilities
> ii  libpam-cracklib:amd64   1.1.8-1ubuntu2                  amd64  PAM module to enable cracklib support
> ii  libpam-modules:amd64    1.1.8-1ubuntu2                  amd64  Pluggable Authentication Modules for PAM
> ii  libpam-modules-bin      1.1.8-1ubuntu2                  amd64  Pluggable Authentication Modules for PAM - helper binaries
> ii  libpam-runtime          1.1.8-1ubuntu2                  all    Runtime support for the PAM library
> rc  libpam-smbpass:amd64    2:4.1.6+dfsg-1ubuntu2.14.04.5   amd64  pluggable authentication module for Samba
> ii  libpam-systemd:amd64    204-5ubuntu20.15                amd64  system and service manager - PAM module
> ii  libpam-winbind:amd64    2:4.1.6+dfsg-1ubuntu2.14.04.9   amd64  Windows domain authentication integration plugin
> ii  libpam0g:amd64          1.1.8-1ubuntu2                  amd64  Pluggable Authentication Modules library
> 
> Trouble is I still cannot ssh in to this box and authenticate with AD creds.
> 
> Here's the error in the auth.log:
> Nov  3 15:49:18 hat sshd[14389]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.10.229  user=ttt
> Nov  3 15:49:18 hat sshd[14389]: pam_succeed_if(sshd:auth): incomplete condition detected
> Nov  3 15:49:19 hat sshd[14389]: Failed password for ttt from 10.1.10.229 port 59317 ssh2
> Nov  3 15:49:46 hat sshd[14389]: pam_succeed_if(sshd:auth): incomplete condition detected
> Nov  3 15:49:48 hat sshd[14389]: Failed password for ttt from 10.1.10.229 port 59317 ssh2
> Nov  3 15:49:50 hat sshd[14389]: Failed password for ttt from 10.1.10.229 port 59317 ssh2
> Nov  3 15:49:50 hat sshd[14389]: Connection closed by 10.1.10.229 [preauth]
> Nov  3 15:49:50 hat sshd[14389]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.10.229  user=ttt
> 
> Here's my smb.conf:
> [global]
>    netbios name = HAT
>    security = ADS
>    workgroup = HA
>    server string = %h server (Samba, Ubuntu)
>    dedicated keytab file = /etc/krb5.keytab
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
> #   idmap uid = 10000-20000
> #   idmap gid = 10000-20000
>    idmap config *:backend = rid
>    idmap config *:range = 5000-100000
>    template shell = /bin/bash
>    winbind allow trusted domains = no
>    winbind trusted domains only = no
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind use default domain = yes
>    winbind refresh tickets = yes
>    template homedir = /home/%U
>    template shell = /bin/bash
> #   client use spnego = yes
>    encrypt passwords = yes
> 
> I have successfully created (I think) the keytab file, joined the machine to
> the AD -- and I can successfully kinit and authenticate as any AD user.
> 
> The bummer is that I cannot successfully log in via ssh using a domain
> credential.
> 
> I think the final bit of the machinery is the pam files -- since this is ubuntu,
> I just modify the common- files, so here they are:
> common-account
> # /etc/pam.d/common-account - authorization settings common to all services
> #
> account required                        pam_unix.so broken_shadow
> account sufficient                      pam_localuser.so
> account sufficient                      pam_succeed_if.so  uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account required                        pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> 
> common-auth
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
> auth    required                        pam_env.so
> auth    sufficient                      pam_unix.so  nullok try_first_pass
> auth    requisite                       pam_succeed_if.so uid >=1000 quiet_success
> auth    sufficient                      pam_winbind.so user_first_pass
> auth    required                        pam_deny.so
> 
> common-password
> # /etc/pam.d/common-password - password-related modules common to all services
> #
> password        requisite                       pam_cracklib.so try_first_pass retry=3 type=
> password        sufficient                      pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password        sufficient                      pam_winbind.so use_authtok
> password        required                        pam_deny.so
> 
> common-session
> # /etc/pam.d/common-session - session-related modules common to all services
> #
> session optional                        pam_keyinit.so revoke
> session required                        pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required        pam_unix.so
> session optional        pam_systemd.so
> # end of pam-auth-update config
> 
> ssh fails --
> If I try to su - ADuser I get the message
> Error in service module..
> 
> I'm thinking the error must be in pam -- but I need some advice.
> 
> 
> 
> 
> 
> 
> --
> David Bear
> mobile: (602) 903-6476
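Two checks a defender can run when walking through the steps in Louis's reply and the PAM files David posted. This is an added example, not code from either poster or from the Samba project. The first function groups pam_succeed_if arguments into field/test/value triples the way pam_succeed_if(8) documents them (three words per condition, with option words such as quiet, quiet_success and use_uid skipped), so a condition left without its value word is reported as incomplete; that grouping is my reading of the man page, and the only input is the common-auth and common-account text from the post. The second function validates a `getent passwd`-style entry the way Louis's "id username" step asks you to, checking the shell against an allowed list and the home directory for existence; the passwd entries, the shell list and the directory lookup are constructed so the script runs offline.

```python
"""Checks for an AD-via-winbind ssh login setup: lint pam_succeed_if
conditions in pam.d text, and validate a domain user's passwd entry."""
import re
from typing import Callable, List, Tuple

# Option words pam_succeed_if accepts alongside conditions (pam_succeed_if(8)).
PAM_SUCCEED_IF_FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}
# Tests the man page documents; each condition is three words: field, test, value.
KNOWN_TESTS = {"<", "<=", "=", "!=", ">", ">=", "=~", "!~", "in", "notin", "ingroup", "notingroup"}
KNOWN_FIELDS = {"user", "uid", "gid", "shell", "home", "ruser", "rhost", "tty", "service"}

# type, control (one word or a [...] block), module, then module arguments
_PAM_LINE = re.compile(r"^\s*(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")


def check_succeed_if_args(args: List[str]) -> List[str]:
    """Walk pam_succeed_if arguments, skipping option words and consuming
    three words per condition; report unknown fields/tests and leftovers."""
    findings: List[str] = []
    field = test = None
    for tok in args:
        if tok in PAM_SUCCEED_IF_FLAGS:
            continue
        if field is None:
            field = tok
        elif test is None:
            test = tok
        else:  # tok is the value word; the triple is complete
            if field not in KNOWN_FIELDS:
                findings.append(f"unknown field '{field}' in '{field} {test} {tok}'")
            if test not in KNOWN_TESTS:
                findings.append(f"unknown test '{test}' in '{field} {test} {tok}'")
            field = test = None
    if field is not None or test is not None:
        leftover = " ".join(t for t in (field, test) if t)
        msg = f"incomplete condition detected: '{leftover}' is missing its value word"
        if test and re.fullmatch(r"[<>=!~]+\S+", test):
            msg += " (operator and value look fused; separate them with a space)"
        findings.append(msg)
    return findings


def check_pam_config(text: str) -> List[Tuple[int, str]]:
    """Scan pam.d-style text; return (line number, finding) pairs."""
    out: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = _PAM_LINE.match(line)
        if not m:
            out.append((lineno, "unparseable PAM line"))
            continue
        if m.group("module").endswith("pam_succeed_if.so"):
            for f in check_succeed_if_args(m.group("args").split()):
                out.append((lineno, f))
    return out


def check_passwd_entry(entry: str, allowed_shells: List[str], isdir: Callable[[str], bool]) -> List[str]:
    """Validate one `getent passwd` entry: numeric uid/gid, a shell from the
    allowed list (what /etc/shells would hold) and an existing home directory.
    `isdir` is injected so the check can run against constructed data."""
    parts = entry.strip().split(":")
    if len(parts) != 7:
        return [f"expected 7 colon-separated fields, got {len(parts)}"]
    _name, _pw, uid, gid, _gecos, home, shell = parts
    problems: List[str] = []
    if not uid.isdigit() or not gid.isdigit():
        problems.append(f"uid/gid not numeric: {uid}/{gid}")
    if shell not in allowed_shells:
        problems.append(f"shell '{shell}' is not an allowed login shell")
    if not home or not isdir(home):
        problems.append(f"home directory '{home}' does not exist")
    return problems


# Lines copied from the common-auth and common-account files in the post.
POSTED_COMMON_AUTH = """\
auth    required                        pam_env.so
auth    sufficient                      pam_unix.so  nullok try_first_pass
auth    requisite                       pam_succeed_if.so uid >=1000 quiet_success
auth    sufficient                      pam_winbind.so user_first_pass
auth    required                        pam_deny.so
"""
POSTED_COMMON_ACCOUNT = """\
account required                        pam_unix.so broken_shadow
account sufficient                      pam_localuser.so
account sufficient                      pam_succeed_if.so  uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required                        pam_permit.so
"""

if __name__ == "__main__":
    for name, text in (("common-auth", POSTED_COMMON_AUTH), ("common-account", POSTED_COMMON_ACCOUNT)):
        for lineno, finding in check_pam_config(text):
            print(f"{name}:{lineno}: {finding}")
    # Constructed passwd entries standing in for `getent passwd <domain user>`;
    # the set below plays the role of the directories that exist on the box.
    existing_dirs = {"/home/ttt"}
    for entry in ("ttt:*:5001:5001::/home/ttt:/bin/bash", "bob:*:5002:5001::/home/bob:/bin/false"):
        print(entry.split(":")[0], check_passwd_entry(entry, ["/bin/bash", "/bin/sh"], existing_dirs.__contains__) or "ok")
```

Run as a script it prints one finding for the common-auth line and nothing for common-account; to check a live machine, feed it the real /etc/pam.d/common-* contents and pass `os.path.isdir` together with the lines of /etc/shells.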