[Samba] ssh authentication with AD

Rowland Penny rowlandpenny241155 at gmail.com
Wed Nov 4 09:29:00 UTC 2015


On 03/11/15 23:17, David Bear wrote:
> This seems to be a common thread on the list, but I'm pulling my hair out and
> have to ask..
>
> I've been following a couple of guides and using AD to authenticate users
> on my linux system. These include the ubuntu guide --
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
> - https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> - https://wiki.samba.org/index.php/Libnss_winbind_links
>
> and others...
>
> I'm using ubuntu 14 with the samba 4.1X packages installed.
>
> Our AD is a Windows AD.
>
> I have succeeded in getting wbinfo -u to return domain users, wbinfo -g to
> return domain groups, getent passwd to return domain users in passwd form,
>   getent group returns domain groups..
>
> I have made certain that libnss-winbind, libpam-cracklib and libpam-winbind
> are installed. They all seem to be
> ii  libpam-cap:amd64                    1:2.24-0ubuntu2
>   amd64        PAM module for implementing capabilities
> ii  libpam-cracklib:amd64               1.1.8-1ubuntu2
>    amd64        PAM module to enable cracklib support
> ii  libpam-modules:amd64                1.1.8-1ubuntu2
>    amd64        Pluggable Authentication Modules for PAM
> ii  libpam-modules-bin                  1.1.8-1ubuntu2
>    amd64        Pluggable Authentication Modules for PAM - helper binaries
> ii  libpam-runtime                      1.1.8-1ubuntu2
>    all          Runtime support for the PAM library
> rc  libpam-smbpass:amd64                2:4.1.6+dfsg-1ubuntu2.14.04.5
>   amd64        pluggable authentication module for Samba
> ii  libpam-systemd:amd64                204-5ubuntu20.15
>    amd64        system and service manager - PAM module
> ii  libpam-winbind:amd64                2:4.1.6+dfsg-1ubuntu2.14.04.9
>   amd64        Windows domain authentication integration plugin
> ii  libpam0g:amd64                      1.1.8-1ubuntu2
>    amd64        Pluggable Authentication Modules library
>
> Trouble is I still cannot ssh in to this box and authenticate with AD
> creds.
>
> Here's the error in the auth.log
> Nov  3 15:49:18 hat sshd[14389]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.10.229  user=ttt
> Nov  3 15:49:18 hat sshd[14389]: pam_succeed_if(sshd:auth): incomplete condition detected
> Nov  3 15:49:19 hat sshd[14389]: Failed password for ttt from 10.1.10.229 port 59317 ssh2
> Nov  3 15:49:46 hat sshd[14389]: pam_succeed_if(sshd:auth): incomplete condition detected
> Nov  3 15:49:48 hat sshd[14389]: Failed password for ttt from 10.1.10.229 port 59317 ssh2
> Nov  3 15:49:50 hat sshd[14389]: Failed password for ttt from 10.1.10.229 port 59317 ssh2
> Nov  3 15:49:50 hat sshd[14389]: Connection closed by 10.1.10.229 [preauth]
> Nov  3 15:49:50 hat sshd[14389]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.10.229  user=ttt
>
> Here's my smb.conf
> [global]
>     netbios name = HAT
>     security = ADS
>     workgroup = HA
>     server string = %h server (Samba, Ubuntu)
>     dedicated keytab file =/etc/krb5.keytab
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     syslog = 0
>     panic action = /usr/share/samba/panic-action %d
> #   idmap uid = 10000-20000
> #   idmap gid = 10000-20000
>     idmap config *:backent = rid
>     idmap config *:range = 5000-100000
>     template shell = /bin/bash
>     winbind allow trusted domains = no
>     winbind trusted domains only = no
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind use default domain = yes
>     winbind refresh tickets = yes
>     template homedir = /home/%U
>     template shell = /bin/bash
> #   client use spnego = yes
>     encrypt passwords = yes
>
> I have successfully created (I think) the keytab file, join the machine to
> the AD -- and I can successfully kinit and authenticate as any AD user.
>
> The bummer is that I cannot successfully log in via ssh using a domain
> credential.
>
> I think the final bit of machine is the pam files -- since this is ubuntu,
> I just modify the common- files so here they are:
> common-account
> # /etc/pam.d/common-account - authorization settings common to all services
> #
> account required                        pam_unix.so broken_shadow
> account sufficient                      pam_localuser.so
> account sufficient                      pam_succeed_if.so  uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account required                        pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> common-auth
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
> auth    required                        pam_env.so
> auth    sufficient                      pam_unix.so  nullok try_first_pass
> auth    requisite                       pam_succeed_if.so uid >=1000 quiet_success
> auth    sufficient                      pam_winbind.so user_first_pass
> auth    required                        pam_deny.so
>
> # /etc/pam.d/common-password - password-related modules common to all
> services
> #
> password        requisite                       pam_cracklib.so try_first_pass retry=3 type=
> password        sufficient                      pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password        sufficient                      pam_winbind.so use_authtok
> password        required                        pam_deny.so
>
> # /etc/pam.d/common-session - session-related modules common to all services
> #
> session optional                        pam_keyinit.so revoke
> session required                        pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required        pam_unix.so
> session optional        pam_systemd.so
> # end of pam-auth-update config
>
> ssh fails --
> If I try to su - ADuser I get a message
> Error in service module..
>
> I'm thinking the error must be in pam -- but need some advice.
>

Evidently you haven't read the guides correctly, your smb.conf is up the 
spout!

Read this: 
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Follow the links and set up your smb.conf correctly, I will give you 
some hints: you have no realm line, you have spelling mistakes, because 
of this you have nowhere to store the builtin users & groups, you have 
nowhere to store your domain users & groups, you do not create the 
keytab - the join does it for you, I could go on.

Rowland
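A small checker for the points the reply above raises, as an added example (this is not Samba or Linux-PAM code, and it is not anything the poster or the responder provided). It parses an smb.conf `[global]` section and reports a missing `realm`, a misspelled idmap option, a default (`*`) idmap domain without backend and range (which is where BUILTIN and other well-known SIDs are mapped), a missing idmap configuration for the joined domain, and overlapping ranges. It also walks a `pam_succeed_if` line the way the module itself consumes its arguments: flag words are skipped wherever they appear, the rest is read in (left, qualifier, right) triples, and any leftover word is the "incomplete condition detected" case seen in the posted auth.log, which the module reports as a service error. The two embedded configs are constructed: the first is a trimmed copy of the posted `[global]` with its typo kept, the second a corrected version in which `EXAMPLE.COM` and both id ranges are placeholders.

```python
"""Lint an smb.conf [global] section and pam_succeed_if lines for the
AD-domain-member pitfalls discussed in this thread. Added example, not
Samba or Linux-PAM project code."""
import re

# Constructed: trimmed copy of the posted [global] section, typo kept on purpose.
SMB_CONF_POSTED = """\
[global]
    netbios name = HAT
    security = ADS
    workgroup = HA
    dedicated keytab file =/etc/krb5.keytab
    idmap config *:backent = rid
    idmap config *:range = 5000-100000
    winbind use default domain = yes
    template shell = /bin/bash
"""

# Constructed corrected version. EXAMPLE.COM and both ranges are placeholders;
# HA is the workgroup from the post.
SMB_CONF_FIXED = """\
[global]
    netbios name = HAT
    security = ADS
    workgroup = HA
    realm = EXAMPLE.COM
    # the join writes this keytab; nothing to create by hand
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    # '*' holds BUILTIN and well-known SIDs; the domain gets its own range
    idmap config *:backend = tdb
    idmap config *:range = 3000-7999
    idmap config HA:backend = rid
    idmap config HA:range = 10000-999999
    winbind use default domain = yes
    template shell = /bin/bash
"""

# idmap options this checker recognises (not the full list Samba accepts)
IDMAP_OPTIONS = {"backend", "range", "schema_mode", "unix_nss_info",
                 "unix_primary_group", "base_rid"}


def parse_global(text):
    """Return {parameter: value} for [global]; parameter names are lower-cased
    with blanks collapsed, since smb.conf ignores case and spacing in names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def check_smb_conf(text):
    """Return a list of findings; an empty list means the member config passes."""
    p = parse_global(text)
    findings = []
    if p.get("security", "").lower() != "ads":
        findings.append("security must be ADS on a domain member")
    if "realm" not in p:
        findings.append("missing 'realm' (the Kerberos realm of the AD domain)")
    if "dedicated keytab file" in p and p.get("kerberos method", "default").lower() \
            not in ("dedicated keytab", "secrets and keytab"):
        findings.append("'dedicated keytab file' is only used when 'kerberos method' "
                        "is 'dedicated keytab' or 'secrets and keytab'")

    idmap = {}  # domain -> {option: value}
    for key, value in p.items():
        m = re.fullmatch(r"idmap config (\S+?)\s*:\s*(.+)", key)
        if not m:
            continue
        domain, option = m.group(1).upper(), m.group(2)
        if option not in IDMAP_OPTIONS:
            findings.append(f"'idmap config {domain}:{option}' is not a known idmap option (typo?)")
            continue
        idmap.setdefault(domain, {})[option] = value

    workgroup = p.get("workgroup", "").upper()
    wanted = [("*", "BUILTIN and well-known SIDs")]
    if workgroup:
        wanted.append((workgroup, f"{workgroup} domain users and groups"))
    else:
        findings.append("missing 'workgroup'")
    for domain, what in wanted:
        opts = idmap.get(domain, {})
        if "backend" not in opts or "range" not in opts:
            findings.append(f"no complete 'idmap config {domain}' (backend and range): "
                            f"{what} have nowhere to be mapped")

    ranges = []
    for domain, opts in idmap.items():
        if "range" in opts:
            try:
                lo, hi = (int(x) for x in opts["range"].split("-"))
                ranges.append((domain, lo, hi))
            except ValueError:
                findings.append(f"'idmap config {domain}:range' must look like LOW-HIGH")
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"idmap ranges for {d1} and {d2} overlap")
    return findings


PAM_SUCCEED_IF_FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}


def check_succeed_if(pam_line):
    """Walk a pam_succeed_if line as the module does: flag words are skipped
    wherever they appear, the remaining words are consumed in (left, qualifier,
    right) triples. Returns (conditions, leftover); a non-empty leftover is the
    'incomplete condition detected' case, so 'uid >=1000' (two words) tests
    nothing and fails the stack with a service error."""
    words = pam_line.split()
    if "pam_succeed_if.so" not in words:
        raise ValueError("not a pam_succeed_if line")
    args = [w for w in words[words.index("pam_succeed_if.so") + 1:]
            if w not in PAM_SUCCEED_IF_FLAGS]
    full = len(args) - len(args) % 3
    return [tuple(args[i:i + 3]) for i in range(0, full, 3)], args[full:]


if __name__ == "__main__":
    for name, conf in (("posted", SMB_CONF_POSTED), ("fixed", SMB_CONF_FIXED)):
        print(name, check_smb_conf(conf) or "ok")
    print(check_succeed_if("auth requisite pam_succeed_if.so uid >=1000 quiet_success"))
    print(check_succeed_if("auth requisite pam_succeed_if.so uid >= 1000 quiet_success"))
```

Running it prints the findings for the posted section (no realm, the misspelled `backent`, no `idmap config HA`, and a dedicated keytab file that is never consulted without a matching `kerberos method`) and `ok` for the corrected one; the two `pam_succeed_if` calls show `uid >=1000` leaving two unconsumed words while `uid >= 1000` parses as one complete condition.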
