[Samba] ssh authentication with AD

David Bear dwbear75 at gmail.com
Wed Nov 4 23:33:33 UTC 2015


Thanks for the pointers Oliver --

Rowland, I did review the smb.conf file -- found the typos you alluded to,
and here is the current version:
#======================= Global Settings =======================

[global]
   netbios name = HAT
   security = ADS
   realm = HA.EDU
   workgroup = HA
   server string = HATServer
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   idmap config *:backend = tdb
   idmap config *:range = 5000-9999
   idmap config HA:backend = rid
   idmap config HA:range = 10000-100000
   template shell = /bin/bash
   winbind nss info = template
   winbind allow trusted domains = no
   winbind trusted domains only = no
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind refresh tickets = yes
   template homedir = /home/%U
   template shell = /bin/bash
   encrypt passwords = yes

--------------------------

This configuration did not allow me yet to ssh in to the system. However, I
re-ran pam-auth-update and made sure the winbind section was selected.

This was the action that allowed me to ssh in to the box -- The one remaining
problem is that the user's home dir is not automatically created as I
assumed it would be with the line

template homedir = /home/%U

in smb.conf.

I think that ubuntu must put other things in the pam stack (which I left
in) that broke with the lines I added.

Now on the homedir creation -- is there a script that needs to be in place?

My AD is a pure windows AD domain -- so as far as rfc2307 attributes, I'm
not sure if they have been enabled in the AD to make things work, which
is why I used the rid method for the idmap config.


On Wed, Nov 4, 2015 at 1:34 AM, Oliver Rath <rath at mglug.de> wrote:

> Hi LPH & David,
>
> I'm also interested in using kerberos authentication and tried your
> hints. I'm using Ubuntu 14.04.3 Server on this machine.
>
> On 04.11.2015 08:52, L.P.H. van Belle wrote:
> > Ok, do the following.
> >
> > Remove all you modifications from pam so its back to original.
> >
> > apt-get install krb5-ssh
> > restart ssh, try again.
>
> @LPH: krb5-ssh doesn't exist in Ubuntu:
>
> # apt-get install krb5-ssh
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> E: Unable to locate package krb5-ssh
>
> But maybe you mean libpam-krb5?
>
> > Still not working?
> >
> > Now try correct pam.
> > Type : pam-auth-update
> > Select kerberos winbind and unix ( and keep other defaults as is )
>
> I didn't find "kerberos" in the selection-list. But with "libpam-krb5"
> installed it is shown.
>
> @David: Did you enable Kerberos authentication in /etc/ssh/sshd_config?
> I see to select:
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosGetAFSToken no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
>
> What should I enable from these?
> >
> > Type id username
> > You see a correct shell and correct and existing homedir?
> $ LANG=POSIX id oliver
> uid=1000(oliver) gid=1000(oliver)
> groups=1000(oliver),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),114(scanner),124(saned),129(kvm),131(lxd)
>
> Where should I see shell and homedir here?
>
> Tfh!
> Oliver
>



-- 
David Bear
mobile: (602) 903-6476
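On the home directory question in the message above: `template homedir` only tells winbind what path to report for the user; nothing in Samba creates that directory. On Debian/Ubuntu the directory is created at login by `pam_mkhomedir.so` in the PAM session stack (`/etc/pam.d/common-session`, managed by `pam-auth-update`), or alternatively by `mkhomedir = yes` in `/etc/security/pam_winbind.conf`. The following script is an added example, not code from the thread or from the Samba project. It builds constructed copies of `smb.conf` and `common-session` in a temporary directory (so it runs offline and never touches the real files), reads the effective `template homedir` the way Samba resolves repeated parameters (last occurrence wins), reports any parameters listed twice, and checks whether an active `pam_mkhomedir` line exists before and after adding one. The function names and the sample files are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): does this winbind-joined host create an
# AD user's home directory on first SSH login? Samba never does that itself;
# pam_mkhomedir in the PAM session stack does.
set -u

# Constructed stand-ins for /etc/samba/smb.conf and /etc/pam.d/common-session,
# written to a temp dir so the real system files are never modified.
WORK=$(mktemp -d)
SMBCONF="$WORK/smb.conf"
PAM_SESSION="$WORK/common-session"

cat > "$SMBCONF" <<'EOF'
[global]
   security = ADS
   realm = HA.EDU
   workgroup = HA
   idmap config HA:backend = rid
   idmap config HA:range = 10000-100000
   template shell = /bin/bash
   winbind use default domain = yes
   template homedir = /home/%U
   template shell = /bin/bash
EOF

# Session stack roughly as pam-auth-update writes it with winbind selected but
# no "Create home directory on login" entry (constructed).
cat > "$PAM_SESSION" <<'EOF'
session [default=1]   pam_permit.so
session requisite     pam_deny.so
session required      pam_permit.so
session optional      pam_umask.so
session required      pam_unix.so
session optional      pam_winbind.so
session optional      pam_systemd.so
EOF

# Effective value of a smb.conf parameter: Samba silently takes the last
# occurrence when a parameter is repeated, so take the last match here too.
smbconf_get() {
    file=$1; key=$2
    sed -n 's/^[[:space:]]*'"$key"'[[:space:]]*=[[:space:]]*//p' "$file" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Parameter names that appear more than once (a common source of confusion
# when an earlier value is edited but a later one wins).
smbconf_dupes() {
    sed -n 's/^[[:space:]]*\([^=[]*[^=[:space:]]\)[[:space:]]*=.*/\1/p' "$1" \
        | sort | uniq -d
}

# True if an uncommented session line loads pam_mkhomedir.so.
pam_has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# Append the line pam-auth-update's "mkhomedir" profile would add; umask=0077
# keeps a freshly created home readable by its owner only.
add_mkhomedir() {
    pam_has_mkhomedir "$1" && return 0
    printf 'session optional      pam_mkhomedir.so skel=/etc/skel umask=0077\n' >> "$1"
}

# Returns 0 when a home directory will be created at login, 1 when a template
# path is reported by winbind but nothing creates it.
check_homedir_setup() {
    template=$(smbconf_get "$1" 'template homedir')
    if pam_has_mkhomedir "$2"; then
        echo "template homedir = $template; pam_mkhomedir active"
        return 0
    fi
    echo "template homedir = $template; no pam_mkhomedir in $2, login will not create it"
    return 1
}

check_homedir_setup "$SMBCONF" "$PAM_SESSION" || true
dupes=$(smbconf_dupes "$SMBCONF")
[ -z "$dupes" ] || echo "repeated smb.conf parameters (last value wins): $dupes"
```

Run against the constructed files it first reports that `/home/%U` is the template but nothing creates it, and lists `template shell` as a repeated parameter; after `add_mkhomedir "$PAM_SESSION"` the check passes. On a real Ubuntu host the same result is reached by running `pam-auth-update` again and ticking the "Create home directory on login" entry rather than editing `common-session` by hand.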

