[Samba] ssh authentication with AD

Guilherme Boing kolt+samba at frag.com.br
Thu Nov 5 00:40:40 UTC 2015


homedir is created by pam

on CentOS 6/7, edit /etc/pam.d/password-auth and add this:
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022

On Wed, Nov 4, 2015 at 9:33 PM, David Bear <dwbear75 at gmail.com> wrote:

> Thanks for the pointers Oliver --
>
> Rowland, I did review the smb.conf file -- found the typos you alluded to,
> and here is the current version
> #======================= Global Settings =======================
>
> [global]
>    netbios name = HAT
>    security = ADS
>    realm = HA.EDU
>    workgroup = HA
>    server string = HATServer
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    idmap config *:backend = tdb
>    idmap config *:range = 5000-9999
>    idmap config HA:backend = rid
>    idmap config HA:range = 10000-100000
>    template shell = /bin/bash
>    winbind nss info = template
>    winbind allow trusted domains = no
>    winbind trusted domains only = no
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind use default domain = yes
>    winbind refresh tickets = yes
>    template homedir = /home/%U
>    template shell = /bin/bash
>    encrypt passwords = yes
>
> --------------------------
>
> This configuration did not allow me yet to ssh in to the system. However, I
> re-ran pam-auth-update and made sure the winbind section was selected.
>
> This was the action that allowed me to ssh in to the box -- The one remaining
> problem is that the user's home dir is not automatically created as I
> assumed it would be with the line
>
> template homedir = /home/%U
>
> in smb.conf.
>
> I think that ubuntu must put other things in the pam stack (which I left
> in) that broke with the lines I added.
>
> Now on the homedir creation -- is there script that needs to be in place?
>
> My AD is a pure windows AD domain -- so as far as rfc2307 attributes, I'm
> not sure if they have been enabled in the AD to make things work, which
> is why I used the rid method for the idmap config.
>
>
> On Wed, Nov 4, 2015 at 1:34 AM, Oliver Rath <rath at mglug.de> wrote:
>
> > Hi LPH & David,
> >
> > I'm also interested in using kerberos authentication and tried your
> > hints. I'm using Ubuntu 14.04.3 Server on this machine.
> >
> > On 04.11.2015 08:52, L.P.H. van Belle wrote:
> > > Ok, do the following.
> > >
> > > Remove all your modifications from pam so it's back to original.
> > >
> > > apt-get install krb5-ssh
> > > restart ssh, try again.
> >
> > @LPH: krb5-ssh doesn't exist in Ubuntu:
> >
> > # apt-get install krb5-ssh
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > E: Unable to locate package krb5-ssh
> >
> > But maybe you mean libpam-krb5?
> >
> > > Still not working?
> > >
> > > Now try correct pam.
> > > Type : pam-auth-update
> > > Select kerberos winbind and unix ( and keep other defaults as is )
> >
> > I didn't find "kerberos" in the selection-list. But with "libpam-krb5"
> > installed it is shown.
> >
> > @David: Did you enable Kerberos authentication in /etc/ssh/sshd_config?
> > I see to select:
> >
> > # Kerberos options
> > #KerberosAuthentication no
> > #KerberosGetAFSToken no
> > #KerberosOrLocalPasswd yes
> > #KerberosTicketCleanup yes
> >
> > What should I enable from these?
> > >
> > > Type id username
> > > You see a correct shell and correct and existing homedir?
> > $ LANG=POSIX id oliver
> > uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),114(scanner),124(saned),129(kvm),131(lxd)
> >
> > Where should I see shell and homedir here?
> >
> > Tfh!
> > Oliver
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
>
> --
> David Bear
> mobile: (602) 903-6476
>
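The thread settles on two things: the home directory is created by PAM (pam_mkhomedir.so in the session stack, not by `template homedir` in smb.conf), and `id` only shows uid/gid/groups, so the shell and home directory winbind hands out have to be read from the passwd entry (`getent passwd username`) instead. The script below is an added example written for this archive page; it is not code from anyone in the thread. It takes the PAM stack path and the pam_mkhomedir line from Guilherme's message, applies them idempotently to a file you name (the demo at the bottom works on a constructed temp file, never on the real /etc/pam.d), parses a constructed passwd line of the kind `getent passwd` prints to report home and shell, and shows what directory mode a given `umask=` value in that line produces.

```sh
#!/bin/sh
# Added example (not from the thread). Helpers for the home-directory part of
# ssh-with-AD setups: pam_mkhomedir session line, passwd-entry check, umask.

# Exact line from the thread for CentOS 6/7 (/etc/pam.d/password-auth).
MKHOMEDIR_LINE='session     required      pam_mkhomedir.so skel=/etc/skel umask=0022'

# has_mkhomedir FILE
#   Returns 0 if FILE already has an active (uncommented) session entry that
#   loads pam_mkhomedir.so. Commented-out lines start with '#' and do not match.
has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# ensure_mkhomedir FILE
#   Appends MKHOMEDIR_LINE once; running it again is a no-op, so it is safe in
#   provisioning scripts that are re-run.
ensure_mkhomedir() {
    if has_mkhomedir "$1"; then
        return 0
    fi
    printf '%s\n' "$MKHOMEDIR_LINE" >> "$1"
}

# passwd_field 'name:pw:uid:gid:gecos:home:shell' N
#   Prints field N (1-based) of a passwd-style line, as printed by
#   `getent passwd username`. Field 6 is the home dir, field 7 the shell.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# account_report 'passwd line'
#   Prints "home=... shell=..." for the entry. Returns 1 if either field is
#   empty, which is what you see when the idmap/template settings are wrong.
account_report() {
    home=$(passwd_field "$1" 6)
    shell=$(passwd_field "$1" 7)
    printf 'home=%s shell=%s\n' "$home" "$shell"
    [ -n "$home" ] && [ -n "$shell" ]
}

# homedir_mode UMASK
#   Directory mode pam_mkhomedir will create with the given umask (octal),
#   e.g. 0022 -> 0755 (world-readable), 0077 -> 0700 (owner only).
homedir_mode() {
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

# Demo on a constructed temp file and a constructed passwd line (hypothetical
# user and ids; not a real account).
demo() {
    tmp=$(mktemp) || return 1
    printf 'auth        required      pam_unix.so\n' > "$tmp"
    ensure_mkhomedir "$tmp"
    ensure_mkhomedir "$tmp"            # second call must not duplicate the line
    printf '%s occurrences of pam_mkhomedir in %s\n' \
        "$(grep -c pam_mkhomedir "$tmp")" "$tmp"
    account_report 'dbear:*:10123:10513::/home/dbear:/bin/bash'
    printf 'umask=0022 gives mode %s, umask=0077 gives mode %s\n' \
        "$(homedir_mode 0022)" "$(homedir_mode 0077)"
    rm -f "$tmp"
}

demo
```

On the real system, `has_mkhomedir /etc/pam.d/password-auth` tells you whether the line is already active before you touch the file, and `account_report "$(getent passwd username)"` answers the "where do I see shell and homedir" question with the fields winbind actually returns. The thread's `umask=0022` yields 0755 home directories; `umask=0077` is the stricter choice if other domain users should not be able to list a home directory.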

