[Samba] ssh authentication with AD

L.P.H. van Belle belle at bazuin.nl
Thu Nov 5 07:41:16 UTC 2015


Hi David,

( you have: template shell = /bin/bash twice in your config.. ) ;-)

You have: idmap config HA:backend = rid in your config, so no need for giving UID/GID to users. That's what RID is doing for you.

In Debian ( and probably Ubuntu also ) pam_mkhomedir is in the libpam-modules package, so it should be there already.

As Guilherme also said, add
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
to your pam config; this will create your home directory for you.
BUT one thing to remember.. You CAN'T share these folders between servers.
If you want that, then you need to set up with config HA:backend = ad

When the above is done,
just enable this option, restart your ssh, and test.
# GSSAPI options
GSSAPIAuthentication yes

Oh, and if you are using Debian/Ubuntu, use pam-auth-update.
And put the mkhomedir line outside the managed lines of pam-auth-update. ( or create a profile file for it )


You're almost there,

Greetz, 

Louis
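
As an added example that is not part of this thread, a POSIX shell lint over constructed sample files for the four things Louis checks by eye above: a key set twice in smb.conf, the idmap backend for the domain, the pam_mkhomedir session line, and GSSAPIAuthentication in sshd_config (sshd honours the first occurrence of a keyword, so the check reports that one).

```shell
# Added example (not from the thread): lint the four things Louis checks by
# hand. File contents are constructed samples written to temp files.
SMB_CONF=$(mktemp); SSHD_CONF=$(mktemp); PAM_CONF=$(mktemp)
trap 'rm -f "$SMB_CONF" "$SSHD_CONF" "$PAM_CONF"' EXIT
cat >"$SMB_CONF" <<'EOF'
[global]
   workgroup = HA
   idmap config *:backend = tdb
   idmap config HA:backend = rid
   template shell = /bin/bash
   template homedir = /home/%U
   template shell = /bin/bash
EOF
cat >"$SSHD_CONF" <<'EOF'
# GSSAPI options
GSSAPIAuthentication yes
#KerberosAuthentication no
EOF
cat >"$PAM_CONF" <<'EOF'
session required pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
EOF

# Keys set more than once in smb.conf (section headers have no "=").
dup_keys() {
  awk -F= 'index($0, "=") && $1 !~ /^[ \t]*[#;]/ {
      k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k); n[k]++ }
    END { for (k in n) if (n[k] > 1) print k }' "$1"
}
# Backend configured for one idmap domain (e.g. rid, ad, tdb).
idmap_backend() {
  awk -F= -v want="idmap config $2:backend" '{
      k = $1; v = $2; gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == want) { print v; exit } }' "$1"
}
# Succeeds when an active (uncommented) pam_mkhomedir session line exists.
has_mkhomedir() {
  grep -Eq '^[[:space:]]*session[[:space:]]+(required|optional)[[:space:]]+pam_mkhomedir\.so' "$1"
}
# sshd uses the FIRST value of a keyword, so report that one, not the last.
gssapi_enabled() {
  awk 'tolower($1) == "gssapiauthentication" && !seen { v = tolower($2); seen = 1 }
       END { print (v == "yes") ? "yes" : "no" }' "$1"
}

echo "duplicate smb.conf keys: $(dup_keys "$SMB_CONF")"
echo "idmap backend for HA: $(idmap_backend "$SMB_CONF" HA)"
has_mkhomedir "$PAM_CONF" && echo "pam_mkhomedir: present" || echo "pam_mkhomedir: missing"
echo "GSSAPIAuthentication: $(gssapi_enabled "$SSHD_CONF")"
```

Point the functions at /etc/samba/smb.conf, /etc/ssh/sshd_config and /etc/pam.d/common-session to run the same checks on a real host.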


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of David Bear
> Sent: Thursday 5 November 2015 0:34
> To: Oliver Rath
> CC: samba
> Subject: Re: [Samba] ssh authentication with AD
> 
> Thanks for the pointers Oliver --
> 
> Rowland, I did review the smb.conf file -- found the typos you alluded to,
> and here is the current version
> #======================= Global Settings =======================
> 
> [global]
>    netbios name = HAT
>    security = ADS
>    realm = HA.EDU
>    workgroup = HA
>    server string = HATServer
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    idmap config *:backend = tdb
>    idmap config *:range = 5000-9999
>    idmap config HA:backend = rid
>    idmap config HA:range = 10000-100000
>    template shell = /bin/bash
>    winbind nss info = template
>    winbind allow trusted domains = no
>    winbind trusted domains only = no
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind use default domain = yes
>    winbind refresh tickets = yes
>    template homedir = /home/%U
>    template shell = /bin/bash
>    encrypt passwords = yes
> 
> --------------------------
> 
> This configuration did not allow me yet to ssh in to the system. However, I
> re-ran pam-auth-update and made sure the winbind section was selected.
> 
> This was the action that allowed me to ssh in to the box -- The one remaining
> problem is that the user's home dir is not automatically created as I
> assumed it would be with the line
> 
> template homedir = /home/%U
> 
> in smb.conf..
> 
> I think that ubuntu must put other things in the pam stack (which I left
> in) that broke with the lines I added.
> 
> Now on the homedir creation -- is there a script that needs to be in place?
> 
> My AD is a pure Windows AD domain -- so as far as rfc2307 attributes, I'm
> not sure if they have been enabled in the AD to make things work, which
> is why I used the rid method for the idmap config.
> 
> 
> On Wed, Nov 4, 2015 at 1:34 AM, Oliver Rath <rath at mglug.de> wrote:
> 
> > Hi LPH & David,
> >
> > I'm also interested in using kerberos authentication and tried your
> > hints. I'm using Ubuntu 14.04.3 Server on this machine.
> >
> > On 04.11.2015 08:52, L.P.H. van Belle wrote:
> > > Ok, do the following.
> > >
> > > Remove all your modifications from pam so it's back to original.
> > >
> > > apt-get install krb5-ssh
> > > restart ssh, try again.
> >
> > @LPH: krb5-ssh doesn't exist in Ubuntu:
> >
> > # apt-get install krb5-ssh
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > E: Unable to locate package krb5-ssh
> >
> > But maybe you mean libpam-krb5?
> >
> > > Still not working?
> > >
> > > Now try correct pam.
> > > Type : pam-auth-update
> > > Select kerberos winbind and unix ( and keep other defaults as is )
> >
> > I didn't find "kerberos" in the selection list. But with "libpam-krb5"
> > installed it is shown.
> >
> > @David: Did you enable Kerberos authentication in /etc/ssh/sshd_config?
> > I see to select:
> >
> > # Kerberos options
> > #KerberosAuthentication no
> > #KerberosGetAFSToken no
> > #KerberosOrLocalPasswd yes
> > #KerberosTicketCleanup yes
> >
> > What should I enable from these?
> > >
> > > Type id username
> > > You see a correct shell and correct and existing homedir?
> > $ LANG=POSIX id oliver
> > uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),114(scanner),124(saned),129(kvm),131(lxd)
> >
> > Where should I see shell and homedir here?
> >
> > Tfh!
> > Oliver
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> 
> 
> 
> --
> David Bear
> mobile: (602) 903-6476