[Samba] ssh authentication with AD
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Nov 5 08:31:09 UTC 2015
On 04/11/15 23:33, David Bear wrote:
> Thanks for the pointers Oliver --
>
> Rowland, I did review the smb.conf file -- found the typos you alluded to,
> and here is the current version
> #======================= Global Settings =======================
>
> [global]
> netbios name = HAT
> security = ADS
> realm = HA.EDU
> workgroup = HA
> server string = HATServer
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> idmap config *:backend = tdb
> idmap config *:range = 5000-9999
> idmap config HA:backend = rid
> idmap config HA:range = 10000-100000
> template shell = /bin/bash
> winbind nss info = template
> winbind allow trusted domains = no
> winbind trusted domains only = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind refresh tickets = yes
> template homedir = /home/%U
> template shell = /bin/bash
> encrypt passwords = yes
>
> --------------------------
>
> This configuration did not allow me yet to ssh in to the system. However, I
> re-ran pam-auth-update and made sure the winbind section was selected.
>
> This was the action that allow me to ssh in to the box -- The one remaining
> problem is that the users home dir is not automatically created as I
> assumed it would be with the line
>
> template homedir = /home/%U
>
> in smb.conf.
>
> I think that ubuntu must put other things in the pam stack (which I left
> in) that broke with the lines I added.
>
> Now on the homedir creation -- is there script that needs to be in place?
OK, known problem. On Debian I would run this on the machine that will
hold the user's homedir, i.e. the user's workstation or the machine the
user connects to via ssh:

echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/common-account

Rowland
>
> My AD is a pure windows AD domain -- so as far as rfc2307 attributes, I'm
> not sure if they have been enabled in the AD to make things work, which
> is why I used the rid method for the idmap config.
>
>
> On Wed, Nov 4, 2015 at 1:34 AM, Oliver Rath <rath at mglug.de> wrote:
>
>> Hi LPH & David,
>>
>> I'm also interested in using kerberos authentication and tried your
>> hints. I'm using Ubuntu 14.04.3 Server on this machine.
>>
>> On 04.11.2015 08:52, L.P.H. van Belle wrote:
>>> Ok, do the following.
>>>
>>> Remove all your modifications from pam so it's back to original.
>>>
>>> apt-get install krb5-ssh
>>> restart ssh, try again.
>> @LPH: krb5-ssh doesn't exist in Ubuntu:
>>
>> # apt-get install krb5-ssh
>> Reading package lists... Done
>> Building dependency tree
>> Reading state information... Done
>> E: Unable to locate package krb5-ssh
>>
>> But maybe you mean libpam-krb5?
>>
>>> Still not working?
>>>
>>> Now try correct pam.
>>> Type : pam-auth-update
>>> Select kerberos winbind and unix ( and keep other defaults as is )
>> I didn't find "kerberos" in the selection list. But with "libpam-krb5"
>> installed it is shown.
>>
>> @David: Did you enable Kerberos authentication in /etc/ssh/sshd_config?
>> I see to select:
>>
>> # Kerberos options
>> #KerberosAuthentication no
>> #KerberosGetAFSToken no
>> #KerberosOrLocalPasswd yes
>> #KerberosTicketCleanup yes
>>
>> What should I enable from these?
>>> Type id username
>>> You see a correct shell and correct and existing homedir?
>> $ LANG=POSIX id oliver
>> uid=1000(oliver) gid=1000(oliver)
>>
>> groups=1000(oliver),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),114(scanner),124(saned),129(kvm),131(lxd)
>>
>> Where should I see shell and homedir here?
>>
>> Tfh!
>> Oliver
>>
>
>
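Two things in the thread above can be checked mechanically: an smb.conf whose [global] section repeats a key (the posted config lists `template shell` twice), and a PAM stack that has no pam_mkhomedir line, so home directories are never created at first ssh login. The POSIX shell functions below are an added example written for this page, not code from the thread or from the Samba project. They run against constructed sample files in a temporary directory; the pam_add_mkhomedir helper appends Rowland's pam_mkhomedir line to common-session, which assumes a Debian/Ubuntu-style /etc/pam.d layout.

```shell
#!/bin/sh
# Added example for this page: lint smb.conf for duplicated [global] keys and
# check/repair a Debian-style PAM stack for pam_mkhomedir. Not code from the
# thread; assumes an /etc/pam.d layout with common-session (Debian/Ubuntu).

# Print each key that appears more than once in the [global] section.
# Samba compares keys case-insensitively, so keys are lowercased first.
smbconf_dup_keys() {
  sed -n '/^\[global\]/,/^\[/p' "$1" \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//' \
    | grep -v -e '^\[' -e '^#' -e '^;' -e '^$' \
    | tr 'A-Z' 'a-z' \
    | sort | uniq -d
}

# Succeed (exit 0) if common-session or common-account in the given PAM
# directory loads pam_mkhomedir.so from a session line; -s keeps grep quiet
# about files that do not exist.
pam_has_mkhomedir() {
  grep -qs '^[[:space:]]*session.*pam_mkhomedir\.so' \
    "$1"/common-session "$1"/common-account
}

# Append the pam_mkhomedir session line from the thread to common-session,
# but only once, so re-running the script never duplicates it.
pam_add_mkhomedir() {
  f="$1/common-session"
  if ! grep -qs 'pam_mkhomedir\.so' "$f"; then
    echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> "$f"
  fi
}

# --- constructed sample files standing in for /etc/samba/smb.conf and /etc/pam.d ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/pam.d"

cat > "$WORK/smb.conf" <<'EOF'
#======================= Global Settings =======================
[global]
   netbios name = HAT
   security = ADS
   realm = HA.EDU
   workgroup = HA
   template shell = /bin/bash
   winbind use default domain = yes
   template homedir = /home/%U
   template shell = /bin/bash
EOF

cat > "$WORK/pam.d/common-session" <<'EOF'
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_unix.so
EOF

echo "duplicated [global] keys:"
smbconf_dup_keys "$WORK/smb.conf"

if pam_has_mkhomedir "$WORK/pam.d"; then
  echo "pam_mkhomedir already present"
else
  echo "pam_mkhomedir missing; adding it to common-session"
  pam_add_mkhomedir "$WORK/pam.d"
fi
```

Point the three functions at the real paths (`/etc/samba/smb.conf` and `/etc/pam.d`) to use them on a box; the duplicate-key lint is approximate because Samba also ignores whitespace inside key names, and `template homedir` on its own only tells winbind what path to report, which is why the PAM check matters for the missing-homedir symptom.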