[Samba] ssh authentication with AD

David Bear dwbear75 at gmail.com
Thu Nov 5 15:46:29 UTC 2015

Many thanks to all on the list who endured my poor abilities. Here are some
things that I learned:
1) there are probably too many writeups on how to do AD authentication with
samba and winbind that don't properly specify all the important things like
- this config works on Linux Distro X - and IF you are using a Windows AD
backend, do Y, and check to make sure Package Z has already been installed
2) I'm not complaining about all the information, but so many times a HOWTO
is made for one set of 'assumptions' without stating all those assumptions
up front
3) Making AD authentication work is a great FEATURE that REQUIRES
understanding a LOT about a great many PARTS and PIECES -- For years I have
avoided learning about PAM because the stack seemed too deep and I wasn't
willing to invest the time to understand it better because I just didn't
NEED it at the time. In a corporate environment with documentation and
system uniformity, you can get away with knowing minimal things about PAM
because you don't have to worry about all the variables. So, call me lazy
-- or just call me overbooked.
4) In my case I was following writeups from 3 different sources and when it
came to the pam stack, I just didn't understand what was happening. Yes,
there were errors in the smb.conf file, but none of those errors manifested
when doing the checks with the 'id', 'getent', 'wbinfo' -- etc.
5) Kudos to the samba documentation team, Rowland et al., because the
info in the wiki does seem closest to the truth ... Sorry to have missed
the commented section "choose the following backends fitting your
requirements". That did click with my brain, so I didn't click on the
config options... I wonder if the following might help there

### use the idmap config ad backend WHEN you know you have rfc2307
attributes turned on in your AD schema AND you want to use the AD to store
things like homedir, uid, gid, etc.
### use the idmap config rid backend WHEN you don't need to have common
uid/gid mappings between multiple Linux services, i.e. you won't be sharing
files and you just want a quick and dirty way to allow users to ssh in to a
standalone box

That may or may not be perfectly accurate, but it answers the question I
had in my mind when setting things up..

On Thu, Nov 5, 2015 at 1:31 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 04/11/15 23:33, David Bear wrote:
>> Thanks for the pointers Oliver --
>> Rowland, I did review the smb.conf file -- found the typos you alluded to,
>> and here is the current version
>> #======================= Global Settings =======================
>> [global]
>>     netbios name = HAT
>>     security = ADS
>>     realm = HA.EDU
>>     workgroup = HA
>>     server string = HATServer
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>     log file = /var/log/samba/log.%m
>>     max log size = 1000
>>     syslog = 0
>>     panic action = /usr/share/samba/panic-action %d
>>     idmap config *:backend = tdb
>>     idmap config *:range = 5000-9999
>>     idmap config HA:backend = rid
>>     idmap config HA:range = 10000-100000
>>     template shell = /bin/bash
>>     winbind nss info = template
>>     winbind allow trusted domains = no
>>     winbind trusted domains only = no
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>     winbind use default domain = yes
>>     winbind refresh tickets = yes
>>     template homedir = /home/%U
>>     template shell = /bin/bash
>>     encrypt passwords = yes
>> --------------------------
>> This configuration did not allow me yet to ssh in to the system. However, I
>> re-ran pam-auth-update and made sure the winbind section was selected.
>> This was the action that allowed me to ssh in to the box -- The one remaining
>> problem is that the users home dir is not automatically created as I
>> assumed it would be with the line
>> template homedir = /home/%U
>> in smb.conf..
>> I think that ubuntu must put other things in the pam stack (which I left
>> in) that broke with the lines I added.
>> Now on the homedir creation -- is there script that needs to be in place?
> OK, known problem, on Debian I would run this on the server that will hold
> the users homedir i.e. the users workstation or the machine the user
> connects to via ssh:
> echo "session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022"
> >> /etc/pam.d/common-account
> Rowland
>> My AD is a pure windows AD domain -- so as far as rfc2307 attributes, I'm
>> not sure if they have been enabled in the AD to make things work, which
>> is why I used the rid method for the idmap config.
>> On Wed, Nov 4, 2015 at 1:34 AM, Oliver Rath <rath at mglug.de> wrote:
>> Hi LPH & David,
>>> I'm also interested in using kerberos authentication and tried your
>>> hints. I'm using Ubuntu 14.04.3 Server on this machine.
>>> On 04.11.2015 08:52, L.P.H. van Belle wrote:
>>>> Ok, do the following.
>>>> Remove all you modifications from pam so its back to original.
>>>> apt-get install krb5-ssh
>>>> restart ssh, try again.
>>> @LPH: krb5-ssh doesn't exist in Ubuntu:
>>> # apt-get install krb5-ssh
>>> Reading package lists... Done
>>> Building dependency tree
>>> Reading state information... Done
>>> E: Unable to locate package krb5-ssh
>>> But maybe you mean libpam-krb5?
>>> Still not working?
>>>> Now try correct pam.
>>>> Type : pam-auth-update
>>>> Select kerberos winbind and unix ( and keep other defaults as is )
>>> I didn't find "kerberos" in the selection-list. But with "libpam-krb5"
>>> installed it is shown.
>>> @David: Did you enable Kerberos authentication in /etc/ssh/sshd_config?
>>> I see to select:
>>> # Kerberos options
>>> #KerberosAuthentication no
>>> #KerberosGetAFSToken no
>>> #KerberosOrLocalPasswd yes
>>> #KerberosTicketCleanup yes
>>> What should I enable from these?
>>>> Type id username
>>>> You see a correct shell and correct and existing homedir?
>>> $ LANG=POSIX id oliver
>>> uid=1000(oliver) gid=1000(oliver)
>>> groups=1000(oliver),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare),114(scanner),124(saned),129(kvm),131(lxd)
>>> Where should I see shell and homedir here?
>>> Tfh!
>>> Oliver
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba

David Bear
mobile: (602) 903-6476
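The thread's point is that `id`, `getent` and `wbinfo` can look fine while the idmap configuration is still wrong, and that the choice between the `rid` and `ad` backends and non-overlapping ranges is where people trip. As an added example (not from this thread and not part of Samba), here is a small Python checker that parses an smb.conf like the one posted above and reports the idmap mistakes that those commands do not surface: a missing default (`*`) range, a per-domain range that overlaps another, an unknown backend, and duplicated keys. The sample smb.conf embedded in it is constructed for the example (modelled on David's, with the HA range deliberately lowered so it collides with the `*` range, and `template shell` left duplicated); the list of backend names is an assumption kept to the ones commonly documented, not an exhaustive list.

```python
"""Sanity-check the idmap settings in an smb.conf (added example, not Samba code)."""
import re
from collections import Counter

# Constructed sample input, modelled on the smb.conf posted in the thread.
# The HA range was lowered on purpose so it collides with the default ('*')
# range, and 'template shell' is deliberately set twice.
SAMPLE_SMB_CONF = """\
[global]
    netbios name = HAT
    security = ADS
    realm = HA.EDU
    workgroup = HA
    idmap config *:backend = tdb
    idmap config *:range = 5000-9999
    idmap config HA:backend = rid
    idmap config HA:range = 9000-100000
    template shell = /bin/bash
    template homedir = /home/%U
    template shell = /bin/bash
"""

# Assumed set of idmap backends to accept; extend it for your Samba version.
KNOWN_BACKENDS = {"tdb", "tdb2", "rid", "ad", "autorid", "ldap", "nss", "rfc2307", "script"}


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicates and their order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue                      # junk outside any section
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def idmap_domains(global_items):
    """Group 'idmap config DOM:option' keys by domain, e.g. {'HA': {'backend': 'rid', 'range': '...'}}."""
    domains = {}
    for key, value in global_items:
        m = re.match(r"^idmap config\s+(\S+?)\s*:\s*(\S+)$", key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return domains


def parse_range(value):
    """Turn '10000-100000' into (10000, 100000); None if malformed."""
    m = re.match(r"^(\d+)\s*-\s*(\d+)$", value or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_smb_conf(text):
    """Return a list of 'ERROR/WARN/INFO: ...' findings; empty means nothing looked wrong."""
    findings = []
    global_items = parse_smb_conf(text).get("global", [])
    domains = idmap_domains(global_items)

    # 1. winbind needs the default ('*') domain for BUILTIN and well-known SIDs.
    if "range" not in domains.get("*", {}):
        findings.append("ERROR: no 'idmap config *:range'; BUILTIN/well-known SIDs cannot be mapped")

    ranges = {}
    for dom, opts in domains.items():
        backend = opts.get("backend")
        if backend is None:
            findings.append(f"ERROR: {dom}: no backend set")
        elif backend not in KNOWN_BACKENDS:
            findings.append(f"ERROR: {dom}: unknown idmap backend '{backend}'")
        elif backend == "ad":
            findings.append(f"INFO: {dom}: backend 'ad' needs uidNumber/gidNumber (rfc2307) "
                            "attributes populated in AD; users without them will not resolve")
        rng = parse_range(opts.get("range"))
        if rng is None:
            findings.append(f"ERROR: {dom}: missing or malformed range")
        elif rng[0] >= rng[1]:
            findings.append(f"ERROR: {dom}: range {opts['range']} is empty or inverted")
        else:
            ranges[dom] = rng

    # 2. Ranges must not overlap, or two different SIDs can end up with the same uid/gid.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ERROR: {a} range {alo}-{ahi} overlaps {b} range {blo}-{bhi}")

    # 3. Duplicate keys: Samba takes the last value, which silently hides copy-paste mistakes.
    for key, n in Counter(k for k, _ in global_items).items():
        if n > 1:
            findings.append(f"WARN: '{key}' set {n} times; the last value wins")
    return findings


if __name__ == "__main__":
    for line in check_smb_conf(SAMPLE_SMB_CONF) or ["OK: no idmap problems found"]:
        print(line)
```

Run it against the real file with `check_smb_conf(open("/etc/samba/smb.conf").read())`; on the sample above it reports the `*`/HA range overlap and the duplicated `template shell`. It only reads the config, so it is safe to run on a box before joining it to the domain, and it is worth running again after every edit, since a range overlap is exactly the kind of mistake that `wbinfo -u` will not reveal until two objects collide.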
