[Samba] FW: Problem with Active Directory authentication

Data Control Systems - Mike Elkevizth mike at datacontrolsystems.com
Thu Jun 9 18:00:05 UTC 2016 

Hi,

If you have the "template = /bin/bash" option, I think it is more likely
something wrong with the way ssh is trying to authenticate the username.
Do a "getent passwd" and then try "ssh -v  '<username exactly as getent
returns it (case sensitive)>'@<fqdn of server>.  If it doesn't work, post
the output of what ssh generates.


Mike E.


On Thu, Jun 9, 2016 at 1:28 PM, Kaplan, Andrew H. <AHKAPLAN at partners.org>
wrote:

> Hello --
>
> I tried the two methods listed in your e-mail, and unfortunately neither
> worked.
>
> The connection simply closed, or timed out, after about a minute.
>
> I mentioned the possibility of creating a symbolic link to the bash shell
> in my previous e-mail,
> could that be part of the solution?
>
> Thanks.
>
>
> ------------------------------
> *From:* Data Control Systems - Mike Elkevizth [mike at datacontrolsystems.com
> ]
> *Sent:* Thursday, June 09, 2016 1:11 PM
> *To:* Kaplan, Andrew H.
> *Cc:* samba-technical at lists.samba.org; samba at lists.samba.org
> *Subject:* Re: FW: [Samba] Problem with Active Directory authentication
>
> Hi,
>
> Try using the format <domainname><winbind separator><username> to login
> instead of <username>@<domainname>.  I'm not sure why, and don't have time
> to check into it right now, but ssh doesn't like the
> <username>@<domainname> format for me either.  The default winbind
> separator is a backslash "\", so you'll have to escape it, or quote it,
> like <domainname>\\<username> or '<domainname>\<username>'.  Hope that does
> the trick.
>
> Mike E.
>
>
> On Thu, Jun 9, 2016 at 11:19 AM Kaplan, Andrew H. <AHKAPLAN at partners.org>
> wrote:
>
>> A thought came to me:
>>
>> The smb.conf file on the system has the following entry:
>>
>> template shell =  /bin/bash
>>
>> Would creating a symbolic link with the name PHSshell pointing to the
>> /bin/bash shell solve the problem?
>>
>> ------------------------------
>> *From:* Kaplan, Andrew H.
>> *Sent:* Thursday, June 09, 2016 11:00 AM
>> *To:* Data Control Systems - Mike Elkevizth
>> *Cc:* samba-technical at lists.samba.org; samba at lists.samba.org
>> *Subject:* RE: [Samba] Problem with Active Directory authentication
>>
>> Hello --
>>
>> The output of the getent passwd command was the following:
>>
>>
>> <username>@<domainname>:*:##########:##########::/PHShome/<username>:/bin/PHSshell
>>
>>
>> ------------------------------
>> *From:* Data Control Systems - Mike Elkevizth [
>> mike at datacontrolsystems.com]
>> *Sent:* Wednesday, June 08, 2016 6:12 PM
>> *To:* Kaplan, Andrew H.
>> *Cc:* samba-technical at lists.samba.org; samba at lists.samba.org
>> *Subject:* Re: [Samba] Problem with Active Directory authentication
>>
>> What does "getent passwd <username>@<domainname>"  return on the server
>> for the login shell.  By default a samba AD DC sets the login shell for all
>> Active Directory user accounts to /bin/false.  The only way I've found to
>> change this, is to override that globally with the "template shell =
>> /bin/bash" option in smb.conf, which enables it globally for all Active
>> Directory users (probably not desired).
>>
>> Mike E.
>>
>>
>> On Wed, Jun 8, 2016 at 3:46 PM, Kaplan, Andrew H. <AHKAPLAN at partners.org>
>> wrote:
>>
>>> Hello --
>>>
>>> We are running the 14.04.3 LTS 64-bit release as a virtual machine on a
>>> Vmware appliance. The goal of the installation is to create a Samba server
>>> that utilizes Active Directory authentication. To that end I utilized the
>>> following procedure:
>>>
>>> http://www.kiloroot.com/add-ubuntu-1...n-credentials/<
>>> http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/
>>> >
>>>
>>> Afterwards, I referenced the following documentation to confirm that all
>>> configuration files had the appropriate entries:
>>>
>>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html
>>>
>>> The problem is the following: I am unable to log into the server from
>>> the console or via SSH using my Active Directory user account. The syntax
>>> that I use when doing an SSH connection is the following:
>>>
>>> ssh -v -l <username>@<domainname> <fully qualified domain name>
>>>
>>> The output that was generated is the following:
>>>
>>> OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>>> debug1: Connecting to <fully qualified domain name> [<ip address>] port
>>> 22.
>>> debug1: Connection established.
>>> debug1: identity file /home/knoppix/.ssh/id_rsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
>>> debug1: identity file /home/knoppix/.ssh/id_dsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
>>> debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
>>> debug1: Remote protocol version 2.0, remote software version
>>> OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
>>> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
>>> debug1: Enabling compatibility mode for protocol 2.0
>>> debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug1: kex: server->client aes128-ctr hmac-md5 none
>>> debug1: kex: client->server aes128-ctr hmac-md5 none
>>> debug1: sending SSH2_MSG_KEX_ECDH_INIT
>>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>>> debug1: Server host key: ECDSA
>>> ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
>>> debug1: Host '<fully qualified domain name>' is known and matches the
>>> ECDSA host key.
>>> debug1: Found key in /home/knoppix/.ssh/known_hosts:29
>>> debug1: ssh_ecdsa_verify: signature correct
>>> debug1: SSH2_MSG_NEWKEYS sent
>>> debug1: expecting SSH2_MSG_NEWKEYS
>>> debug1: SSH2_MSG_NEWKEYS received
>>> debug1: Roaming not allowed by server
>>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>> debug1: Authentications that can continue: publickey,password
>>> debug1: Next authentication method: publickey
>>> debug1: Trying private key: /home/knoppix/.ssh/id_rsa
>>> debug1: Trying private key: /home/knoppix/.ssh/id_dsa
>>> debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
>>> debug1: Next authentication method: password
>>> <username>@<domainname>@<fully qualified domain name>'s password:
>>> Connection closed by <ip address>
>>>
>>> Does anyone have thoughts on this?
>>>
>>> Thanks.
>>>
>>>
>>> The information in this e-mail is intended only for the person to whom
>>> it is
>>> addressed. If you believe this e-mail was sent to you in error and the
>>> e-mail
>>> contains patient information, please contact the Partners Compliance
>>> HelpLine at
>>> http://www.partners.org/complianceline . If the e-mail was sent to you
>>> in error
>>> but does not contain patient information, please contact the sender and
>>> properly
>>> dispose of the e-mail.
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>>

More information about the samba mailing list