[Samba] Problem with Active Directory authentication
Rowland penny
rpenny at samba.org
Fri Jun 10 17:54:18 UTC 2016
On 10/06/16 17:49, Kaplan, Andrew H. wrote:
> Hello --
>
> I removed the ldap and sssd packages from the server, and I am trying
> to get winbind to work on the system.
>
> The configuration of the /etc/samba/smb.conf file's global section is
> the following:
>
> [global]
>
> ## Browsing/Identification ###
>
> # Change this to the workgroup/NT-domain name your Samba server will
> part of
> security = ads
> realm = <domain name>
> workgroup = <domain>
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%D/%U
> template shell = /bin/bash
> client use spnego = yes
> client ntlmv2 auth =yes
> encrypt passwords = yes
> winbind use default domain = yes
> restrict anonymous = 2
>
> While that of the /etc/nsswitch.conf file reads as follows:
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files dns
> ...
>
> The /etc/krb5.conf file has the domain name in capital letters for the
> default_realm entry.
>
> I was able to join the server with the domain.
>
> When I ran the getent <username>@<DOMAINNAME> command, the output was
> the following:
>
> <DOMAINNAME>\<username>:*:10000:10005:<lastname>,
> <firstname>.:/home/<DOMAIN>/<username>:/bin/false
>
> I attempted to log into the system via ssh using the following command
> syntax:
>
> ssh -l <username>@<DOMAINNAME> <server fqdn>
>
> The connection was made, but it was immediately closed. I am guessing
> the /bin/false shell could be what is causing the problem.
>
> The auth.log file also had the following entries:
>
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=microknoppix.mgh.harvard.edu user=ahk@PARTNERS.ORG
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth):
> getting password (0x00000388)
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth):
> pam_get_item returned a password
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth):
> user '<DOMAINNAME>\<username>' granted access
> Jun 10 12:44:00 <samba server> sshd[13560]: Accepted password for
> <username>@<DOMAINNAME> from <ip address> port 54879 ssh2
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session):
> session opened for user <DOMAINNAME>\<username> by (uid=0)
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_systemd(sshd:session):
> Failed to create session: No such file or directory
> Jun 10 12:44:00 <samba server> sshd[13560]:
> pam_mkhomedir(sshd:session): unknown option: umask
> Jun 10 12:44:00 <samba server> sshd[13560]:
> pam_mkhomedir(sshd:session): unknown option: 0022
> Jun 10 12:44:00 <samba server> sshd[13608]: Received disconnect from
> <ip address>: disconnected by user
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session):
> session closed for user <DOMAINNAME>\<username>
> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:setcred):
> user '<DOMAINNAME>\<username>' OK
>
> The pam-auth-update command indicated the following were enabled:
>
> Unix authentication
> Winbind NT/Active Directory authentication
> Register user sessions in the systemd control group hierarchy
> Inheritable Capabilities Management
>
>
Try looking here for info on how to set up a domain member:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

I know it works, because it is based on my smb.conf.

I also have this line in smb.conf: 'winbind use default domain = yes'

This means I don't have to use the domain name when I ssh into the DC;
I just do this:

rowland@debnet:~$ ssh rowland@dc1
rowland@dc1's password:
Linux dc1 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-1 (2016-03-06) x86_64

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 10 18:44:25 2016 from debnet.samdom.example.com

I have never been able to log in using the user's UPN; I have a feeling
the code to do this just isn't there.

Rowland
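The quoted auth.log excerpt and smb.conf fragment contain the kind of evidence an admin triaging a winbind login failure looks for: a session that closes in the same second it opens (what a /bin/false login shell produces), a PAM session module rejecting its own arguments (pam_mkhomedir expects a single umask=0022 token, so "umask" and "0022" as two unknown options point at a space instead of "=" in the PAM config line), and the legacy "idmap uid"/"idmap gid" parameters that Samba documents as deprecated in favour of "idmap config * : range". The script below is an added example, not part of this thread or of Samba; the log lines and configuration it inspects are constructed stand-ins for the placeholders in Andrew's post, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): offline checks over
# captured auth.log lines and an smb.conf fragment. All input below is
# constructed sample data modelled on the quoted post.

# Constructed auth.log excerpt (same message shapes as the post, placeholders
# shortened; the backslash in DOM\user is literal inside single quotes).
AUTH_LOG='Jun 10 12:44:00 srv sshd[13560]: pam_winbind(sshd:auth): user DOM\user granted access
Jun 10 12:44:00 srv sshd[13560]: pam_unix(sshd:session): session opened for user DOM\user by (uid=0)
Jun 10 12:44:00 srv sshd[13560]: pam_mkhomedir(sshd:session): unknown option: umask
Jun 10 12:44:00 srv sshd[13560]: pam_mkhomedir(sshd:session): unknown option: 0022
Jun 10 12:44:00 srv sshd[13560]: pam_unix(sshd:session): session closed for user DOM\user'

# Constructed smb.conf [global] fragment mirroring the post's settings.
SMB_CONF='[global]
security = ads
realm = EXAMPLE.COM
workgroup = EXAMPLE
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
template shell = /bin/bash'

# List "<module> <token>" for every "unknown option" complaint. Two
# consecutive tokens from pam_mkhomedir ("umask" then "0022") show the
# module received "umask 0022" as two arguments where it expects umask=0022.
pam_unknown_options() {
    printf '%s\n' "$1" |
        sed -n 's/.*\(pam_[a-z_]*\)(\([^)]*\)): unknown option: \(.*\)$/\1 \3/p'
}

# Flag an sshd pid whose pam_unix session closes in the same log second it
# opened: the footprint of a login shell that exits immediately, for example
# the /bin/false shell returned by the NSS lookup in the post.
immediate_session_close() {
    printf '%s\n' "$1" | awk '
        /pam_unix\(sshd:session\): session opened for user/ {
            pid = $5; sub(/:$/, "", pid)
            opened[pid] = $1 " " $2 " " $3
        }
        /pam_unix\(sshd:session\): session closed for user/ {
            pid = $5; sub(/:$/, "", pid)
            ts = $1 " " $2 " " $3
            if ((pid in opened) && opened[pid] == ts)
                print pid " closed in the same second it opened"
        }'
}

# Count legacy "idmap uid"/"idmap gid" lines in an smb.conf fragment.
legacy_idmap_params() {
    printf '%s\n' "$1" | grep -c -E '^[[:space:]]*idmap (uid|gid)[[:space:]]*='
}

# Emit the documented replacement for the legacy range parameter.
modern_idmap_range() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*idmap uid[[:space:]]*=[[:space:]]*\([0-9]*-[0-9]*\).*/idmap config * : range = \1/p'
}

# Run all checks when the script is executed directly.
pam_unknown_options "$AUTH_LOG"
immediate_session_close "$AUTH_LOG"
echo "legacy idmap parameters found: $(legacy_idmap_params "$SMB_CONF")"
modern_idmap_range "$SMB_CONF"
```

Run it as `sh check_winbind_login.sh`; on a real host, replace the two embedded strings with `grep sshd /var/log/auth.log` output and `testparm -s` output respectively. The checks only read text, so they are safe to run on a production member server.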