[Samba] Problem with Active Directory authentication

Data Control Systems - Mike Elkevizth mike at datacontrolsystems.com
Fri Jun 10 20:35:33 UTC 2016


Hi,

I'm not 100% sure about this, but that might mean that the NIS Extensions
are not installed in your AD directory.  Is the domain controller a Samba
AD DC?  If so you can see
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD about adding it.

Mike E.


On Fri, Jun 10, 2016 at 3:44 PM Kaplan, Andrew H. <AHKAPLAN at partners.org>
wrote:

> The problem that I am now facing is the fact there is no NIS domain that
> can be selected from the dropdown menu,
> which, in turn, prevents the login shell from being modified.
>
>
> ------------------------------
> *From:* Data Control Systems - Mike Elkevizth [mike at datacontrolsystems.com]
> *Sent:* Friday, June 10, 2016 3:14 PM
> *To:* Kaplan, Andrew H.
> *Cc:* samba at lists.samba.org; Rowland penny
>
> *Subject:* Re: [Samba] Problem with Active Directory authentication
> Hi,
>
> You need to make sure that the user has the rfc2307 "loginShell:"
> attribute set.  See
> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC
> for how to set it.
>
> Mike E.
>
>
> On Fri, Jun 10, 2016 at 2:11 PM, Kaplan, Andrew H. <AHKAPLAN at partners.org>
> wrote:
>
>> Hello --
>>
>> The version of Samba that I am running on the server is the 4.3.9 Ubuntu
>> package.
>>
>> To that end, I reconfigured the smb.conf file to reflect the entries
>> listed in your e-mail.
>>
>> I added the syntax: default shell = /bin/bash to the smb.conf file, and
>> restarted the samba and winbind daemons.
>> Unfortunately, the getent passwd command indicated the /bin/false shell
>> was still the default.
>>
>> What else do I need to do in order to correct this?
>>
>>
>> ------------------------------
>> *From:* Data Control Systems - Mike Elkevizth [mike at datacontrolsystems.com]
>> *Sent:* Friday, June 10, 2016 1:40 PM
>> *To:* Kaplan, Andrew H.; samba at lists.samba.org
>> *Cc:* Rowland penny
>> *Subject:* Re: [Samba] Problem with Active Directory authentication
>>
>> Hi,
>>
>> What version of Samba are you running (samba --version)?  Some of the
>> smb.conf parameters have changed in more recent versions.  I'm running the
>> standard version supplied with Ubuntu which is currently 4.3.9.  My
>> configuration on member servers is as follows:
>>
>> [global]
>> # Base options
>> workgroup = <NETBIOS DOMAIN>
>> realm = <AD DOMAIN>
>> netbios name = <THIS MACHINE'S NETBIOS NAME>
>> security = ADS
>>
>> # Default idmap config used for BUILTIN and local accounts/groups
>> idmap config *:backend = tdb
>> idmap config *:range = 3000000-3999999
>>
>> # idmap config for domain <NETBIOS DOMAIN>
>> idmap config <NETBIOS DOMAIN>:backend = ad
>> idmap config <NETBIOS DOMAIN>:schema_mode = rfc2307
>> idmap config <NETBIOS DOMAIN>:range = 10000-20000
>>
>> # Use settings from AD for login shell and home directory
>> winbind nss info = rfc2307
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind offline logon = yes
>>
>> # Log options
>> log level = 1
>>
>> I think it looks like your real issue now is the /bin/false shell,
>> which is the default if it isn't specifically set.  The newer way to set
>> the shell is using rfc2307 attributes.  See
>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and
>> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC.
>> With a configuration similar to mine, and the correct shell set up in the
>> rfc2307 attributes for the user, I think you'll be all set.
>>
>> Mike E.
>>
>> On Fri, Jun 10, 2016 at 12:50 PM Kaplan, Andrew H. <AHKAPLAN at partners.org>
>> wrote:
>>
>>> Hello --
>>>
>>> I removed the ldap and sssd packages from the server, and I am trying to
>>> get winbind to work on the system.
>>>
>>> The configuration of the /etc/samba/smb.conf file's global section is
>>> the following:
>>>
>>> [global]
>>>
>>> ## Browsing/Identification ###
>>>
>>> # Change this to the workgroup/NT-domain name your Samba server will be
>>> # part of
>>>    security = ads
>>>    realm = <domain name>
>>>    workgroup = <domain>
>>>    idmap uid = 10000-20000
>>>    idmap gid = 10000-20000
>>>    winbind enum users = yes
>>>    winbind enum groups = yes
>>>    template homedir =  /home/%D/%U
>>>    template shell = /bin/bash
>>>    client use spnego = yes
>>>    client ntlmv2 auth = yes
>>>    encrypt passwords = yes
>>>    winbind use default domain = yes
>>>    restrict anonymous = 2
>>>
>>> While that of the /etc/nsswitch.conf file reads as follows:
>>>
>>>
>>> passwd:         compat  winbind
>>> group:          compat  winbind
>>> shadow:         compat
>>>
>>> hosts:  files dns
>>> ...
>>>
>>> The /etc/krb5.conf file has the domain name in capital letters for the
>>> default_realm entry.
>>>
>>> I was able to join the server with the domain.
>>>
>>> When I ran the getent <username>@<DOMAINNAME> command, the output was
>>> the following:
>>>
>>> <DOMAINNAME>\<username>:*:10000:10005:<lastname>, <firstname>.:/home/<DOMAIN>/<username>:/bin/false
>>>
>>> I attempted to log into the system via ssh using the following command
>>> syntax:
>>>
>>> ssh -l <username>@<DOMAINNAME> <server fqdn>
>>>
>>> The connection was made, but it was immediately closed. I am guessing
>>> the /bin/false shell could be what is causing the problem.
>>>
>>> The auth.log file also had the following entries:
>>>
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=microknoppix.mgh.harvard.edu  user=ahk at PARTNERS.ORG
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): getting password (0x00000388)
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): pam_get_item returned a password
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): user '<DOMAINNAME>\<username>' granted access
>>> Jun 10 12:44:00 <samba server> sshd[13560]: Accepted password for <username>@<DOMAINNAME> from <ip address> port 54879 ssh2
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session opened for user <DOMAINNAME>\<username> by (uid=0)
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_systemd(sshd:session): Failed to create session: No such file or directory
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: umask
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: 0022
>>> Jun 10 12:44:00 <samba server> sshd[13608]: Received disconnect from <ip address>: disconnected by user
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session closed for user <DOMAINNAME>\<username>
>>> Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:setcred): user '<DOMAINNAME>\<username>' OK
>>>
>>> The pam-auth-update command indicated the following were enabled:
>>>
>>> Unix authentication
>>> Winbind NT/Active Directory authentication
>>>
>>> Register user sessions in the systemd control group hierarchy
>>> Inheritable Capabilities Management
>>>
>>> ------------------------------
>>> *From:* Data Control Systems - Mike Elkevizth [mike at datacontrolsystems.com]
>>> *Sent:* Friday, June 10, 2016 10:45 AM
>>> *To:* Kaplan, Andrew H.; samba at lists.samba.org
>>> *Cc:* Rowland penny
>>>
>>> *Subject:* Re: [Samba] Problem with Active Directory authentication
>>> Hi,
>>>
>>> I have a feeling that Rowland is correct that all the different
>>> authentication methods are interfering with one another.  I can say all I
>>> have is winbind and it works fine for me.  My relevant pam-auth-update
>>> modules are:
>>>
>>> [*] Unix authentication
>>> [*] Winbind NT/Active Directory authentication
>>> [*] Register user sessions in the systemd control group hierarchy
>>> [*] Create home directory on login
>>>
>>> My relevant excerpt from /etc/nsswitch.conf is:
>>>
>>> passwd:         compat winbind
>>> group:          compat winbind
>>>
>>> If your smb.conf file includes the "template shell = /bin/bash" as you
>>> indicated earlier, but your getent passwd is returning /bin/PHSshell
>>> instead, I think the information is being returned by a service other than
>>> winbind.  Depending on how pam is configured, generally the order listed
>>> when you run pam-auth-update will be the order in which the services are
>>> tried.  So the first one listed there is probably the one returning the
>>> info to getent passwd.  I also know that my ssh (Ubuntu 16.04 client and
>>> server) doesn't like the username in the format <username>@<domainname> and
>>> this isn't the format that winbind would return the information, at least
>>> not by default.  For me getent passwd <username>@<domainname> would return
>>> the user as <domainname>\<username>.  I would try running pam-auth-update
>>> and disabling the LDAP and SSSD authentication methods and see if getent
>>> passwd returns different info.
>>>
>>> Your first post looked to me like the authentication was succeeding, but
>>> then the shell was wrong and so you were immediately logged out.  Like you
>>> mentioned in a previous post, the /bin/PHSshell is probably the issue
>>> because it probably doesn't exist.  A link from /bin/PHSshell to /bin/bash
>>> would fix this, but more than likely, it is a configuration issue that is
>>> returning the wrong shell in the first place.  Is PHS your netbios domain
>>> name?  If it is, it's probably the LDAP or SSSD configuration that is
>>> returning the shell using a substitution that isn't set up correctly.
>>>
>>> Good luck,
>>>
>>> Mike E.
>>>
>>> On Fri, Jun 10, 2016 at 10:14 AM Rowland penny <rpenny at samba.org> wrote:
>>>
>>>> On 10/06/16 13:46, Kaplan, Andrew H. wrote:
>>>> > Hello --
>>>> >
>>>> > The winbind packages that are installed on the server are the
>>>> following:
>>>> >
>>>> >       Package                                     Description
>>>> >       libnss-winbind 4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Samba nameservice integration plugins
>>>> >       libpam-winbind 4.3.9+dfsg-0ubuntu0.14.04.3  amd64  Windows domain authentication integration plugin
>>>> >       libwbclient0 4.3.9+dfsg-0ubuntu0.14.04.3    amd64  Samba winbind client library
>>>> >       winbind 4.3.9+dfsg-0ubuntu0.14.04.3         amd64  service to resolve user and group information from Windows NT servers
>>>> >
>>>> > Similarly, the ldap PAM packages are as follows:
>>>> >
>>>> >       Package                                     Description
>>>> >       ldap-auth-client 0.5.3                      all    meta-package for LDAP authentication
>>>> >       ldap-auth-config 0.5.3                      all    Config package for LDAP authentication
>>>> >       ldap-utils 2.4.31-1+nmu2ubuntu8.2           amd64  OpenLDAP utilities
>>>> >       libldap-2.4-2 2.4.31-1+nmu2ubuntu8.2        amd64  OpenLDAP libraries
>>>> >       libldb1 1.1.24-0ubuntu0.14.04.1             amd64  LDAP-like embedded database - shared library
>>>> >       libnss-ldap 264-2.2ubuntu4.14.04.1          amd64  NSS module for using LDAP as a naming service
>>>> >       libpam-ldap 184-8.5ubuntu3                  amd64  Pluggable Authentication Module for LDAP
>>>> >       sssd-ldap 1.11.5-1ubuntu3                   amd64  System Security Services Daemon -- LDAP back end
>>>> >
>>>> > Finally, the sssd packages are the following:
>>>> >
>>>> >       Package                                     Description
>>>> >       libsss-idmap0 1.11.5-1ubuntu3               amd64  ID mapping library for SSSD
>>>> >       sssd 1.11.5-1ubuntu3                        amd64  System Security Services Daemon -- metapackage
>>>> >       sssd-ad 1.11.5-1ubuntu3                     amd64  System Security Services Daemon -- Active Directory back end
>>>> >       sssd-ad-common 1.11.5-1ubuntu3              amd64  System Security Services Daemon -- PAC responder
>>>> >       sssd-common 1.11.5-1ubuntu3                 amd64  System Security Services Daemon -- common files
>>>> >       sssd-ipa 1.11.5-1ubuntu3                    amd64  System Security Services Daemon -- IPA back end
>>>> >       sssd-krb5 1.11.5-1ubuntu3                   amd64  System Security Services Daemon -- Kerberos back end
>>>> >       sssd-krb5-common 1.11.5-1ubuntu3            amd64  System Security Services Daemon -- Kerberos helpers
>>>> >       sssd-ldap 1.11.5-1ubuntu3                   amd64  System Security Services Daemon -- LDAP back end
>>>> >       sssd-proxy 1.11.5-1ubuntu3                  amd64  System Security Services Daemon -- proxy back end
>>>> >       sssd-tools 1.11.5-1ubuntu3                  amd64  System Security Services Daemon -- tools
>>>> >
>>>> > Will removing all packages for the first two groups solve this
>>>> problem?
>>>> >
>>>> > From: samba [samba-bounces at lists.samba.org] on behalf of Rowland penny [rpenny at samba.org]
>>>> > Sent: Friday, June 10, 2016 8:29 AM
>>>> > To: samba at lists.samba.org
>>>> > Subject: Re: [Samba] Problem with Active Directory authentication
>>>> >
>>>> > On 10/06/16 12:47, Kaplan, Andrew H. wrote:
>>>> >> Hello --
>>>> >>
>>>> >> I started a thread on the list that you suggested in your e-mail,
>>>> and thank-you for the reference.
>>>> >>
>>>> >> Also, I checked the auth.log file on the server, and the following
>>>> entries were present:
>>>> >>
>>>> >> Jun 10 07:10:50 <samba server> sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
>>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
>>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
>>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
>>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): received for user <username>@<domainname> 17 (Failure setting user credentials)
>>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
>>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: reconnecting to LDAP server...
>>>> >> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>>>> >> Jun 10 07:10:53 <samba server> sshd[7419]: Failed password for invalid user <username>@<domainname> from <ip address> port 49847 ssh2
>>>> >>
>>>> >>
>>>> >> ________________________________________
>>>> >> From: Sumit Bose [sbose at redhat.com]
>>>> >> Sent: Friday, June 10, 2016 4:44 AM
>>>> >> To: Kaplan, Andrew H.
>>>> >> Cc: samba-technical at lists.samba.org; samba at lists.samba.org
>>>> >> Subject: Re: Problem with Active Directory authentication
>>>> >>
>>>> >> On Wed, Jun 08, 2016 at 07:46:00PM +0000, Kaplan, Andrew H. wrote:
>>>> >>> Hello --
>>>> >>>
>>>> >>> We are running the 14.04.3 LTS 64-bit release as a virtual machine
>>>> on a Vmware appliance. The goal of the installation is to create a Samba
>>>> server that utilizes Active Directory authentication. To that end I
>>>> utilized the following procedure:
>>>> >>>
>>>> >>> http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/
>>>> >>>
>>>> >>> Afterwards, I referenced the following documentation to confirm
>>>> that all configuration files had the appropriate entries:
>>>> >>>
>>>> >>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html
>>>> >> The sssd-users list
>>>> >> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/
>>>> >> might be more appropriate for your question.
>>>> >>
>>>> >> As a general comment, the PAM configuration is important here. Please
>>>> >> check the system logs which PAM module was consulted during the login
>>>> >> attempt and which cause the rejection.
>>>> >>
>>>> >> HTH
>>>> >>
>>>> >> bye,
>>>> >> Sumit
>>>> >>
>>>> >>> The problem is the following: I am unable to log into the server
>>>> from the console or via SSH using my Active Directory user account. The
>>>> syntax that I use when doing an SSH connection is the following:
>>>> >>>
>>>> >>> ssh -v -l <username>@<domainname> <fully qualified domain name>
>>>> >>>
>>>> >>> The output that was generated is the following:
>>>> >>>
>>>> >>> OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
>>>> >>> debug1: Reading configuration data /etc/ssh/ssh_config
>>>> >>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>>>> >>> debug1: Connecting to <fully qualified domain name> [<ip address>] port 22.
>>>> >>> debug1: Connection established.
>>>> >>> debug1: identity file /home/knoppix/.ssh/id_rsa type -1
>>>> >>> debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
>>>> >>> debug1: identity file /home/knoppix/.ssh/id_dsa type -1
>>>> >>> debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
>>>> >>> debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
>>>> >>> debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
>>>> >>> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
>>>> >>> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
>>>> >>> debug1: Enabling compatibility mode for protocol 2.0
>>>> >>> debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
>>>> >>> debug1: SSH2_MSG_KEXINIT sent
>>>> >>> debug1: SSH2_MSG_KEXINIT received
>>>> >>> debug1: kex: server->client aes128-ctr hmac-md5 none
>>>> >>> debug1: kex: client->server aes128-ctr hmac-md5 none
>>>> >>> debug1: sending SSH2_MSG_KEX_ECDH_INIT
>>>> >>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>>>> >>> debug1: Server host key: ECDSA ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
>>>> >>> debug1: Host '<fully qualified domain name>' is known and matches the ECDSA host key.
>>>> >>> debug1: Found key in /home/knoppix/.ssh/known_hosts:29
>>>> >>> debug1: ssh_ecdsa_verify: signature correct
>>>> >>> debug1: SSH2_MSG_NEWKEYS sent
>>>> >>> debug1: expecting SSH2_MSG_NEWKEYS
>>>> >>> debug1: SSH2_MSG_NEWKEYS received
>>>> >>> debug1: Roaming not allowed by server
>>>> >>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>>> >>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>>> >>> debug1: Authentications that can continue: publickey,password
>>>> >>> debug1: Next authentication method: publickey
>>>> >>> debug1: Trying private key: /home/knoppix/.ssh/id_rsa
>>>> >>> debug1: Trying private key: /home/knoppix/.ssh/id_dsa
>>>> >>> debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
>>>> >>> debug1: Next authentication method: password
>>>> >>> <username>@<domainname>@<fully qualified domain name>'s password:
>>>> >>> Connection closed by <ip address>
>>>> >>>
>>>> >>> Does anyone have thoughts on this?
>>>> >>>
>>>> >>> Thanks.
>>>> >>>
>>>> >>>
>>>> > As Sumit has said, this should be on the sssd mailing list.
>>>> > From your log fragment, it looks like you have the winbind and ldap PAM
>>>> > packages installed, you do not need them.
>>>> >
>>>> > Rowland
>>>> >
>>>> >
>>>> > --
>>>> > To unsubscribe from this list go to the following URL and read the
>>>> > instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>> I am not entirely sure, what I can say is that you are using three
>>>> different methods of authentication, winbindd, ldap and sssd, surely you
>>>> don't need all three?
>>>>
>>>> If you decide to use sssd, then ask on their mailing list what sssd
>>>> packages you need and what you should remove.
>>>> If you decide to use LDAP, then this probably entails using nslcd, find
>>>> their mailing list and ask them.
>>>> If you decide to use winbindd (the Samba recommended way), then this is
>>>> the place to ask and I would suggest you have a look here:
>>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>>
>>>> Rowland
>>>>

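The thread turns on two things that are worth checking mechanically on a Samba AD member server rather than by eye: whether the passwd entry winbind hands back carries a shell that can actually start a session (the /bin/false case, where pam_winbind grants access, pam_unix opens the session, and sshd closes it as soon as the shell exits), and whether smb.conf still relies on the old `idmap uid`/`idmap gid` parameters instead of `idmap config <DOMAIN> : backend = ad` with `winbind nss info = rfc2307`, which is what makes the loginShell and unixHomeDirectory attributes in AD take effect. The auth.log lines also show pam_mkhomedir rejecting `umask` and `0022` as two unknown options, which is what happens when the option is written without its `=`. The script below is an added example written for this page; it is not code from the Samba project or from anyone in the thread. It assumes bash, getent and testparm are installed; the passwd entry, smb.conf fragments and the EXAMPLE domain used in its tests are constructed for illustration.

```bash
#!/usr/bin/env bash
# ad_login_check.sh - diagnose "Accepted password" followed by an immediate
# "Connection closed" on a Samba AD member server that uses winbind.
#
# Added example for this page, not code from Samba or from the thread.
# Assumptions: bash, getent and testparm are installed; EXAMPLE is a made-up
# NetBIOS domain name and every sample entry below is constructed.

# Shells that exist so that a login fails: PAM grants access, the shell exits
# at once, and sshd logs "session closed" right after "session opened".
NOLOGIN_SHELLS="/bin/false /usr/bin/false /sbin/nologin /usr/sbin/nologin"

# passwd_field N LINE -> field N (1-based) of a colon-separated passwd entry,
# e.g. 1 for the user, 6 for the home directory, 7 for the shell.
passwd_field() {
    printf '%s\n' "$2" | cut -d: -f"$1"
}

# shell_is_login_capable PATH -> 0 if an interactive session can start from it.
shell_is_login_capable() {
    local shell="$1" s
    [ -n "$shell" ] || return 1
    for s in $NOLOGIN_SHELLS; do
        [ "$shell" = "$s" ] && return 1
    done
    [ -x "$shell" ]
}

# diagnose_passwd_entry LINE -> prints a verdict; returns 0 only when a login
# with this entry can reach a shell.
diagnose_passwd_entry() {
    local entry="$1" user home shell
    user=$(passwd_field 1 "$entry")
    home=$(passwd_field 6 "$entry")
    shell=$(passwd_field 7 "$entry")
    if shell_is_login_capable "$shell"; then
        printf 'OK:   %s -> shell %s, home %s\n' "$user" "$shell" "$home"
        return 0
    fi
    printf 'FAIL: %s -> shell "%s" cannot start a session.\n' "$user" "$shell"
    printf '      With "winbind nss info = rfc2307" the shell comes from the loginShell\n'
    printf '      attribute in AD; with the default "template" it comes from "template shell".\n'
    return 1
}

# smbconf_findings TEXT -> one line per problem spotted in the [global] section
# (pass the output of `testparm -s`). Heuristic text checks, not a parser.
smbconf_findings() {
    local conf="$1"
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*idmap[[:space:]]+(uid|gid)[[:space:]]*='; then
        echo "deprecated: 'idmap uid/gid' found; use 'idmap config <DOMAIN> : range' instead"
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*idmap[[:space:]]+config[[:space:]]+[^*[:space:]][^*]*:[[:space:]]*backend[[:space:]]*='; then
        echo "missing: no 'idmap config <DOMAIN> : backend' for the AD domain (only '*' or nothing)"
    fi
    if printf '%s\n' "$conf" | grep -Eq 'backend[[:space:]]*=[[:space:]]*ad([[:space:]]|$)' \
       && ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*winbind[[:space:]]+nss[[:space:]]+info[[:space:]]*=[[:space:]]*rfc2307'; then
        echo "note: backend = ad without 'winbind nss info = rfc2307'; loginShell/unixHomeDirectory in AD are ignored"
    fi
}

# pam_mkhomedir_findings LINE -> flags pam_mkhomedir options written without the
# "=" the module expects ("umask 0022" produces the two "unknown option" lines).
pam_mkhomedir_findings() {
    local line="$1" opt
    case "$line" in
        *pam_mkhomedir.so*) ;;
        *) return 0 ;;
    esac
    for opt in ${line#*pam_mkhomedir.so}; do
        case "$opt" in
            umask=*|skel=*|silent) ;;
            *) echo "pam_mkhomedir: unknown option '$opt' (use umask=0022 / skel=/etc/skel)" ;;
        esac
    done
}

# Usage: ./ad_login_check.sh 'EXAMPLE\user'   (whatever name getent resolves)
if [ -n "${1:-}" ]; then
    entry=$(getent passwd "$1") || { echo "no passwd entry for $1: winbind/nsswitch problem"; exit 1; }
    diagnose_passwd_entry "$entry"
    smbconf_findings "$(testparm -s 2>/dev/null)"
    grep -h pam_mkhomedir /etc/pam.d/common-session 2>/dev/null | while IFS= read -r l; do
        pam_mkhomedir_findings "$l"
    done
fi
```

Run it only after `getent passwd` already resolves the user; a FAIL verdict is the explanation for a successful password exchange that is followed by "Connection closed". The smb.conf checks are pattern matches over what testparm prints and flag the old parameters and the missing nss info setting; they do not replace testparm's own parameter validation, and they say nothing about whether the rfc2307 attributes are actually populated in AD.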
