[Samba] Problem with Active Directory authentication

Kaplan, Andrew H. AHKAPLAN at PARTNERS.ORG
Tue Jun 14 14:53:01 UTC 2016


Hello --

I was able to get SSH with Active Directory authentication set up on the server. It involved several modifications to the 
sshd_config file. I am listing the changes that were made for the benefit of the group:


# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

There is one more caveat that I need to overcome. So far, one domain user account is able to log into the server at the
console, or through an SSH connection. However, any other user account is not able to do so. When the su - <username>
command is entered at the console, the output reads as follows:

No passwd entry for <username>

The auth.log file has entries that read as follows:

Invalid user <username> from <ip address>
input_userauth_request: invalid user <username> [preauth]
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<hostname>

What step(s) do I need to take in order to get all domain user accounts to be able to log into the server, as opposed to only one?

Thanks. 



________________________________________
From: samba [samba-bounces at lists.samba.org] on behalf of Rowland penny [rpenny at samba.org]
Sent: Monday, June 13, 2016 4:53 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Problem with Active Directory authentication

On 13/06/16 21:42, Kaplan, Andrew H. wrote:
> Hello --
>
> I have made considerable progress. When I am at the server console, I am able to enter my domain username and password, and I am able to log into the server. I had several follow-up questions:
>
> 1. How can I configure an SSH connection to the server that will utilize the active directory login?

If you mean 'user at samdom.example.com', then I don't think you can, but
you can use 'user at hostname'


>
> 2. When the login completes, I encounter the following error messages:
>
>
> Unknown parameter encountered: "netbios"
> Ignoring unknown parameter "netbios"
> Unknown parameter encountered: "winbind allow trusted domains"
> Ignoring unknown parameter "winbind allow trusted domains"
>
> I believe these go back to smb.conf file. The lines in question read as follows:
>
> netbios = <hostname>

This should be netbios name = <hostname>

> ...
> winbind allow trusted domains = no

I think this should be 'allow trusted domains = no'

Rowland

>
> I checked the syntax of the two lines within the file, and everything looked fine.
>
> Does anyone have any thoughts on this?
>
> Thanks.
>

