[Samba] ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
Robert Kudyba
rkudyba at fordham.edu
Tue May 9 15:00:09 UTC 2017
Running Fedora 25 workstation we're able to register the computer in AD but I can't get SSH to authenticate properly. wbinfo -u brings back all the users. Just getting "Permission denied, please try again." Below are key settings in related conf files.
rpm -q samba
samba-4.5.8-1.fc25.x86_64
winbindd -V
Version 4.5.8
/etc/nsswitch.conf:
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns
/etc/samba/smb.conf:
[global]
workgroup = DSDEV
realm = DSDEV.LOCAL
security = ads
idmap.config *:backend = tdb
idmap.config *:range = 100000-199999
idmap.config DSDEV: backend = rid
idmap.config DSDEV: range = 1000000-4999999
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
template homedir = /home/%D/%U
template shell = /bin/bash
# winbind use default domain = true
winbind offline logon = true
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
# ldap ssl ads = yes
# ldap ssl = start tls
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
log level = 3
/etc/krb5.conf:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DSDEV.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[domain_realm]
.dsdev = DSDEV.LOCAL
dsdev = DSDEV.LOCAL
dsdev.local = DSDEV.LOCAL
.dsdev.local = DSDEV.LOCAL
/etc/ssh/sshd_config:
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosTicketCleanup yes
KerberosGetAFSToken yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
/etc/resolv.conf:
search dsdev.local ourdomain
nameserver y.y.y.y.
nameserver x.x.x.x
/etc/pam.d/password-auth-ac:
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth sufficient pam_winbind.so cached_login use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so
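To see which module in the auth section quoted above ends up producing "Permission denied" for a domain user, here is an added example (not part of the original post) that simulates Linux-PAM control-flag handling over that exact stack; the per-module outcomes are constructed assumptions, not real PAM calls.

```python
# Added example: walk the auth stack from /etc/pam.d/password-auth-ac above
# using Linux-PAM control semantics (ok/done/bad/die/ignore/jump N).
# Module outcomes below are constructed for illustration, not real PAM results.

# Simple keyword controls expanded to their Linux-PAM bracket equivalents.
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}

# (control, module) pairs exactly as they appear in the quoted auth section.
AUTH_STACK = [
    ("required", "pam_env.so"),
    ("[default=1 success=ok]", "pam_localuser.so"),
    ("[success=done ignore=ignore default=die]", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so"),      # uid >= 1000
    ("sufficient", "pam_sss.so"),
    ("sufficient", "pam_winbind.so"),
    ("required", "pam_deny.so"),
]

# Constructed outcomes for an AD user: not in /etc/passwd, sssd does not know
# the user, winbind authenticates. Modules not listed are assumed to fail.
DOMAIN_USER_OK = {"pam_env.so": "success", "pam_localuser.so": "fail",
                  "pam_succeed_if.so": "success", "pam_sss.so": "fail",
                  "pam_winbind.so": "success"}
# Same user while winbind cannot talk to the DC (cf. the connection reset).
WINBIND_DOWN = dict(DOMAIN_USER_OK, **{"pam_winbind.so": "fail"})

def parse_control(control):
    if control.startswith("["):
        return dict(kv.split("=") for kv in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, outcomes):
    """Return (final result, list of (module, status) actually invoked)."""
    failed, trace, i = False, [], 0
    while i < len(stack):
        control, module = stack[i]
        ctl = parse_control(control)
        status = outcomes.get(module, "fail")
        trace.append((module, status))
        action = ctl.get(status, ctl.get("default", "bad"))
        i += 1
        if action.isdigit():            # jump: skip the next N modules
            i += int(action)
        elif action == "done":          # stop; success unless a prior "bad"
            return ("fail" if failed else "success", trace)
        elif action == "die":           # stop with failure immediately
            return ("fail", trace)
        elif action == "bad":           # remember the failure, keep going
            failed = True
    return ("fail" if failed else "success", trace)
```

In the second scenario pam_winbind's failure is ignored (sufficient) and the stack falls through to pam_deny, which is the generic "Permission denied" sshd reports; the winbind log is where the real reason lives.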
Some logs from log.wb-DSDEV:
[2017/05/09 10:05:36.038999, 3] ../source3/winbindd/winbindd_ads.c:412(query_user_list)
ads query_user_list gave 43369 entries
[2017/05/09 10:06:09.770858, 3] ../source3/winbindd/winbindd_dual.c:60(child_read_request)
child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
[2017/05/09 10:09:40.556738, 3] ../source3/winbindd/winbindd_ads.c:1495(sequence_number)
ads: fetch sequence_number for DSDEV
[2017/05/09 10:09:40.557560, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", *"
[2017/05/09 10:09:40.560753, 3] ../source3/libads/ldap.c:618(ads_connect)
Successfully contacted LDAP server 172.17.132.28
I've scanned the previous thread here:
https://groups.google.com/forum/#!topic/linux.samba/XhVnPg-HMF8
And I didn't compile; I'm using the packages via DNF, so no need for the symlinks. I have log level set to 3 but I didn't want to overwhelm my post any more.