[Samba] ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET

Robert Kudyba rkudyba at fordham.edu
Tue May 9 15:00:09 UTC 2017

Running Fedora 25 workstation, we're able to register the computer in AD, but I can't get SSH to authenticate properly. wbinfo -u brings back all the users. Just getting "Permission denied, please try again." Below are key settings in related conf files.

rpm -q samba

winbindd -V
Version 4.5.8

passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns

	workgroup = DSDEV
	realm = DSDEV.LOCAL
	security = ads
	idmap.config *:backend	= tdb
	idmap.config *:range	= 100000-199999
	idmap.config DSDEV: backend	= rid
	idmap.config DSDEV: range	= 1000000-4999999
	winbind enum users = yes
	winbind enum groups = yes
	winbind separator = +
	template homedir = /home/%D/%U
	template shell = /bin/bash
#	winbind use default domain = true
	winbind offline logon = true
	passdb backend = tdbsam
	printing = cups
	printcap name = cups
	load printers = yes
	cups options = raw
#	ldap ssl ads = yes
#	ldap ssl = start tls
	client use spnego = yes
	client ntlmv2 auth = yes
	encrypt passwords = yes
	winbind use default domain = yes
	restrict anonymous = 2
	log level = 3

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 default_realm = DSDEV.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}
.dsdev = DSDEV.LOCAL
dsdev.local = DSDEV.LOCAL
.dsdev.local = DSDEV.LOCAL

ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosTicketCleanup yes
KerberosGetAFSToken yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

search dsdev.local ourdomain
nameserver y.y.y.y.
nameserver x.x.x.x

auth        required	  pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required	  pam_deny.so

account     required	  pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required	  pam_permit.so

Some logs from log.wb-DSDEV:
[2017/05/09 10:05:36.038999,  3] ../source3/winbindd/winbindd_ads.c:412(query_user_list)
  ads query_user_list gave 43369 entries
[2017/05/09 10:06:09.770858,  3] ../source3/winbindd/winbindd_dual.c:60(child_read_request)
  child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
[2017/05/09 10:09:40.556738,  3] ../source3/winbindd/winbindd_ads.c:1495(sequence_number)
  ads: fetch sequence_number for DSDEV
[2017/05/09 10:09:40.557560,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/05/09 10:09:40.560753,  3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server

I've scanned the previous thread here:

And I didn't compile; I'm using the packages via DNF, so no need for the symlinks. I have log level set to 3, but I didn't want to overwhelm my post any more.
