[Samba] ssh not connecting to Active Directory in Fedora 25 workstation, wbinfo -u works; child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
Rowland Penny
rpenny at samba.org
Tue May 9 15:15:36 UTC 2017
On Tue, 9 May 2017 11:00:09 -0400
Robert Kudyba via samba <samba at lists.samba.org> wrote:
> Running Fedora 25 workstation we're able to register the computer in
> AD but I can't get SSH to authenticate properly. wbinfo -u brings
> back all the users. Just getting "Permission denied, please try
> again." Below are key settings in related conf files.
>
> rpm -q samba
> samba-4.5.8-1.fc25.x86_64
>
> winbindd -V
> Version 4.5.8
>
> /etc/nsswitch.conf:
> passwd: files winbind
> shadow: files
> group: files winbind
> hosts: files dns
>
> /etc/samba/smb.conf:
> [global]
> workgroup = DSDEV
> realm = DSDEV.LOCAL
> security = ads
> idmap.config *:backend = tdb
> idmap.config *:range = 100000-199999
> idmap.config DSDEV: backend = rid
> idmap.config DSDEV: range = 1000000-4999999
> winbind enum users = yes
> winbind enum groups = yes
> winbind separator = +
> template homedir = /home/%D/%U
> template shell = /bin/bash
> # winbind use default domain = true
> winbind offline logon = true
> passdb backend = tdbsam
> printing = cups
> printcap name = cups
> load printers = yes
> cups options = raw
> # ldap ssl ads = yes
> # ldap ssl = start tls
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> winbind use default domain = yes
> restrict anonymous = 2
> log level = 3
>
> /etc/krb5.conf:
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = DSDEV.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
> [domain_realm]
> .dsdev = DSDEV.LOCAL
> dsdev = DSDEV.LOCAL
> dsdev.local = DSDEV.LOCAL
> .dsdev.local = DSDEV.LOCAL
>
> /etc/ssh/sshd_config:
> ChallengeResponseAuthentication no
> KerberosAuthentication yes
> KerberosTicketCleanup yes
> KerberosGetAFSToken yes
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> /etc/resolv.conf:
> search dsdev.local ourdomain
> nameserver y.y.y.y.
> nameserver x.x.x.x
>
> /etc/pam.d/password-auth-ac:
> auth required pam_env.so
> auth [default=1 success=ok] pam_localuser.so
> auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> auth sufficient pam_winbind.so cached_login use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
> account required pam_permit.so
>
> Some logs from log.wb-DSDEV:
> [2017/05/09 10:05:36.038999, 3] ../source3/winbindd/winbindd_ads.c:412(query_user_list) ads query_user_list gave 43369 entries
> [2017/05/09 10:06:09.770858, 3] ../source3/winbindd/winbindd_dual.c:60(child_read_request) child_read_request: read_data failed: NT_STATUS_CONNECTION_RESET
> [2017/05/09 10:09:40.556738, 3] ../source3/winbindd/winbindd_ads.c:1495(sequence_number) ads: fetch sequence_number for DSDEV
> [2017/05/09 10:09:40.557560, 3] ../source3/libsmb/namequery.c:3117(get_dc_list) get_dc_list: preferred server list: ", *"
> [2017/05/09 10:09:40.560753, 3] ../source3/libads/ldap.c:618(ads_connect) Successfully contacted LDAP server 172.17.132.28
>
> I've scanned the previous thread here:
> https://groups.google.com/forum/#!topic/linux.samba/XhVnPg-HMF8
>
> And I didn't compile; I'm using the packages via DNF, so there is no need
> for the symlinks. I have log level set to 3, but I didn't want to
> overwhelm my post any more.
Is sssd installed?
If so, try removing it; sssd has its own version of a winbind lib and
this can conflict with winbind.
You also only need this in /etc/krb5.conf for Samba:
[libdefaults]
default_realm = DSDEV.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
The first two lines in yours have been known to confuse Samba.
Rowland
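As an added illustration of the checks in this reply (not code from the thread or from the Samba project): a POSIX shell script that audits a krb5.conf against the [libdefaults] settings suggested above and flags the includedir lines; the file path argument and the rpm-based sssd check are assumptions.

```shell
#!/bin/sh
# Added check script (not from the thread): audits a krb5.conf against the
# [libdefaults] settings recommended above for a Samba AD member and flags
# includedir lines. The file argument and the rpm query are assumptions.

# Print the value of KEY ($2) from the [libdefaults] section of FILE ($1);
# prints nothing if the key is absent from that section.
krb5_libdefault() {
    awk -v key="$2" '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

# Print one finding per line; return 1 if anything should be changed.
check_krb5_conf() {
    file=$1; rc=0
    # includedir pulls in generated fragments (e.g. sssd's) that the reply
    # says have been known to confuse Samba.
    if grep -q '^[[:space:]]*includedir' "$file"; then
        echo "includedir present: remove it for a Samba-only krb5.conf"; rc=1
    fi
    [ -n "$(krb5_libdefault "$file" default_realm)" ] ||
        { echo "default_realm missing: set it to the AD realm"; rc=1; }
    [ "$(krb5_libdefault "$file" dns_lookup_realm)" = false ] ||
        { echo "dns_lookup_realm should be false"; rc=1; }
    [ "$(krb5_libdefault "$file" dns_lookup_kdc)" = true ] ||
        { echo "dns_lookup_kdc should be true"; rc=1; }
    return $rc
}

# True if the sssd package is installed (Fedora/RPM assumption); its
# winbind library can conflict with Samba's winbind.
sssd_installed() {
    rpm -q sssd >/dev/null 2>&1
}

# Usage: check_krb5_conf /etc/krb5.conf; sssd_installed && echo "sssd present"
```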