[Samba] Cannot log into Samba4 AD/DC with ssh as domain user
Rowland Penny
rpenny at samba.org
Sat Dec 1 21:15:29 UTC 2018
On Sat, 01 Dec 2018 15:23:36 -0500
Mark Foley <mfoley at ohprs.org> wrote:
> On Sat, 1 Dec 2018 12:09:18 Rowland Penny wrote:
> >
> > On Sat, 01 Dec 2018 06:26:42 -0500
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > From either a Linux or Mac domain member, I have tried logging
> > > into the Samba4 AD server as a domain user:
> > >
> > > labmac:~ mark$ ssh mark@mail pwd
> > > mark@mail's password:
> > > Permission denied, please try again.
> > >
> > > where 'mail' is the AD/DC.
> > >
> > > It also fails if I am on the AD/DC and try the same ssh.
> > >
> > > I've tried setting either the GSSAPIAuthentication or
> > > KerberosAuthentication in /etc/ssh/sshd_config, but those don't
> > > help. I get:
> > >
> > > Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
> > > Dec 1 06:09:19 mail sshd[8645]: reprocess config line 89: Unsupported option GSSAPIAuthentication
> > > Dec 1 06:09:22 mail sshd[8645]: Failed password for mark from 192.168.0.61 port 55802 ssh2
> > > Dec 1 06:09:24 mail sshd[8645]: Connection closed by 192.168.0.61 port 55802 [preauth]
> > >
> > > Dec 1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication
> > > Dec 1 06:16:54 mail sshd[21898]: reprocess config line 83: Unsupported option KerberosAuthentication
> > > Dec 1 06:16:57 mail sshd[21898]: Failed password for mark from 192.168.0.61 port 55809 ssh2
> > > Dec 1 06:17:00 mail sshd[21898]: Connection closed by 192.168.0.61 port 55809 [preauth]
> > >
> > > The AD/DC host is Slackware and does not have PAM.
> > >
> > > Note that I can log in from the AD to the Linux domain member as a
> > > domain user.
> > >
> > > Is there a way to get domain users to ssh into the AD? They do
> > > have home directories on this server?
> > >
> > > THX --Mark
> > >
> >
> > Have you set up the libnss-winbind links ?
> > Or to put it another way, does 'getent passwd mark' produce output
> > when run on the DC ?
> >
> > Rowland
>
> Yes, getent passwd on the DC gives:
>
> $ getent passwd mark
> mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
>
> My /etc/nsswitch.conf on the DC has:
>
> passwd: compat winbind
> shadow: compat winbind
> group: compat winbind
Don't think this has a bearing on the situation, but, on Debian,
adding winbind to the shadow line gives problems.
>
> hosts: files dns
> networks: files
>
> services: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> netgroup: files
> bootparams: files
>
> automount: files
> aliases: files
>
> I suppose when authenticating login from domain members, Windows,
> Linux or Mac, the login mechanism is somehow communicating with the
> samba daemon, but ssh must not be using the same authentication
> mechanism?
Looks like it, it works on Devuan.
>
> Also, on the DC as a different normal (non-root) user, I cannot 'su -
> mark'. I get "su: Authentication failure". So, it's not just ssh
> having an issue.
Very strange
>
> Email clients on the domain members use kerberos/GSSAPI to
> authenticate with the Dovecot mail server on the AD/DC. Perhaps this
> is a clue?
Doesn't Dovecot use ldap to authenticate (via kerberos) ?
>
> Do I need to recompile sshd so that GSSAPIAuthentication or
> KerberosAuthentication are not unsupported? Maybe I also have to
> specify -K (Enables GSSAPI-based authentication) on the client-side
> ssh?
>
> Or, should this just work as is?
Not knowing how openssh is compiled on Slackware, I don't know if you
need to recompile it; all I can say is, it works for me.
Rowland
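The checks the reply asks for (is NSS routed through winbind, does the user resolve with getent, and was this sshd built with the GSSAPI/Kerberos keywords it is rejecting) can be scripted so they are run on the DC in one go. This is an added diagnostic script, not code from the thread or from the Samba project; the library search paths and the `--report` flag are assumptions, and the log parser works on syslog lines of the shape quoted above.

```shell
#!/bin/sh
# Added diagnostic for ssh logins by domain users on a Samba AD DC.
# Not from the thread; all paths and names below are assumptions.

# Does the nsswitch.conf at $1 route database $2 (passwd, group, ...) through winbind?
nss_has_winbind() {
    grep -E "^[[:space:]]*$2:" "$1" | grep -qE '(^|[[:space:]])winbind([[:space:]]|$)'
}

# Is the winbind NSS module where glibc will find it? (Assumed directories;
# these are the "libnss-winbind links" the reply asks about.)
nss_winbind_lib_present() {
    for d in /lib /lib64 /usr/lib /usr/lib64 /lib/x86_64-linux-gnu; do
        [ -e "$d/libnss_winbind.so.2" ] && return 0
    done
    return 1
}

# Print, one per line, every sshd_config keyword that sshd logged as
# "Unsupported option" in the log file $1. A keyword shows up here when the
# sshd binary was built without that feature (here: GSSAPI/Kerberos), so
# setting it in sshd_config cannot help until sshd is rebuilt.
sshd_unsupported_options() {
    sed -n 's/.*Unsupported option \([A-Za-z]*\).*/\1/p' "$1" | sort -u
}

# Does user $1 resolve through NSS at all (winbind or local files)?
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Live report against the local DC. Usage: sh check_dc_ssh.sh --report mark
report() {
    user=$1
    for db in passwd group; do
        if nss_has_winbind /etc/nsswitch.conf "$db"; then
            echo "ok:   $db lookups use winbind"
        else
            echo "FAIL: $db line in /etc/nsswitch.conf lacks winbind"
        fi
    done
    if nss_winbind_lib_present; then
        echo "ok:   libnss_winbind.so.2 found"
    else
        echo "FAIL: libnss_winbind.so.2 not found in the usual library directories"
    fi
    if user_resolves "$user"; then
        echo "ok:   getent passwd $user succeeds"
    else
        echo "FAIL: getent passwd $user returns nothing"
    fi
    # sshd -T (run as root) dumps the effective configuration; a keyword the
    # binary was not built with is simply absent from that dump.
    if sshd -T 2>/dev/null | grep -qi '^gssapiauthentication'; then
        echo "ok:   sshd was built with GSSAPI support"
    else
        echo "WARN: sshd -T shows no gssapiauthentication keyword; this sshd build may lack GSSAPI"
    fi
    if [ -r /var/log/auth.log ]; then
        echo "sshd keywords rejected as unsupported:"
        sshd_unsupported_options /var/log/auth.log
    fi
}

if [ "${1:-}" = "--report" ]; then
    report "${2:-mark}"
fi
```

A FAIL on the nsswitch or library checks points at the NSS side (the `getent passwd mark` question in the reply); a non-empty unsupported-keyword list with every NSS check passing points at the sshd build instead, which is the recompile question raised at the end of the thread.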