[Samba] Cannot log into Samba4 AD/DC with ssh as domain user

Rowland Penny rpenny at samba.org
Sat Dec 1 21:15:29 UTC 2018


On Sat, 01 Dec 2018 15:23:36 -0500
Mark Foley <mfoley at ohprs.org> wrote:

> On Sat, 1 Dec 2018 12:09:18 Rowland Penny wrote:
> >
> > On Sat, 01 Dec 2018 06:26:42 -0500
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > From either a Linux or Mac domain member, I have tried logging
> > > into the Samba4 AD server as a domain user:
> > > 
> > > labmac:~ mark$ ssh mark at mail pwd
> > > mark at mail's password: 
> > > Permission denied, please try again.
> > > 
> > > where 'mail' is the AD/DC.
> > > 
> > > It also fails if I am on the AD/DC an try the same ssh.
> > > 
> > > I've tried setting either the GSSAPIAuthentication or
> > > KerberosAuthentication in /etc/ssh/sshd_config, but those don't
> > > help. I get:
> > > 
> > > Dec  1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option
> > > GSSAPIAuthentication Dec  1 06:09:19 mail sshd[8645]: reprocess
> > > config line 89: Unsupported option GSSAPIAuthentication Dec  1
> > > 06:09:22 mail sshd[8645]: Failed password for mark from
> > > 192.168.0.61 port 55802 ssh2 Dec  1 06:09:24 mail sshd[8645]:
> > > Connection closed by 192.168.0.61 port 55802 [preauth]
> > > 
> > > Dec  1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported
> > > option KerberosAuthentication Dec  1 06:16:54 mail sshd[21898]:
> > > reprocess config line 83: Unsupported option
> > > KerberosAuthentication Dec  1 06:16:57 mail sshd[21898]: Failed
> > > password for mark from 192.168.0.61 port 55809 ssh2 Dec  1
> > > 06:17:00 mail sshd[21898]: Connection closed by 192.168.0.61 port
> > > 55809 [preauth]
> > > 
> > > The AD/DC host is Slackware and does not have PAM.
> > > 
> > > Note that I can log in from the AD to the Linux domain member as a
> > > domain user.
> > > 
> > > Is there a way to get domain users to ssh into the the AD? They do
> > > have home directories on this server?
> > > 
> > > THX --Mark
> > > 
> >
> > Have you set up the libnss-winbind links ?
> > Or to put it another way, does 'getent passwd mark' produce output
> > when run on the DC ?
> >
> > Rowland
> 
> Yes, getent passwd on the DC gives:
> 
> $ getent passwd mark
> mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> 
> My /etc/nsswitch.conf on the DC has:
> 
> passwd:         compat winbind
> shadow:         compat winbind
> group:          compat winbind

Don't think this has a bearing on the situation, but, on Debian,
adding winbind to the shadow line gives problems.
 
> 
> hosts:          files dns
> networks:       files
> 
> services:       files
> protocols:      files
> rpc:            files
> ethers:         files
> netmasks:       files
> netgroup:       files
> bootparams:     files
> 
> automount:      files
> aliases:        files
> 
> I suppose when authenticating login from domain members, Windows,
> Linux or Mac, the login mechanism is somehow communicting with the
> samba daemon, but ssh must not be using the same authentication
> mechanism?

Looks like it, it works on Devuan.

> 
> Also, on the DC as a different normal (non-root) user, I cannot 'su -
> mark'. I get "su: Authentication failure". So, it's not just ssh
> having an issue.

Very strange

> 
> Email clients on the domain members use kerberos/GSSAPI to
> authenticate with the Dovecot mail server on the AD/DC. Perhaps this
> is a clue?

Doesn't Dovecot use ldap to authenticate (via kerberos) ?

> 
> Do I need to recompile sshd so that GSSAPIAuthentication or
> KerberosAuthentication are not unsupported? Maybe I also have to
> specify -K (Enables GSSAPI-based authentication) on the client-side
> ssh?
> 
> Or, should this just work as is?
 
Not knowing how openssh is compiled on Slackware, I don't know if you
need to recompile it, all I can say is, it works for me.

Rowland






More information about the samba mailing list