[Samba] Cannot log into Samba4 AD/DC with ssh as domain user

Mark Foley mfoley at ohprs.org
Sun Dec 2 18:46:51 UTC 2018


On Sun, 2 Dec 2018 08:52:19 Rowland Penny wrote:
>
> On Sat, 1 Dec 2018 20:38:58 -0500
> Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>
> > On Sat, Dec 1, 2018 at 4:17 PM Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > >
> > > On Sat, 01 Dec 2018 15:23:36 -0500
> > > Mark Foley <mfoley at ohprs.org> wrote:
> > >
> > > > On Sat, 1 Dec 2018 12:09:18 Rowland Penny wrote:
> > > > >
> > > > > On Sat, 01 Dec 2018 06:26:42 -0500
> > > > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > > >
> > > > > > From either a Linux or Mac domain member, I have tried logging
> > > > > > into the Samba4 AD server as a domain user:
> > > > > >
> > > > > > labmac:~ mark$ ssh mark at mail pwd
> > > > > > mark at mail's password:
> > > > > > Permission denied, please try again.
> > > > > >
> > > > > > where 'mail' is the AD/DC.
> > > > > >
> > > > > > It also fails if I am on the AD/DC an try the same ssh.
> > > > > >
> > > > > > I've tried setting either the GSSAPIAuthentication or
> > > > > > KerberosAuthentication in /etc/ssh/sshd_config, but those
> > > > > > don't help. I get:
> > > > > >
> > > > > > Dec  1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
> > > > > > Dec  1 06:09:19 mail sshd[8645]: reprocess
> > > > > > 
> > > > > > Dec  1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication
> > > > > > Dec  1 06:16:54 mail sshd[21898]:

> > 
> > Stop here. If you have root privileges, add a *local* account on the
> > relevant system, and log in using the Kerberos credentials. If those
> > don't work, you have other issues.
>
> Just how is that going to work when the KDC is a Samba AD DC and a
> local account is just that, a local account that is unknown to
> kerberos ?

I was wondering the same.

> > Also, just because a host is an AD server does not mean that it is
> > configured to allow AD based logins. What is the OS of the AD server
> > you are trying to log into?
>
> Did you miss the part where the OP said he could login as an AD user ?
>
> My gut feeling is that he is suffering from an old problem, he is using
> Slackware without PAM.

I'm thinking the same. The domain member Slackware systems do have PAM installed. The AD/DC
does not. There is no problem logging onto the domain members.

>> Email clients on the domain members use kerberos/GSSAPI to
>> authenticate with the Dovecot mail server on the AD/DC. Perhaps this
>> is a clue?

> Doesn't Dovecot use ldap to authenticate (via kerberos) ?

The dovecot wiki lists various authentication methods, one of which is "GSSAPI: Kerberos v5
support." ldap is not mentioned, but is perhaps at some underlying level.

I think I'll try two things:

1. Rebuild sshd with KerberosAuthentication and KerberosAuthentication.

2. Install PAM

#1 seems like the quickest test. #2 I worry about. Although that works fine on the domain
members, PAM affects a number of different programs and might be a bit more difficult to undo.

Supposedly, Slackware will include PAM in the next release.

I'll report back on the results.
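As an added example, not part of the thread: a small shell check for the "Unsupported option" situation quoted above. sshd logs that message when the running binary was built without the feature a directive needs, and then simply ignores the directive, so the setting in sshd_config never takes effect. The first function pulls the refused directive names out of sshd log lines (the sample lines are constructed to mirror the quoted ones); the second asks an installed `sshd -T` whether it knows the Kerberos directive at all, which it only prints when compiled with Kerberos support (assumes an OpenSSH sshd on PATH; `sshd -T` normally has to run as root because it reads the host keys).

```shell
#!/bin/sh
# Added example (not from the mailing list thread): triage sshd
# "Unsupported option" log lines and check an sshd build for Kerberos support.

# Constructed sample log lines modelled on the ones quoted in the thread.
SAMPLE_LOG='Dec  1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
Dec  1 06:09:19 mail sshd[8645]: reprocess config line 89: Unsupported option GSSAPIAuthentication
Dec  1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication
Dec  1 06:17:02 mail sshd[21900]: Accepted publickey for root from 10.0.0.5 port 50112 ssh2'

# Print each sshd_config directive the logged sshd refused, one per line,
# deduplicated and in first-seen order. Takes the log text as its argument.
unsupported_options() {
    printf '%s\n' "$1" |
        sed -n 's/.*Unsupported option \([A-Za-z]*\).*/\1/p' |
        awk '!seen[$0]++'
}

# Return 0 if the installed sshd knows the KerberosAuthentication directive,
# 1 if it does not (built without Kerberos), 2 if no sshd is on PATH.
# `sshd -T` dumps the effective configuration; a build without Kerberos
# support omits the kerberosauthentication / gssapiauthentication keys.
# (Hypothetical for the test environment, which has no sshd.)
sshd_has_kerberos() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not found on PATH" >&2; return 2; }
    sshd -T 2>/dev/null | grep -qi '^kerberosauthentication'
}

# Stand-alone usage: list what the sample log says sshd refused.
echo "Directives this sshd build ignored:"
unsupported_options "$SAMPLE_LOG"
```

If `unsupported_options` reports anything, the authentication method behind that directive is not in play regardless of what sshd_config says, which is why rebuilding sshd (or installing a build with Kerberos/GSSAPI support) comes before any further sshd_config tuning.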
