[Samba] Cannot log into Samba4 AD/DC with ssh as domain user
Mark Foley
mfoley at ohprs.org
Mon Dec 3 11:44:12 UTC 2018
Got it working! I did download the openssh source from https://www.openssh.com/
I added the --with-kerberos5 option to the configure script and otherwise used the options that
Slackware uses to build the package:
# Slackware's own build options, plus --with-kerberos5 so that sshd
# understands the GSSAPIAuthentication and KerberosAuthentication keywords
export CFLAGS="-O2 -fPIC"
export ARCH=`uname -m`
./configure \
--prefix=/usr \
--mandir=/usr/man \
--sysconfdir=/etc/ssh \
--without-pam \
--with-kerberos5 \
--with-md5-passwords \
--with-tcp-wrappers \
--with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin \
--with-privsep-path=/var/empty \
--with-privsep-user=sshd \
--build=$ARCH-slackware-linux
make
make install
That worked. I was able to ssh from a Linux domain member to the AD/DC as a domain user and was
plopped into the home directory as specified by 'getent passwd'.
--Mark
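The "Unsupported option" lines sshd logged earlier in this thread mean the keyword was compiled out: sshd reports it and then ignores it, so a PAM-less sshd built without Kerberos has no way to validate a domain user's password (an account that exists only through getent has no hash in /etc/shadow). With the rebuilt sshd, KerberosAuthentication yes lets sshd validate that password against the KDC and GSSAPIAuthentication yes lets it accept a ticket instead. As an added example, not code from the thread or from the OpenSSH project, the script below shows two checks worth running before and after such a rebuild: pull the rejected keywords out of sshd log lines, and ask the installed sshd, via its config test mode (sshd -t), whether it accepts a keyword at all. The function names are mine, the log lines are constructed from the entries quoted in the thread, and the live check assumes an sshd binary on PATH.

```shell
#!/bin/sh
# Added example; not code from the thread or from OpenSSH. Assumes POSIX sh,
# sed/grep/sort, and, for the live check only, an sshd binary on PATH.

# Extract the keyword from every "Unsupported option <Keyword>" entry sshd
# logged (it writes one such line per rejected keyword and then ignores it).
# Reads log text on stdin, prints one keyword per line.
unsupported_options() {
    sed -n 's/.*: Unsupported option \([A-Za-z0-9]*\).*/\1/p'
}

# Ask the installed sshd whether it was built with support for one keyword:
# write "<Keyword> yes" to a throwaway config and run sshd in test mode (-t).
# Returns 0 if accepted, 1 if sshd reports "Unsupported option", 2 if no
# sshd is available. (-t also complains about missing host keys when run as
# a non-root user; that is irrelevant here, only the "Unsupported option"
# line is checked.)
sshd_accepts() {
    _opt="$1"
    command -v sshd >/dev/null 2>&1 || return 2
    _tmp=$(mktemp) || return 2
    printf '%s yes\n' "$_opt" > "$_tmp"
    if sshd -t -f "$_tmp" 2>&1 | grep -q "Unsupported option $_opt"; then
        rm -f "$_tmp"
        return 1
    fi
    rm -f "$_tmp"
    return 0
}

# Constructed sample log: the two entries quoted in the thread, each on its
# own line as syslog wrote them, plus one ordinary sshd line that must not match.
SAMPLE_LOG='Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
Dec 1 06:09:20 mail sshd[8645]: Server listening on 0.0.0.0 port 22.
Dec 1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication'

# Deduplicated, sorted list of keywords the logged sshd was built without.
missing_from_log() {
    printf '%s\n' "$SAMPLE_LOG" | unsupported_options | sort -u
}

# Stand-alone run: report from the sample, then probe the local sshd if present.
missing_from_log
for kw in GSSAPIAuthentication KerberosAuthentication; do
    rc=0
    sshd_accepts "$kw" || rc=$?
    case $rc in
        0) echo "$kw: supported by local sshd" ;;
        1) echo "$kw: NOT supported by local sshd (rebuild with --with-kerberos5)" ;;
        *) echo "$kw: no sshd on PATH, skipped" ;;
    esac
done
```

On a Kerberos-less Slackware build both probes return 1; after the rebuild described above they return 0, and only then is it worth adding the two keywords to /etc/ssh/sshd_config. Note that --without-pam also means there is no account or session stack, so the domain user still has to resolve through getent (as the post shows) for the login to land in the right home directory.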
-----Original Message-----
Date: Sun, 02 Dec 2018 13:46:51 -0500
Organization: Ohio Highway Patrol Retirement System
To: samba at lists.samba.org
Subject: Re: [Samba] Cannot log into Samba4 AD/DC with ssh as domain user
On Sun, 2 Dec 2018 08:52:19 Rowland Penny wrote:
>
> On Sat, 1 Dec 2018 20:38:58 -0500
> Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>
> > On Sat, Dec 1, 2018 at 4:17 PM Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > >
> > > On Sat, 01 Dec 2018 15:23:36 -0500
> > > Mark Foley <mfoley at ohprs.org> wrote:
> > >
> > > > On Sat, 1 Dec 2018 12:09:18 Rowland Penny wrote:
> > > > >
> > > > > On Sat, 01 Dec 2018 06:26:42 -0500
> > > > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > > >
> > > > > > From either a Linux or Mac domain member, I have tried logging
> > > > > > into the Samba4 AD server as a domain user:
> > > > > >
> > > > > > labmac:~ mark$ ssh mark at mail pwd
> > > > > > mark at mail's password:
> > > > > > Permission denied, please try again.
> > > > > >
> > > > > > where 'mail' is the AD/DC.
> > > > > >
> > > > > > It also fails if I am on the AD/DC an try the same ssh.
> > > > > >
> > > > > > I've tried setting either the GSSAPIAuthentication or
> > > > > > KerberosAuthentication in /etc/ssh/sshd_config, but those
> > > > > > don't help. I get:
> > > > > >
> > > > > > Dec 1 06:09:19 mail sshd[8645]: rexec line 89: Unsupported option GSSAPIAuthentication
> > > > > > Dec 1 06:09:19 mail sshd[8645]: reprocess
> > > > > >
> > > > > > Dec 1 06:16:54 mail sshd[21898]: rexec line 83: Unsupported option KerberosAuthentication
> > > > > > Dec 1 06:16:54 mail sshd[21898]:
> >
> > Stop here. If you have root privileges, add a *local* account on the
> > relevant system, and log in using the Kerberos credentials. If those
> > don't work, you have other issues.
>
> Just how is that going to work when the KDC is a Samba AD DC and a
> local account is just that, a local account that is unknown to
> kerberos ?
I was wondering the same.
> > Also, just because a host is an AD server does not mean that it is
> > configured to allow AD based logins. What is the OS of the AD server
> > you are trying to log into?
>
> Did you miss the part where the OP said he could login as an AD user ?
>
> My gut feeling is that he is suffering from an old problem, he is using
> Slackware without PAM.
I'm thinking the same. The domain member Slackware systems do have PAM installed. The AD/DC
does not. There is no problem logging onto the domain members.
> > Email clients on the domain members use kerberos/GSSAPI to
> > authenticate with the Dovecot mail server on the AD/DC. Perhaps this
> > is a clue?
> Doesn't Dovecot use ldap to authenticate (via kerberos) ?
The dovecot wiki lists various authentication methods, one of which is "GSSAPI: Kerberos v5
support." ldap is not mentioned, but is perhaps at some underlying level.
I think I'll try two things:
1. Rebuild sshd with GSSAPIAuthentication and KerberosAuthentication.
2. Install PAM
#1 seems like the quickest test. #2 I worry about. Although that works fine on the domain
members, PAM affects a number of different programs and might be a bit more difficult to undo.
Supposedly, Slackware will include PAM in the next release.
I'll report back on the results.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba