[Samba] entering password twice

L.P.H. van Belle belle at bazuin.nl
Fri Sep 11 07:42:51 UTC 2020


Hai Bob,

Ah, yes, that's a part I haven't shown.  ;-) 
First, I suggest you revert back to the original files.

On Debian or Ubuntu, it's not needed to adjust the PAM files (manually).

Check the following. 
Users and their primary group must have a UID/GID. 
If you use groups to allow ssh logins, that group needs a GID. 

You need to have these installed (I bet you have) ;-) 
 libnss-winbind
 libpam-winbind

dpkg -l |grep winbind

The others needed will be pulled in with apt. 
So, since I know your config. 

It's all back to original settings.. 
Run : pam-auth-update 
Save, done. 

# SSH
Edit :  /etc/ssh/sshd_config 
# GSSAPI options
# minimal needed.
GSSAPIAuthentication yes

# And i use. 
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes	
GSSAPIStoreCredentialsOnRekey yes 
# man sshd_config shows what the options do. 


# optional, add this part. 
# Allow groups ( samba/windows groups )
AllowGroups servers-ssh sshgroup

# servers-ssh is a group in AD, with a GID.
# This allows the Windows members to log in with ssh.
# sshgroup is a Linux group; only 2-3 users are in it that are allowed to log in
# and have sudo rights, to be able to maintain the server if the Windows part is down. 

# If you restricted the users' homedirs so no admin/root can enter,
# in /etc/krb5.conf add in libdefaults:
# (allows/ignores the check on .k5login in the homedir)
    ignore_k5login = true


Last, how are you handling remote homedirs, CIFS? NFS? 
Or are these locally re-created? 


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Robert Wooden via samba
> Sent: Friday 11 September 2020 5:47
> To: SAMBA MailList
> Subject: [Samba] entering password twice
> 
> I might be asking this question the incorrect group but, here goes.
> 
> I have successfully added a Debian 10 member (workstation) and made the
> /etc/pam.d files adjustments per the Debianwiki page
> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory and Debian
> is allowing me to login with AD users and passwords except for one thing. I
> have to enter the password twice to login.
> 
> Here are the changed pam_mount files (the red font are the added lines):
> 
> root@lws2:~# cat /etc/pam.d/common-account
> #
>      SNIPPED FOR BREVITY
> # pam-auth-update(8) for details.
> #
> 
> # here are the per-package modules (the "Primary" block)
> account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
> account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
> # here's the fallback if no module succeeds
> account requisite                       pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> account required                        pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
> account sufficient      pam_winbind.so
> account required        pam_unix.so
> 
> root@lws2:~# cat /etc/pam.d/common-auth
> #
>      SNIPPED FOR BREVITY
> #
> # pam-auth-update to manage selection of other modules.  See
> # pam-auth-update(8) for details.
> 
> # here are the per-package modules (the "Primary" block)
> auth    [success=2 default=ignore]      pam_unix.so nullok_secure
> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> # here's the fallback if no module succeeds
> auth    requisite                       pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth    required                        pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
> auth sufficient pam_winbind.so
> auth sufficient pam_unix.so nullok_secure use_first_pass
> auth required   pam_deny.so
> 
> root@lws2:~# cat /etc/pam.d/common-session
> #
>      SNIPPED FOR BREVITY
> #
> # pam-auth-update to manage selection of other modules.  See
> # pam-auth-update(8) for details.
> 
> # here are the per-package modules (the "Primary" block)
> session [default=1]                     pam_permit.so
> # here's the fallback if no module succeeds
> session requisite                       pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> session required                        pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> session required        pam_unix.so
> session optional                        pam_winbind.so
> session optional        pam_systemd.so
> session optional                        pam_mkhomedir.so
> # end of pam-auth-update config
> session required pam_unix.so
> session required pam_mkhomedir.so umask=0022 skel=/etc/skel
> 
> root@lws2:~# cat /etc/pam.d/sudo
> #%PAM-1.0
> #
> Auth sufficient pam_winbind.so
> Auth sufficient pam_unix.so use_first_pass
> Auth required    pam_deny.so
> 
> @include common-auth
> @include common-account
> @include common-session-noninteractive
> 
> The Debian wiki was very brief but, is based on
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto however, the
> Ubuntu wiki referenced some older versions of Ubuntu.
> 
> So I made the additions to the end of each file with the exception of the
> /etc/pam.d/sudo file, those additions went in front of the line "@include
> common-auth".
> 
> I'm wondering if the simple question, *why am I having to enter the
> password twice?* can be answered here or do I need to head over the Debian
> forum?
> 
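
A read-only check for the situation in this thread, added here as an example (not code from either poster or from Samba/Debian): it lists PAM rules placed after the "# end of pam-auth-update config" marker and marks those whose module is already in the managed block, which are the lines to look at before reverting. The function names and the sample file, modelled on the quoted common-auth, are constructed for illustration; files without the marker (such as /etc/pam.d/sudo) report nothing.

```shell
#!/bin/sh
# Added example: report PAM rules that sit outside the pam-auth-update block.
# Output per manual rule: "MANUAL <type> <module>", plus
# "DUPLICATE <type> <module>" if the managed block already has that module.
# Usage: pam_manual_rules /etc/pam.d/common-auth   (or pipe a file on stdin)
pam_manual_rules() {
    awk '
        # join backslash-continued lines before looking at them
        /\\$/ { buf = buf substr($0, 1, length($0) - 1) " "; next }
        { $0 = buf $0; buf = "" }
        # everything after this marker was not written by pam-auth-update
        /^# end of pam-auth-update config/ { manual = 1; next }
        /^[ \t]*#/ || /^[ \t]*$/ || /^@include/ { next }
        {
            type = tolower($1); mod = ""
            # the module is the first field ending in .so (skips [a=b ...])
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { mod = $i; break }
            if (mod == "") next
            key = type " " mod
            if (!manual) { managed[key] = 1; next }
            print "MANUAL " key
            if (key in managed) print "DUPLICATE " key
        }
    ' "$@"
}

# Constructed sample, modelled on the common-auth quoted in this thread.
sample_common_auth() {
    cat <<'EOF'
# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth \
        krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
# end of pam-auth-update config
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required   pam_deny.so
EOF
}

# Run the check on the sample when the script is executed directly.
sample_common_auth | pam_manual_rules
```
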



