[Samba] Debian client/workstation pam_mount

Robert Wooden wdn2420systm at gmail.com
Sat Sep 26 12:40:15 UTC 2020 

Without trying your suggestions, I know that a domain user cannot login via
ssh.

Neither of these work:

> [bob at dn-pc ~]$ ssh tuser16 at 192.168.16.220
> tuser16 at 192.168.16.220's password:
> Permission denied, please try again.
> tuser16 at 192.168.16.220's password:
> Permission denied, please try again.
> tuser16 at 192.168.16.220's password:
> tuser16 at 192.168.16.220: Permission denied
> (publickey,gssapi-keyex,gssapi-with-mic,password).
> [bob at dn-pc ~]$ ssh SAMDOM/tuser16 at 192.168.16.220
> SAMDOM/tuser16 at 192.168.16.220's password:
> Permission denied, please try again.
> SAMDOM/tuser16 at 192.168.16.220's password:
> Permission denied, please try again.
> SAMDOM/tuser16 at 192.168.16.220's password:
> SAMDOM/tuser16 at 192.168.16.220: Permission denied
> (publickey,gssapi-keyex,gssapi-with-mic,password).
>

 Here is my sshd_config file:

> root at lws4:~# cat /etc/ssh/sshd_config
> # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
>
> # This is the sshd server system-wide configuration file.  See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented.  Uncommented options override the
> # default value.
>
> #Port 22
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
> #HostKey /etc/ssh/ssh_host_ed25519_key
>
> # Ciphers and keying
> #RekeyLimit default none
>
> # Logging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> # Authentication:
>
> #LoginGraceTime 2m
> PermitRootLogin yes
> #StrictModes yes
> #MaxAuthTries 6
> #MaxSessions 10
>
> #PubkeyAuthentication yes
>
> # Expect .ssh/authorized_keys2 to be disregarded by default in future.
> #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
>
> #AuthorizedPrincipalsFile none
>
> #AuthorizedKeysCommand none
> #AuthorizedKeysCommandUser nobody
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication yes
> #PermitEmptyPasswords no
>
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> ChallengeResponseAuthentication no
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> GSSAPIStrictAcceptorCheck yes
> GSSAPIKeyExchange yes
> GSSAPIStoreCredentialsOnRekey yes
>
> # Allow groups ( samba/windows groepen )
> AllowGroups servers-ssh sshgroup
>
>
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication.  Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> UsePAM yes
>
> #AllowAgentForwarding yes
> #AllowTcpForwarding yes
> #GatewayPorts no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PermitTTY yes
> PrintMotd no
> #PrintLastLog yes
> #TCPKeepAlive yes
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #UseDNS no
> #PidFile /var/run/sshd.pid
> #MaxStartups 10:30:100
> #PermitTunnel no
> #ChrootDirectory none
> #VersionAddendum none
>
> # no default banner path
> #Banner none
>
> # Allow client to pass locale environment variables
> AcceptEnv LANG LC_*
>
> # override default of no subsystems
> Subsystem sftp /usr/lib/openssh/sftp-server
>
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> # X11Forwarding no
> # AllowTcpForwarding no
> # PermitTTY no
> # ForceCommand cvs server
>

 I have to assume at this point that if I cannot login with a domain user
via ssh we need to solve that first?

(I hate to assume anything, but . . . .)

On Sat, Sep 26, 2020 at 7:22 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 26/09/2020 12:47, Robert Wooden via samba wrote:
> > Maybe I am not testing the signin correctly. Here is what I am doing. I
> > sign into the client/workstation (hereafter referred to as C/W) via ssh
> as
> > the local "admin" from another C/W so I can open many terminals to tail
> log
> > files. Then "sudo -i" into "root". All testing is run as "root". When I
> > sign into "root", I see this:
> >
> OK, try this in /etc/security/pam_mount.conf.xml:
>
> <volume fstype="cifs"
>          server="mbr04.subdom.example.com"
>          path="public"
>          mountpoint="/home/test2/dtshare"
> options="username=%(USER),uid=%(USERUID),gid=%(USERGID),domain=DOMAIN_NAME"
>
>  >
> </volume>
>
> Two things:
>
> Replace 'DOMAIN_NAME' with your workgroup name
>
> 'path' isn't really a good name for the attribute, a better name would
> have been 'sharename', it isn't a path!. You have '/public', so if you
> are trying to mount a share called 'public' from
> 'mbr04.subdom.example.com' then you do not need the leading forward
> slash, if the share that you want to mount isn't called 'public', then
> replace it with the share name that you want to mount.
>
> Open two terminals, log into one as a user that can use sudo (or as
> root) and tail syslog, then try to ssh in as a domain user. If
> everything is correct, the share should get mounted and you should see
> this in the log on the first terminal, provided everything else is
> correct and the user is known to the OS.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list