[Samba] authentication issue moving from Samba 4.11.x to 4.13.14

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Mar 22 02:52:25 UTC 2022


On 3/21/2022 3:19 PM, Rowland Penny via samba wrote:
> On Mon, 2022-03-21 at 15:08 -0400, Gaiseric Vandal via samba wrote:
>> On 3/21/22 13:38, Rowland Penny via samba wrote:
>>> On Mon, 2022-03-21 at 13:17 -0400, Gaiseric Vandal via samba wrote:
>>>> LDAP is used for user and group lookups at the Unix/Linux level.
>>>> This includes nfs and ssh.  The authentication itself is typically
>>>> kerberos.   Presumably if nsswitch.conf pointed to winbind but not
>>>> ldap everything would continue to work.
>>> Got to ask this, why are you using ldap for Unix user & group
>>> lookups ?
>>> I presume that the ldap lookups are searching for RFC2307
>>> attributes,
>>> if so, ldap is a bit redundant, your 'ad' backend will use the same
>>> IDs
>>>
>>> While there a numerous superfluous lines in your smb.conf, it is
>>> basically sound.
>>>
>>> Rowland
>>>
>>>
>> A lot of the engineering/scientific software we use runs on Linux.
>> A lot of the software development we do is also on Linux, so the focus
>> of services on Solaris machines was to support Linux clients first, and
>> Windows clients 2nd.    I am fairly confident that if I configure
>> /etc/nsswitch.conf to use winbind (not ldap) network users and groups
>> that ssh login would still work.
> I am absolutely positive it will work, it is how I run Samba on Linux.
>
>> but I don't know about NFS (which is dependent on kerberos security.)
> This should also work, I do not use NFS, but kerberos works well on
> Linux, not sure about Solaris. If this was Debian, I would advise
> installing the libnss-winbind, libpam-winbind and libpam-krb5 packages,
> does Solaris have similar packages ?
>
> Rowland
>
>
With /etc/nsswitch.conf set to use


     passwd: files winbind
     group:  files winbind


SSH logins fail, and the log shows the following


        Mar 21 20:41:00 server1 sshd[28725]: [ID 800047 auth.error]
        error: PAM: Authentication failed for myname from 192.x.x.x

        Mar 21 20:41:06 server1 sshd[28725]: [ID 720393 auth.error]
        PAM-KRB5 (setcred): pam_setcred failed for myname (Failure
        setting user credentials).

        Mar 21 20:43:43 server1 sshd[29042]: [ID 800047 auth.error]
        error: PAM: User account has expired for myname from 192.x.x.x

        Mar 21 20:43:51 server1 sshd[29046]: [ID 800047 auth.error]
        error: PAM: User account has expired for myname from 192.x.x.x



You will notice that Solaris 11 does not have a separate shadow entry in
/etc/nsswitch.conf (the shadow functionality is handled by the passwd
entry.)


With LDAP, I get


    # getent shadow myname

    myname:*NP*:::::::


But with winbind, "getent shadow myname" does not show anything.



I don't have samba running as a domain member on any linux servers yet.
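A small diagnostic helper for the symptom above, added here as an example and not part of the thread: it classifies what NSS hands back for a user's shadow entry (the `myname:*NP*:::::::` line seen with LDAP, or nothing at all with winbind) by the account-expiry field, field 8 of shadow(4). It assumes `getent` and a `date` that accepts `+%s` on the host where `check_user_shadow` is run.

```shell
#!/bin/sh
# Added example: classify a shadow(4)-style line by its account-expiry field.
# Field layout: name:pw:lastchg:min:max:warn:inact:expire:flag
# "expire" is days since 1970-01-01; empty means the account never expires.
# Only field 8 is examined here; the password-age fields (lastchg/max) are
# a separate check and are not covered.

# check_shadow_line LINE TODAY_DAYS
# Prints one of: no-entry, never-expires, expired, active
# Exit status is 0 for never-expires/active and 1 otherwise, so the
# function can be used directly in an if/&& chain.
check_shadow_line() {
    line=$1
    today=$2
    if [ -z "$line" ]; then
        # Nothing came back from NSS: the lookup itself failed or the
        # configured backend does not serve shadow data for this user.
        echo no-entry
        return 1
    fi
    expire=$(printf '%s\n' "$line" | cut -d: -f8)
    if [ -z "$expire" ]; then
        echo never-expires
        return 0
    fi
    if [ "$expire" -le "$today" ]; then
        echo expired
        return 1
    fi
    echo active
    return 0
}

# check_user_shadow USER
# Live check on the host: runs getent against whatever nsswitch.conf
# currently selects and classifies the result as above.
check_user_shadow() {
    today_days=$(( $(date +%s) / 86400 ))
    check_shadow_line "$(getent shadow "$1" 2>/dev/null)" "$today_days"
}
```

Running `check_user_shadow myname` once with `passwd: files ldap` and once with `passwd: files winbind` makes the difference the post describes visible without reading sshd's PAM log.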
