[Samba] authentication issue moving from Samba 4.11.x to 4.13.14

Patrick Goetz pgoetz at math.utexas.edu
Tue Mar 22 16:24:34 UTC 2022



On 3/21/22 21:52, Gaiseric Vandal via samba wrote:
> 
> On 3/21/2022 3:19 PM, Rowland Penny via samba wrote:
>> On Mon, 2022-03-21 at 15:08 -0400, Gaiseric Vandal via samba wrote:
>>> On 3/21/22 13:38, Rowland Penny via samba wrote:
>>>> On Mon, 2022-03-21 at 13:17 -0400, Gaiseric Vandal via samba wrote:
>>>>> LDAP is used for user and group lookups at the Unix/Linux level.
>>>>> This includes nfs and ssh.  The authentication itself is typically
>>>>> kerberos.  Presumably if nsswitch.conf pointed to winbind but not
>>>>> ldap, everything would continue to work.
>>>> Got to ask this, why are you using ldap for Unix user & group
>>>> lookups ?
>>>> I presume that the ldap lookups are searching for RFC2307
>>>> attributes,
>>>> if so, ldap is a bit redundant, your 'ad' backend will use the same
>>>> IDs
>>>>
>>>> While there a numerous superfluous lines in your smb.conf, it is
>>>> basically sound.
>>>>
>>>> Rowland
>>>>
>>>>
>>> A lot of the engineering/scientific software we use runs on Linux.
>>> A lot of the software development we do is also on Linux, so the
>>> focus of services on Solaris machines was to support Linux clients
>>> first, and Windows clients 2nd.  I am fairly confident that if I
>>> configure /etc/nsswitch.conf to use winbind (not ldap) for network
>>> users and groups that ssh login would still work.
>> I am absolutely positive it will work, it is how I run Samba on Linux.
>>
>>>    but I don't know about NFS (which is
>>> dependent on kerberos security.)
>> This should also work, I do not use NFS, but kerberos works well on
>> Linux, not sure about Solaris. If this was Debian, I would advise
>> installing the libnss-winbind, libpam-winbind and libpam-krb5 packages,
>> does Solaris have similar packages ?
>>
>> Rowland
>>
>>
> With /etc/nsswitch.conf set to use
> 
> 
>      passwd: files winbind
>      group:  files winbind
> 
> 
> Ssh logins fail, and the log shows the following
> 
> 
>         Mar 21 20:41:00 server1 sshd[28725]: [ID 800047 auth.error]
>         error: PAM: Authentication failed for myname from 192.x.x.x
> 
>         Mar 21 20:41:06 server1 sshd[28725]: [ID 720393 auth.error]
>         PAM-KRB5 (setcred): pam_setcred failed for myname (Failure
>         setting user credentials).
> 
>         Mar 21 20:43:43 server1 sshd[29042]: [ID 800047 auth.error]
>         error: PAM: User account has expired for myname from 192.x.x.x
> 
>         Mar 21 20:43:51 server1 sshd[29046]: [ID 800047 auth.error]
>         error: PAM: User account has expired for myname from 192.x.x.x
> 
> 

For ssh to authenticate against AD, you will need to have 
/etc/pam.d/sssd configured to use pam_winbind.so.

On Ubuntu/Debian systems this is squirreled away in 
/etc/pam.d/common-auth so you don't see it.

I haven't used Solaris in modern times, but since Sun invented PAM, I'm 
guessing Solaris is also configured to use PAM.


> 
> You will notice that solaris 11 does not have a separate shadow entry in 
> /etc/nsswitch.conf  (the shadow functionality is handled by the password 
> entry.)
> 
> 
> With LDAP, I get
> 
> 
>     # getent shadow myname
> 
>     myname:*NP*:::::::
> 
> 
> But with winbind, "getent shadow myname" doesn't show anything.
> 
> 
> 
> I don't have samba running as a domain member on any linux servers yet.
> 

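The point Patrick makes above is that a domain-member login has two halves that are configured in two different files: NSS (nsswitch.conf) has to resolve the user and group through winbind, and the PAM stack that sshd uses has to authenticate and do account management through pam_winbind.so; the "User account has expired" message in the quoted log is what sshd prints when the PAM account phase rejects the user. The script below is an added example, not code from this thread or from the Samba project. It is a POSIX shell checker that runs over constructed file contents embedded inline: a nsswitch.conf in the poster's shape, a PAM stack that only knows pam_unix.so, and a PAM stack in the shape Debian's pam-auth-update produces once libpam-winbind is installed. The file names, the Debian module arguments and the exact control fields are assumptions; the Solaris PAM layout differs.

```shell
#!/bin/sh
# Added example (not from the original thread or from Samba): check that both
# halves of an AD domain-member login are wired up, NSS resolving users and
# groups via winbind and PAM authenticating via pam_winbind.so.
# All file contents below are constructed samples, not copied from any host.

# Constructed nsswitch.conf resembling the setting quoted in the thread.
NSS_SAMPLE='passwd: files winbind
group:  files winbind
hosts:  files dns'

# Constructed PAM stack that still only consults local passwords (the failing case).
PAM_LOCAL_ONLY='auth    required    pam_unix.so nullok
account required    pam_unix.so
session required    pam_unix.so'

# Constructed PAM stack in the shape of Debian common-auth/common-account after
# libpam-winbind is installed (module arguments are assumptions).
PAM_WITH_WINBIND='# Debian-style stack, constructed for this example
auth    [success=2 default=ignore]  pam_unix.so nullok
auth    [success=1 default=ignore]  pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
account [success=2 new_authtok_reqd=done default=ignore]  pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]  pam_winbind.so
account requisite                   pam_deny.so
account required                    pam_permit.so'

# nss_uses_winbind DB CONF: succeed if database DB (passwd, group, ...) in the
# nsswitch.conf text CONF lists winbind as one of its sources.
nss_uses_winbind() {
    printf '%s\n' "$2" | awk -v db="$1" '
        /^[[:space:]]*#/ { next }
        { key = $1; sub(/:$/, "", key) }
        key == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# pam_has_module STACK TYPE MODULE: succeed if a non-comment line of management
# type TYPE (auth, account, ...) in the PAM text STACK references MODULE.
# Control fields like "[success=1 default=ignore]" split into several fields,
# so every field of the line is compared against the module name.
pam_has_module() {
    printf '%s\n' "$1" | awk -v t="$2" -v m="$3" '
        /^[[:space:]]*#/ { next }
        $1 == t { for (i = 2; i <= NF; i++) if ($i == m) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# login_path_ready NSSCONF PAMSTACK: print "ready" and succeed when NSS and
# both the auth and account PAM phases go through winbind; otherwise print
# which pieces are missing and fail. (Variables are global: plain POSIX sh.)
login_path_ready() {
    lp_nss=$1; lp_pam=$2; lp_missing=""
    nss_uses_winbind passwd "$lp_nss" || lp_missing="$lp_missing nss:passwd"
    nss_uses_winbind group  "$lp_nss" || lp_missing="$lp_missing nss:group"
    pam_has_module "$lp_pam" auth    pam_winbind.so || lp_missing="$lp_missing pam:auth"
    pam_has_module "$lp_pam" account pam_winbind.so || lp_missing="$lp_missing pam:account"
    if [ -z "$lp_missing" ]; then
        echo ready
        return 0
    fi
    echo "missing:$lp_missing"
    return 1
}

# Demo: the failing stack and the fixed stack against the same nsswitch.conf.
echo "local-only PAM:   $(login_path_ready "$NSS_SAMPLE" "$PAM_LOCAL_ONLY")"
echo "winbind PAM:      $(login_path_ready "$NSS_SAMPLE" "$PAM_WITH_WINBIND")"
```

On a real host the same functions can be fed the live files with `login_path_ready "$(cat /etc/nsswitch.conf)" "$(cat /etc/pam.d/sshd /etc/pam.d/common-auth /etc/pam.d/common-account 2>/dev/null)"`; on Debian the winbind lines live in the common-* files that sshd includes, which is why they are easy to miss when reading /etc/pam.d/sshd alone.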

