[Samba] authentication issue moving from Samba 4.11.x to 4.13.14

Rowland Penny rpenny at samba.org
Tue Mar 22 16:34:48 UTC 2022


On Tue, 2022-03-22 at 11:24 -0500, Patrick Goetz via samba wrote:
> 
> On 3/21/22 21:52, Gaiseric Vandal via samba wrote:
> > On 3/21/2022 3:19 PM, Rowland Penny via samba wrote:
> > > On Mon, 2022-03-21 at 15:08 -0400, Gaiseric Vandal via samba
> > > wrote:
> > > > On 3/21/22 13:38, Rowland Penny via samba wrote:
> > > > > On Mon, 2022-03-21 at 13:17 -0400, Gaiseric Vandal via samba
> > > > > wrote:
> > > > > > LDAP is used for user and group lookups at the Unix/Linux level.
> > > > > > This includes nfs and ssh.  The authentication itself is typically
> > > > > > kerberos.  Presumably if nsswitch.conf pointed to winbind but not
> > > > > > ldap, everything would continue to work.
> > > > > Got to ask this, why are you using ldap for Unix user & group lookups?
> > > > > I presume that the ldap lookups are searching for RFC2307 attributes,
> > > > > if so, ldap is a bit redundant, your 'ad' backend will use the same
> > > > > IDs.
> > > > > 
> > > > > While there are numerous superfluous lines in your smb.conf, it is
> > > > > basically sound.
> > > > > 
> > > > > Rowland
> > > > > 
> > > > > 
> > > > A lot of the engineering/scientific software we use runs on Linux.
> > > > A lot of the software development we do is also on Linux, so the
> > > > focus of services on Solaris machines was to support Linux clients
> > > > first, and Windows clients 2nd.  I am fairly confident that if I
> > > > configure /etc/nsswitch.conf to use winbind (not ldap) network users
> > > > and groups that ssh login would still work.
> > > I am absolutely positive it will work, it is how I run Samba on Linux.
> > > 
> > > > but I don't know about NFS (which is dependent on kerberos security.)
> > > This should also work, I do not use NFS, but kerberos works well on
> > > Linux, not sure about Solaris. If this was Debian, I would advise
> > > installing the libnss-winbind, libpam-winbind and libpam-krb5 packages,
> > > does Solaris have similar packages?
> > > 
> > > Rowland
> > > 
> > > 
> > With /etc/nsswitch.conf set to use
> > 
> >      passwd: files winbind
> >      group:  files winbind
> > 
> > Ssh logins fail, and the log shows the following
> > 
> >         Mar 21 20:41:00 server1 sshd[28725]: [ID 800047 auth.error] error: PAM: Authentication failed for myname from 192.x.x.x
> > 
> >         Mar 21 20:41:06 server1 sshd[28725]: [ID 720393 auth.error] PAM-KRB5 (setcred): pam_setcred failed for myname (Failure setting user credentials).
> > 
> >         Mar 21 20:43:43 server1 sshd[29042]: [ID 800047 auth.error] error: PAM: User account has expired for myname from 192.x.x.x
> > 
> >         Mar 21 20:43:51 server1 sshd[29046]: [ID 800047 auth.error] error: PAM: User account has expired for myname from 192.x.x.x
> > 
> > 
> 
> For ssh to authenticate against AD, you will need to have 
> /etc/pam.d/sssd configured to use pam_winbind.so.

No you don't, I do not use sssd anywhere and I can ssh into any of my
Linux machines.

/var/log/auth.log

Mar 22 16:32:09 rpidc2 sshd[31208]: Authorized to rowland, krb5 principal rowland at SAMDOM.EXAMPLE.COM (krb5_kuserok)
Mar 22 16:32:09 rpidc2 sshd[31208]: Accepted gssapi-with-mic for rowland from 192.168.0.49 port 45704 ssh2: rowland at SAMDOM.EXAMPLE.COM
Mar 22 16:32:10 rpidc2 sshd[31208]: pam_unix(sshd:session): session opened for user rowland by (uid=0)
Mar 22 16:32:10 rpidc2 systemd-logind[404]: New session 1190 of user SAMDOM\rowland.
Mar 22 16:32:10 rpidc2 systemd: pam_unix(systemd-user:session): session opened for user SAMDOM\rowland by (uid=0)
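As an added example (not code from the thread or from the Samba project), the small Python classifier below parses both forms of sshd message quoted in this exchange, the Solaris syslog lines with the `[ID nnnnnn auth.error]` tag and the Debian auth.log lines, counts them by category, and flags host:user pairs that only ever fail inside PAM and never reach a successful GSSAPI login. That pattern is what to look for after an upgrade when the nsswitch/PAM chain, rather than the AD account, is the suspect. The sample log text and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict
# Constructed sample modelled on the Solaris and Debian sshd lines quoted in the thread (test addresses).
SAMPLE_LOG = """\
Mar 21 20:41:00 server1 sshd[28725]: [ID 800047 auth.error] error: PAM: Authentication failed for myname from 192.0.2.10
Mar 21 20:41:06 server1 sshd[28725]: [ID 720393 auth.error] PAM-KRB5 (setcred): pam_setcred failed for myname (Failure setting user credentials).
Mar 21 20:43:43 server1 sshd[29042]: [ID 800047 auth.error] error: PAM: User account has expired for myname from 192.0.2.10
Mar 22 16:32:09 rpidc2 sshd[31208]: Authorized to rowland, krb5 principal rowland@SAMDOM.EXAMPLE.COM (krb5_kuserok)
Mar 22 16:32:09 rpidc2 sshd[31208]: Accepted gssapi-with-mic for rowland from 192.168.0.49 port 45704 ssh2: rowland@SAMDOM.EXAMPLE.COM
Mar 22 16:32:10 rpidc2 sshd[31208]: pam_unix(sshd:session): session opened for user rowland by (uid=0)
"""
# syslog prefix shared by both formats; the Solaris "[ID nnnnnn auth.error]" tag stays in msg
SSHD_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# ordered (category, pattern) pairs; the first match wins
PATTERNS = [
    ("krb5_authorized", re.compile(r"Authorized to (?P<user>[^,]+), krb5 principal (?P<principal>\S+)")),
    ("krb5_accepted", re.compile(r"Accepted gssapi-with-mic for (?P<user>\S+) from (?P<src>\S+)")),
    ("pam_expired", re.compile(r"PAM: User account has expired for (?P<user>\S+) from (?P<src>\S+)")),
    ("pam_setcred_failed", re.compile(r"pam_setcred failed for (?P<user>\S+)")),
    ("pam_auth_failed", re.compile(r"PAM: Authentication failed for (?P<user>\S+) from (?P<src>\S+)")),
    ("session_opened", re.compile(r"session opened for user (?P<user>\S+)")),
]
FAILURES = {"pam_expired", "pam_setcred_failed", "pam_auth_failed"}
SUCCESSES = {"krb5_accepted", "session_opened"}
def parse_line(line):
    """Classify one sshd syslog line; returns None for lines that are not from sshd."""
    m = SSHD_LINE.match(line)
    if not m:
        return None
    event = {"host": m["host"], "pid": int(m["pid"]), "category": "other"}
    for category, rx in PATTERNS:
        hit = rx.search(m["msg"])
        if hit:
            event["category"] = category
            event.update(hit.groupdict())
            break
    return event

def summarize(log_text):
    """Count categories and list host:user pairs with PAM failures but no successful login."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    counts = Counter(e["category"] for e in events)
    seen = defaultdict(set)  # (host, user) -> categories observed for that pair
    for e in events:
        if "user" in e:
            seen[(e["host"], e["user"])].add(e["category"])
    # failing only inside PAM, never at the Kerberos step, points at the nsswitch/PAM chain
    suspects = sorted(f"{h}:{u}" for (h, u), cats in seen.items()
                      if cats & FAILURES and not cats & SUCCESSES)
    return dict(counts), suspects
```

Run `summarize(open("/var/log/auth.log").read())` on a real host to get the per-category counts and the list of host:user pairs worth checking with `getent passwd` and the PAM stack.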