[Samba] authentication issue moving from Samba 4.11.x to 4.13.14
Patrick Goetz
pgoetz at math.utexas.edu
Tue Mar 22 16:58:37 UTC 2022
On 3/22/22 11:34, Rowland Penny via samba wrote:
> On Tue, 2022-03-22 at 11:24 -0500, Patrick Goetz via samba wrote:
>>
>> On 3/21/22 21:52, Gaiseric Vandal via samba wrote:
>>> On 3/21/2022 3:19 PM, Rowland Penny via samba wrote:
>>>> On Mon, 2022-03-21 at 15:08 -0400, Gaiseric Vandal via samba
>>>> wrote:
>>>>> On 3/21/22 13:38, Rowland Penny via samba wrote:
>>>>>> On Mon, 2022-03-21 at 13:17 -0400, Gaiseric Vandal via samba
>>>>>> wrote:
>>>>>>> LDAP is used for user and group lookups at the Unix/Linux
>>>>>>> level.
>>>>>>> This
>>>>>>> includes nfs and ssh. The authentication itself is
>>>>>>> typically
>>>>>>> kerberos. Presumably if nsswitch.conf pointed to winbind
>>>>>>> but
>>>>>>> not
>>>>>>> ldap
>>>>>>> it everything would continue to work.
>>>>>> Got to ask this, why are you using ldap for Unix user & group
>>>>>> lookups ?
>>>>>> I presume that the ldap lookups are searching for RFC2307
>>>>>> attributes,
>>>>>> if so, ldap is a bit redundant, your 'ad' backend will use
>>>>>> the same
>>>>>> IDs
>>>>>>
>>>>>> While there a numerous superfluous lines in your smb.conf, it
>>>>>> is
>>>>>> basically sound.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>> A lot of the engineering/scientific software we use runs on
>>>>> Linux.
>>>>> A
>>>>> lot of the software development we do is also on Linux, so the
>>>>> focus
>>>>> of
>>>>> services on Solaris machines was to support Linux clients
>>>>> first, and
>>>>> Windows clients 2nd. I am fairly confident that if I
>>>>> configure
>>>>> /etc/nsswitch.conf to use winbind (not ldap) network users and
>>>>> groups
>>>>> that ssh login would still work.
>>>> I am absolutely positive it will work, it is how I run Samba on
>>>> Linux.
>>>>
>>>>> but I don't know about NFS (which is
>>>>> dependent on kerberos security.)
>>>> This should also work, I do not use NFS, but kerberos works well
>>>> on
>>>> Linux, not sure about Solaris. If this was Debian, I would advise
>>>> installing the libnss-winbind, libpam-winbind and libpam-krb5
>>>> packages,
>>>> does Solaris have similar packages ?
>>>>
>>>> Rowland
>>>>
>>>>
>>> With /etc/nsswitch.conf set to use
>>>
>>>
>>> passwd: files winbind
>>> group: files winbind
>>>
>>>
>>> Ssh logins fail, and the log shows the following
>>>
>>>
>>> Mar 21 20:41:00 server1 sshd[28725]: [ID 800047 auth.error]
>>> error: PAM: Authentication failed for myname from 192.x.x.x
>>>
>>> Mar 21 20:41:06 server1 sshd[28725]: [ID 720393 auth.error]
>>> PAM-KRB5 (setcred): pam_setcred failed for myname (Failure
>>> setting user credentials).
>>>
>>> Mar 21 20:43:43 server1 sshd[29042]: [ID 800047 auth.error]
>>> error: PAM: User account has expired for myname from
>>> 192.x.x.x
>>>
>>> Mar 21 20:43:51 server1 sshd[29046]: [ID 800047 auth.error]
>>> error: PAM: User account has expired for myname from
>>> 192.x.x.x
>>>
>>>
>>
>> For ssh to authenticate against AD, you will need to have
>> /etc/pam.d/sssd configured to use pam_winbind.so.
>
> No you don't, I do not use sssd anywhere and I can ssh into any of my
> Linux machines.
>
Um, that was a typo: I meant to say /etc/pam.d/sshd
The reference to pam_winbind.so should have given this away.
> /var/log/auth.log
>
> Mar 22 16:32:09 rpidc2 sshd[31208]: Authorized to rowland, krb5
> principal rowland at SAMDOM.EXAMPLE.COM (krb5_kuserok)
> Mar 22 16:32:09 rpidc2 sshd[31208]: Accepted gssapi-with-mic for
> rowland from 192.168.0.49 port 45704 ssh2: rowland at SAMDOM.EXAMPLE.COM
> Mar 22 16:32:10 rpidc2 sshd[31208]: pam_unix(sshd:session): session
> opened for user rowland by (uid=0)
> Mar 22 16:32:10 rpidc2 systemd-logind[404]: New session 1190 of user
> SAMDOM\rowland.
> Mar 22 16:32:10 rpidc2 systemd: pam_unix(systemd-user:session): session
> opened for user SAMDOM\rowland by (uid=0)
>>
>
>
More information about the samba
mailing list