Burris, Celeste Suliin
2006-Jul-21 01:23 UTC
[Samba] SSH and winbind authentication on Solaris 10
I've googled my heart out, but I cannot see an example of ssh authentication with Active Directory and winbindd, particularly on Solaris 10. I have it working on Solaris 8 with telnet, but I'm trying to break my users of telnet.

Has anyone got it working? If so, would you be willing to share the global section of your smb.conf and pam.conf with me? Is there something I need to put in one of the ssh configuration files?

Celeste Suliin Burris
Systems Administrator
Community and Economic Development Department
Phone - 253-591-5093
Email - csburris@ci.tacoma.wa.us
URL - http://www.cityofdestiny.com
Gerald (Jerry) Carter
2006-Jul-21 01:40 UTC
[Samba] SSH and winbind authentication on Solaris 10
Burris, Celeste Suliin wrote:
> I've googled my heart out, but I cannot see an example
> of ssh authentication with Active Directory and winbindd,
> particularly on Solaris 10. I have it working on Solaris
> 8 with telnet, but I'm trying to break my users of
> telnet.

There's not much to it besides adding pam_winbind.so to your pam file and making sure to set 'template shell' to a valid shell on your system. The default is /bin/false.

cheers, jerry

====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" -->
here they are:
krb5.conf
[libdefaults]
default_realm = ADS.SK
[realms]
# NOTE: this realm name does not match default_realm above (ADS.SK)
ADS.UNIT.SK = {
kdc = windows.ads.unit.sk
}
# the section is named [domain_realm] (singular); libkrb5 ignores a [domain_realms] section
[domain_realm]
.kerberos.server = WINDOWS.ADS.SK
smb.conf
[global]
#host settings
netbios name = SOLARIS
server string = Test Server for join to ADS
workgroup = ADS
os level = 20
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
#winbind configuration
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
# deprecated synonym for "idmap gid" above; the two must agree
winbind gid = 10000-20000
winbind cache time = 20
winbind separator = +
#server
socket address = ip
password server = ip
preferred master = no
realm = ADS.SK
security = ADS
encrypt passwords = yes
dns proxy = no
#logging
max log size = 50
log level = 1
log file = /var/samba/log/log.%m
template homedir = /export/home/%D.%U
template shell = /bin/bash
pam.conf
login auth sufficient pam_winbind.so.1
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth sufficient pam_winbind.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_winbind.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
#other session optional pam_mkhomedir.so skel=/etc/skel umask=0022
other session required pam_unix_session.so.1
#other session sufficient pam_winbind.so
Any comments, suggestions are welcome.
root and AD users are able to login by ssh, telnet, dtlogin ..
I have only 2 problems:
1. if root logs in pam gives me (but root can log in):
Jul 21 09:55:30 solaris pam_winbind[885]: [ID 744057 auth.error] request failed: Logon failure, PAM error was Authentication failed (9), NT error was NT_STATUS_LOGON_FAILURE
Jul 21 09:55:30 solaris pam_winbind[885]: [ID 912734 auth.error] request failed, but PAM error 0!
Jul 21 09:55:30 solaris pam_winbind[885]: [ID 799888 auth.error] internal module error (retval = 3, user = `root')
Can you give me some suggestions how to avoid this?
2. I cannot use pam_mkhomedir; if pam_mkhomedir is commented out users cannot log in, because the sun box drops the ssh connections.
Do you guys see some misconfiguration here?
Thanks
Stefan
Burris, Celeste Suliin wrote:
> I've googled my heart out, but I cannot see an example of ssh authentication
> with Active Directory and winbindd, particularly on Solaris 10. I have it
> working on Solaris 8 with telnet, but I'm trying to break my users of
> telnet.
>
> Has anyone got it working? If so, would you be willing to share the global
> section of your smb.conf and pam.conf with me? Is there something I need to
> put in one of the ssh configuration files?
--
+----------------------------------------------+
| Stefan Varga TEMPEST a.s. |
| Systems Engineer IT Services |
| +421908 760617 Plynarenska 7/B |
| Stefan_Varga@tempest.sk Bratislava |
| Sun Microsystems Enterprise system provider |
+----------------------------------------------+
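A pre-flight script for the setup discussed in both replies above, added here as an example; it is not part of either reply, of Samba, or of Solaris. It checks the things the thread turns on before anyone tries an ssh login: that the realm in smb.conf is the krb5.conf default_realm and actually has a [realms] block with a kdc, that 'template shell' is a permitted login shell (Jerry's point about the /bin/false default), and that pam_winbind.so.1 is present in the auth and account stacks as 'sufficient' rather than 'required' (so a purely local account still reaches pam_unix). The config texts are constructed stand-ins mirroring the posted files, realm name mismatch included, and the shell list is an assumed stand-in for /etc/shells.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a Samba/winbind
# login setup on a Solaris-style box. The config texts below are constructed
# to mirror the ones posted above; point the functions at the real files instead.

# Constructed stand-in for the [global] section of smb.conf
SMB_CONF='[global]
   workgroup = ADS
   realm = ADS.SK
   security = ADS
   template homedir = /export/home/%D.%U
   template shell = /bin/bash'

# Constructed stand-in for krb5.conf (keeps the realm name mismatch as posted)
KRB5_CONF='[libdefaults]
   default_realm = ADS.SK
[realms]
   ADS.UNIT.SK = {
      kdc = windows.ads.unit.sk
   }'

# Constructed stand-in for the "other" stacks of /etc/pam.conf
PAM_CONF='other auth sufficient pam_winbind.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_unix_auth.so.1
other account sufficient pam_winbind.so.1
other account required pam_unix_account.so.1'

# Assumed list of permitted login shells (stand-in for /etc/shells)
SHELLS='/bin/sh
/bin/bash
/bin/ksh'

# conf_value TEXT KEY: value of the first "KEY = value" line in an ini-style file
conf_value() {
  printf '%s\n' "$1" | awk -v key="$2" '
    index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }'
}

# realm_defined KRB5TEXT REALM: exit 0 if REALM has a "REALM = {" block under [realms]
realm_defined() {
  printf '%s\n' "$1" | awk -v realm="$2" '
    /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms]/); next }
    in_realms && $1 == realm && $2 == "=" { found = 1 }
    END { exit(found ? 0 : 1) }'
}

# shell_valid SHELLSTEXT PATH: exit 0 if PATH is an exact line of the shell list
shell_valid() {
  printf '%s\n' "$1" | grep -qxF -- "$2"
}

# pam_winbind_flag PAMTEXT SERVICE TYPE: control flag of the pam_winbind line, empty if absent
pam_winbind_flag() {
  printf '%s\n' "$1" | awk -v svc="$2" -v t="$3" '
    $1 == svc && $2 == t && $4 ~ /pam_winbind/ { print $3; exit }'
}

# audit SMB KRB5 PAM SHELLS: print one line per finding, then "N finding(s)"
audit() {
  n=0
  realm=$(conf_value "$1" realm)
  default_realm=$(conf_value "$2" default_realm)
  if [ "$realm" != "$default_realm" ]; then
    echo "FAIL: smb.conf realm '$realm' differs from krb5.conf default_realm '$default_realm'"
    n=$((n + 1))
  fi
  if ! realm_defined "$2" "$realm"; then
    echo "FAIL: realm '$realm' has no [realms] entry, so no KDC can be located for it"
    n=$((n + 1))
  fi
  shell=$(conf_value "$1" "template shell")
  if ! shell_valid "$4" "$shell"; then
    echo "FAIL: template shell '$shell' is not a permitted login shell; AD users will be refused"
    n=$((n + 1))
  fi
  for stack in auth account; do
    flag=$(pam_winbind_flag "$3" other "$stack")
    if [ -z "$flag" ]; then
      echo "FAIL: no pam_winbind.so.1 line in the 'other $stack' stack"
      n=$((n + 1))
    elif [ "$flag" = required ]; then
      echo "WARN: pam_winbind is 'required' for $stack; local accounts such as root cannot fall through to pam_unix"
      n=$((n + 1))
    fi
  done
  echo "$n finding(s)"
}

audit "$SMB_CONF" "$KRB5_CONF" "$PAM_CONF" "$SHELLS"
```

Run against the constructed copies it reports one finding: ADS.SK is the default_realm and the smb.conf realm, but only ADS.UNIT.SK has a [realms] block, so there is no kdc line for the realm the Samba side will ask for. The PAM check only looks at the "other" stacks; on a box with an explicit sshd entry in pam.conf, call pam_winbind_flag with sshd as the service as well.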