Mirco MEGAS
2014-Oct-20 22:24 UTC
[Samba] Allow Samba4/AD group "MYDOM\Domain Admins" to login through SSH on linux hosts
Mirco MEGAS
2014-Oct-20 23:08 UTC
[Samba] Fwd: Allow Samba4/AD group "MYDOM\Domain Admins" to login through SSH on linux
Hi,

For several Linux servers on our network we want to allow the AD domain group called "MYDOM\Domain Admins" to login through SSH with their AD credentials. Our DC1 and DC2 are running on Debian 64bit using Samba 4.1.12/Sernet.

I'm kind of confused about what exactly I need for this. Do I need to set up PAM authentication as explained in the tutorial here? (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Setting_up_PAM_authentication)

I tried that. I didn't create the symlink as shown in the tutorial (ln -s /usr/local/samba/lib/security/pam_winbind.so /lib64/security/), because I realized that I have a file called "root@membersrv1:/lib/x86_64-linux-gnu/security/pam_winbind.so" which I think comes from the Sernet Samba 4.1.12 package (please correct me if I'm wrong).

Then I tried to modify "/etc/pam.d/sshd" according to the tutorial; that's how my "/etc/pam.d/sshd" looked afterwards:

============================================================================
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

auth       sufficient   pam_winbind.so use_first_pass

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
password   sufficient   pam_winbind.so use_authtok
============================================================================

As you see, I have just inserted the particular three lines. Then I did "service sernet-samba-winbindd restart && service ssh restart" on that member server, and I also modified "/etc/ssh/sshd_config" and uncommented the line "PasswordAuthentication yes" to be sure I am not missing anything. Then I restarted the ssh daemon, too.

Unfortunately I cannot login through ssh onto that member server, although I provide the correct credentials for the user. I tried the following combinations as login:

username=testuser1, password=test1test1
username=MYDOM\testuser1, password=test1test1
username=MYDOM\\testuser1, password=test1test1

I am sure that the password is correct. In my thoughts the file I modified is not the correct filename, or maybe I used a wrong order in the lines, because my /etc/pam.d/sshd looks quite different from the one provided in the wiki.

In the following I modified "/etc/pam.d/sshd" again to revert the changes. I commented out the three lines, so they are not active any more, because I think that was the wrong way for my Debian Wheezy 64bit GNU/Linux distribution. Instead, some other files drew my attention ...

I edited "/etc/pam.d/common-account" and added at the end of the file the desired line like this:

[...]
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
account [default=bad success=ok user_unknown=ignore] pam_winbind.so

Then I edited "/etc/pam.d/common-auth" and added at the end the corresponding line like this:

[...]
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
auth sufficient pam_winbind.so use_first_pass

Then I edited "/etc/pam.d/common-password" and added at the end the corresponding line like this:

[...]
password sufficient pam_winbind.so use_authtok

I restarted the "sernet-samba-winbindd" and "ssh" daemons but I still cannot login through SSH with "testuser1" credentials. The file "/var/log/auth.log" outputs the following errors while I try to login through ssh with that testuser1:

Oct 21 01:04:59 membersrv1 sshd[2915]: pam_winbind(sshd:auth): getting password (0x00000010)
Oct 21 01:04:59 membersrv1 sshd[2915]: pam_winbind(sshd:auth): Could not retrieve user's password
Oct 21 01:04:59 membersrv1 sshd[2915]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.123 user=testuser1
Oct 21 01:05:01 membersrv1 sshd[2915]: Failed password for testuser1 from 192.168.0.123 port 18337 ssh2
Oct 21 01:05:12 membersrv1 sshd[2915]: Connection closed by 192.168.0.123 [preauth]

I want to add that I can "su - testuser1" correctly on that member server; the user "testuser1" has a valid login shell and the "su - testuser1" login worked fine.

Also "testuser1" is correctly shown by winbind on that member server, see output below:

==========================================================================
# getent passwd testuser1
testuser1:*:10003:10000:Test User 1:/home/MYDOM/testuser1:/bin/bash
# id testuser1
uid=10003(testuser1) gid=10000(domain users) groups=10000(domain users),70002(BUILTIN\users)
# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
# kinit testuser1@MYDOM.EXAMPLE.COM
Password for testuser1@MYDOM.EXAMPLE.COM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser1@MYDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
21.10.2014 00:18:58  21.10.2014 10:18:58  krbtgt/MYDOM.EXAMPLE.COM@MYDOM.EXAMPLE.COM
	renew until 22.10.2014 00:18:56
==========================================================================

So I am sure that the password supplied for testuser1 was correct, because "kinit" did succeed as you can see.

Now I am stuck here and I am quite unsure if that's even the correct way. I also found the tutorial here (https://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Secure_passwordless_SSH) which explains a completely different way. What exactly do I need? PAM_WINBIND authentication or Kerberos, or maybe even both?

Someone else also told me that I should use sssd for that, but I don't think I want to completely build a new configuration for my member server, because my member server was configured with the ad backend according to the tutorial (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server).

Please, any help appreciated. Thanks a lot in advance.

Mirco
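An added example, not from the thread or the Samba wiki, that lints a PAM auth stack for the two ordering problems visible in the post above: pam_winbind with use_first_pass placed before any module has collected a password (the condition that produces the "Could not retrieve user's password" line in the auth.log excerpt), and pam_winbind appended after Debian's "requisite pam_deny.so" line, where it is never reached once pam_unix rejects an AD user. The sample stacks are constructed; PROFILE only mirrors the shape Debian's pam-auth-update winbind profile produces and is not a verified copy of it.

```python
"""Lint a PAM 'auth' stack for pam_winbind ordering mistakes (constructed samples; @include must be expanded)."""
import re

PROMPTING = {"pam_unix.so", "pam_winbind.so", "pam_krb5.so", "pam_sss.so"}  # modules that prompt themselves
LINE_RE = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_auth_stack(text):
    # Yield (control, module, [args]) for each 'auth' line, with '#' comments stripped.
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).split()

def lint_auth_stack(text):
    # Returns findings as strings; an empty list means the ordering looks sane.
    findings = []
    have_password = False   # has an earlier module already collected the password?
    short_circuit = False   # has 'requisite pam_deny.so' made later lines unreachable on failure?
    for control, module, args in parse_auth_stack(text):
        if module == "pam_winbind.so":
            if "use_first_pass" in args and not have_password:
                findings.append("use_first_pass before any module collected a password: expect 'Could not retrieve user's password'")
            if short_circuit:
                findings.append("pam_winbind after 'requisite pam_deny.so': unreachable once pam_unix fails for an AD user")
        if module in PROMPTING and "use_first_pass" not in args:
            have_password = True
        if module == "pam_deny.so" and control == "requisite":
            short_circuit = True
    return findings

# Constructed: winbind inserted before '@include common-auth' in /etc/pam.d/sshd (first attempt).
FIRST_ATTEMPT = """\
auth sufficient pam_winbind.so use_first_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
"""
# Constructed: winbind appended to the 'Additional' block at the end of common-auth (second attempt).
APPENDED = """\
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth sufficient pam_winbind.so use_first_pass
"""
# Shape of Debian's pam-auth-update winbind profile: winbind between pam_unix and pam_deny, try_first_pass.
PROFILE = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
```

None of these stacks restricts logins to "MYDOM\Domain Admins"; that still needs a group check such as pam_winbind's require_membership_of option or sshd's AllowGroups.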