Kaplan, Andrew H.
2016-Jun-10 16:49 UTC
[Samba] Problem with Active Directory authentication
Hello --

I removed the ldap and sssd packages from the server, and I am trying to get winbind to work on the system.

The configuration of the /etc/samba/smb.conf file's global section is the following:

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
security = ads
realm = <domain name>
workgroup = <domain>
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2

While that of the /etc/nsswitch.conf file reads as follows:

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
...

The /etc/krb5.conf file has the domain name in capital letters for the default_realm entry.

I was able to join the server with the domain.

When I ran the getent <username>@<DOMAINNAME> command, the output was the following:

<DOMAINNAME>\<username>:*:10000:10005:<lastname>, <firstname>.:/home/<DOMAIN>/<username>:/bin/false

I attempted to log into the system via ssh using the following command syntax:

ssh -l <username>@<DOMAINNAME> <server fqdn>

The connection was made, but it was immediately closed. I am guessing the /bin/false shell could be what is causing the problem.

The auth.log file also had the following entries:

Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=microknoppix.mgh.harvard.edu user=ahk at PARTNERS.ORG
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): pam_get_item returned a password
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:auth): user '<DOMAINNAME>\<username>' granted access
Jun 10 12:44:00 <samba server> sshd[13560]: Accepted password for <username>@<DOMAINNAME> from <ip address> port 54879 ssh2
Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session opened for user <DOMAINNAME>\<username> by (uid=0)
Jun 10 12:44:00 <samba server> sshd[13560]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: umask
Jun 10 12:44:00 <samba server> sshd[13560]: pam_mkhomedir(sshd:session): unknown option: 0022
Jun 10 12:44:00 <samba server> sshd[13608]: Received disconnect from <ip address>: disconnected by user
Jun 10 12:44:00 <samba server> sshd[13560]: pam_unix(sshd:session): session closed for user <DOMAINNAME>\<username>
Jun 10 12:44:00 <samba server> sshd[13560]: pam_winbind(sshd:setcred): user '<DOMAINNAME>\<username>' OK

The pam-auth-update command indicated the following were enabled:

Unix authentication
Winbind NT/Active Directory authentication
Register user sessions in the systemd control group hierarchy
Inheritable Capabilities Management

________________________________
From: Data Control Systems - Mike Elkevizth [mike at datacontrolsystems.com]
Sent: Friday, June 10, 2016 10:45 AM
To: Kaplan, Andrew H.; samba at lists.samba.org
Cc: Rowland penny
Subject: Re: [Samba] Problem with Active Directory authentication

Hi,

I have a feeling that Rowland is correct that all the different authentication methods are interfering with one another. I can say all I have is winbind and it works fine for me. My relevant pam-auth-update modules are:

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login

My relevant excerpt from /etc/nsswitch.conf is:

passwd: compat winbind
group: compat winbind

If your smb.conf file includes the "template shell = /bin/bash" as you indicated earlier, but your getent passwd is returning /bin/PHSshell instead, I think the information is being returned by a service other than winbind. Depending on how pam is configured, generally the order listed when you run pam-auth-update will be the order in which the services are tried. So the first one listed there is probably the one returning the info to getent passwd. I also know that my ssh (Ubuntu 16.04 client and server) doesn't like the username in the format <username>@<domainname> and this isn't the format that winbind would return the information, at least not by default. For me getent passwd <username>@<domainname> would return the user as <domainname>\<username>. I would try running pam-auth-update and disabling the LDAP and SSSD authentication methods and see if getent passwd returns different info.

Your first post looked to me like the authentication was succeeding, but then the shell was wrong and so you were immediately logged out. Like you mentioned in a previous post, the /bin/PHSshell is probably the issue because it probably doesn't exist. A link from /bin/PHSshell to /bin/bash would fix this, but more than likely, it is a configuration issue that is returning the wrong shell in the first place. Is PHS your netbios domain name? If it is, it's probably the LDAP or SSSD configuration that is returning the shell using a substitution that isn't set up correctly.

Good luck,

Mike E.
On Fri, Jun 10, 2016 at 10:14 AM Rowland penny <rpenny at samba.org> wrote:

On 10/06/16 13:46, Kaplan, Andrew H. wrote:
> Hello --
>
> The winbind packages that are installed on the server are the following:
>
> Package           Version                       Arch   Description
> libnss-winbind    4.3.9+dfsg-0ubuntu0.14.04.3   amd64  Samba nameservice integration plugins
> libpam-winbind    4.3.9+dfsg-0ubuntu0.14.04.3   amd64  Windows domain authentication integration plugin
> libwbclient0      4.3.9+dfsg-0ubuntu0.14.04.3   amd64  Samba winbind client library
> winbind           4.3.9+dfsg-0ubuntu0.14.04.3   amd64  service to resolve user and group information from Windows NT servers
>
> Similarly, the ldap PAM packages are as follows:
>
> Package           Version                       Arch   Description
> ldap-auth-client  0.5.3                         all    meta-package for LDAP authentication
> ldap-auth-config  0.5.3                         all    Config package for LDAP authentication
> ldap-utils        2.4.31-1+nmu2ubuntu8.2        amd64  OpenLDAP utilities
> libldap-2.4-2     2.4.31-1+nmu2ubuntu8.2        amd64  OpenLDAP libraries
> libldb1           1.1.24-0ubuntu0.14.04.1       amd64  LDAP-like embedded database - shared library
> libnss-ldap       264-2.2ubuntu4.14.04.1        amd64  NSS module for using LDAP as a naming service
> libpam-ldap       184-8.5ubuntu3                amd64  Pluggable Authentication Module for LDAP
> sssd-ldap         1.11.5-1ubuntu3               amd64  System Security Services Daemon -- LDAP back end
>
> Finally, the sssd packages are the following:
>
> Package           Version                       Arch   Description
> libsss-idmap0     1.11.5-1ubuntu3               amd64  ID mapping library for SSSD
> sssd              1.11.5-1ubuntu3               amd64  System Security Services Daemon -- metapackage
> sssd-ad           1.11.5-1ubuntu3               amd64  System Security Services Daemon -- Active Directory back end
> sssd-ad-common    1.11.5-1ubuntu3               amd64  System Security Services Daemon -- PAC responder
> sssd-common       1.11.5-1ubuntu3               amd64  System Security Services Daemon -- common files
> sssd-ipa          1.11.5-1ubuntu3               amd64  System Security Services Daemon -- IPA back end
> sssd-krb5         1.11.5-1ubuntu3               amd64  System Security Services Daemon -- Kerberos back end
> sssd-krb5-common  1.11.5-1ubuntu3               amd64  System Security Services Daemon -- Kerberos helpers
> sssd-ldap         1.11.5-1ubuntu3               amd64  System Security Services Daemon -- LDAP back end
> sssd-proxy        1.11.5-1ubuntu3               amd64  System Security Services Daemon -- proxy back end
> sssd-tools        1.11.5-1ubuntu3               amd64  System Security Services Daemon -- tools
>
> Will removing all packages for the first two groups solve this problem?
>
> From: samba [samba-bounces at lists.samba.org] on behalf of Rowland penny [rpenny at samba.org]
> Sent: Friday, June 10, 2016 8:29 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problem with Active Directory authentication
>
> On 10/06/16 12:47, Kaplan, Andrew H. wrote:
>> Hello --
>>
>> I started a thread on the list that you suggested in your e-mail, and thank-you for the reference.
>>
>> Also, I checked the auth.log file on the server, and the following entries were present:
>>
>> Jun 10 07:10:50 <samba server> sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): received for user <username>@<domainname> 17 (Failure setting user credentials)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: reconnecting to LDAP server...
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>> Jun 10 07:10:53 <samba server> sshd[7419]: Failed password for invalid user <username>@<domainname> from <ip address> port 49847 ssh2
>>
>> ________________________________________
>> From: Sumit Bose [sbose at redhat.com]
>> Sent: Friday, June 10, 2016 4:44 AM
>> To: Kaplan, Andrew H.
>> Cc: samba-technical at lists.samba.org; samba at lists.samba.org
>> Subject: Re: Problem with Active Directory authentication
>>
>> On Wed, Jun 08, 2016 at 07:46:00PM +0000, Kaplan, Andrew H. wrote:
>>> Hello --
>>>
>>> We are running the 14.04.3 LTS 64-bit release as a virtual machine on a Vmware appliance. The goal of the installation is to create a Samba server that utilizes Active Directory authentication. To that end I utilized the following procedure:
>>>
>>> http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/
>>>
>>> Afterwards, I referenced the following documentation to confirm that all configuration files had the appropriate entries:
>>>
>>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html
>> The sssd-users list
>> https://lists.fedorahosted.org/archives/list/sssd-users at lists.fedorahosted.org/
>> might be more appropriate for your question.
>>
>> As a general comment, the PAM configuration is important here. Please
>> check the system logs which PAM module was consulted during the login
>> attempt and which cause the rejection.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>> The problem is the following: I am unable to log into the server from the console or via SSH using my Active Directory user account. The syntax that I use when doing an SSH connection is the following:
>>>
>>> ssh -v -l <username>@<domainname> <fully qualified domain name>
>>>
>>> The output that was generated is the following:
>>>
>>> OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>>> debug1: Connecting to <fully qualified domain name> [<ip address>] port 22.
>>> debug1: Connection established.
>>> debug1: identity file /home/knoppix/.ssh/id_rsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
>>> debug1: identity file /home/knoppix/.ssh/id_dsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
>>> debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
>>> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
>>> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
>>> debug1: Enabling compatibility mode for protocol 2.0
>>> debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug1: kex: server->client aes128-ctr hmac-md5 none
>>> debug1: kex: client->server aes128-ctr hmac-md5 none
>>> debug1: sending SSH2_MSG_KEX_ECDH_INIT
>>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>>> debug1: Server host key: ECDSA ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
>>> debug1: Host '<fully qualified domain name>' is known and matches the ECDSA host key.
>>> debug1: Found key in /home/knoppix/.ssh/known_hosts:29
>>> debug1: ssh_ecdsa_verify: signature correct
>>> debug1: SSH2_MSG_NEWKEYS sent
>>> debug1: expecting SSH2_MSG_NEWKEYS
>>> debug1: SSH2_MSG_NEWKEYS received
>>> debug1: Roaming not allowed by server
>>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>> debug1: Authentications that can continue: publickey,password
>>> debug1: Next authentication method: publickey
>>> debug1: Trying private key: /home/knoppix/.ssh/id_rsa
>>> debug1: Trying private key: /home/knoppix/.ssh/id_dsa
>>> debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
>>> debug1: Next authentication method: password
>>> <username>@<domainname>@<fully qualified domain name>'s password:
>>> Connection closed by <ip address>
>>>
>>> Does anyone have thoughts on this?
>>>
>>> Thanks.
>>>
>>> The information in this e-mail is intended only for the person to whom it is
>>> addressed. If you believe this e-mail was sent to you in error and the e-mail
>>> contains patient information, please contact the Partners Compliance HelpLine at
>>> http://www.partners.org/complianceline . If the e-mail was sent to you in error
>>> but does not contain patient information, please contact the sender and properly
>>> dispose of the e-mail.
> As Sumit has said, this should be on the sssd mailing list.
> From your log fragment, it looks like you have the winbind and ldap PAM
> packages installed, you do not need them.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

I am not entirely sure, what I can say is that you are using three different methods of authentication, winbindd, ldap and sssd, surely you don't need all three ?
If you decide to use sssd, then ask on their mailing list what sssd packages you need and what you should remove.
If you decide to use LDAP, then this probably entails using nslcd, find their mailing list and ask them.
If you decide to use winbindd (the Samba recommended way), then this is the place to ask and I would suggest you have a look here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
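The two auth.log excerpts in this thread show two different failures: in the first, sshd reports an "invalid user" because no NSS source could resolve the name before PAM ever ran; in the second, pam_winbind grants access but the session opens and closes in the same second. The triage script below is an added example, not code from the thread; it groups sshd lines by PID, records which PAM module rejected or granted, and classifies the outcome. The sample log lines are constructed from the placeholders in the posts (domain EXAMPLE, user jdoe, 192.0.2.10).

```python
"""Triage sshd/PAM lines from auth.log: which PAM module decided the login and
whether the session survived. Added example, not from the thread; the sample
lines are constructed from the placeholders in the posts (EXAMPLE, jdoe)."""
import re

# Constructed sample 1: the winbind-only attempt. pam_winbind grants access,
# yet the session closes within the same second (the /bin/false symptom).
LOG_WINBIND_ONLY = """\
Jun 10 12:44:00 srv sshd[13560]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.org user=jdoe@EXAMPLE.ORG
Jun 10 12:44:00 srv sshd[13560]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 10 12:44:00 srv sshd[13560]: pam_winbind(sshd:auth): user 'EXAMPLE\\jdoe' granted access
Jun 10 12:44:00 srv sshd[13560]: Accepted password for jdoe@EXAMPLE.ORG from 192.0.2.10 port 54879 ssh2
Jun 10 12:44:00 srv sshd[13560]: pam_unix(sshd:session): session opened for user EXAMPLE\\jdoe by (uid=0)
Jun 10 12:44:00 srv sshd[13560]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Jun 10 12:44:00 srv sshd[13560]: pam_mkhomedir(sshd:session): unknown option: umask
Jun 10 12:44:00 srv sshd[13560]: pam_mkhomedir(sshd:session): unknown option: 0022
Jun 10 12:44:00 srv sshd[13608]: Received disconnect from 192.0.2.10: disconnected by user
Jun 10 12:44:00 srv sshd[13560]: pam_unix(sshd:session): session closed for user EXAMPLE\\jdoe
"""

# Constructed sample 2: the first attempt, with pam_unix, pam_winbind, pam_sss
# and pam_ldap all stacked; sshd never even resolves the user through NSS.
LOG_THREE_STACKS = """\
Jun 10 07:10:50 srv sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.org user=jdoe@example.org
Jun 10 07:10:51 srv sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
Jun 10 07:10:51 srv sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.org user=jdoe@example.org
Jun 10 07:10:51 srv sshd[7419]: pam_sss(sshd:auth): received for user jdoe@example.org: 17 (Failure setting user credentials)
Jun 10 07:10:51 srv sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
Jun 10 07:10:51 srv sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jun 10 07:10:53 srv sshd[7419]: Failed password for invalid user jdoe@example.org from 192.0.2.10 port 49847 ssh2
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_RE = re.compile(r"^(?P<module>pam_\w+)\(sshd:(?P<stage>\w+)\): (?P<text>.*)$")


def new_session():
    return {"granted_by": None, "rejected_by": [], "accepted": False, "failed": False,
            "invalid_user": False, "session_opened": False, "session_closed": False,
            "session_warnings": []}


def triage(log_text):
    """Group sshd lines by PID and record what each PAM module reported."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an sshd line
        s = sessions.setdefault(m.group("pid"), new_session())
        msg = m.group("msg")
        pm = PAM_RE.match(msg)
        if pm:
            module, stage, text = pm.group("module", "stage", "text")
            if stage == "auth":
                if "granted access" in text:
                    s["granted_by"] = module
                elif "authentication failure" in text and module not in s["rejected_by"]:
                    s["rejected_by"].append(module)
            elif stage == "session":
                if "session opened" in text:
                    s["session_opened"] = True
                elif "session closed" in text:
                    s["session_closed"] = True
                elif "Failed" in text or "unknown option" in text:
                    s["session_warnings"].append(f"{module}: {text}")
        elif msg.startswith("pam_ldap:"):
            # pam_ldap logs without the (sshd:stage) tag; a failed bind is a rejection
            if "Can't contact" in msg and "pam_ldap" not in s["rejected_by"]:
                s["rejected_by"].append("pam_ldap")
        elif msg.startswith("Accepted "):
            s["accepted"] = True
        elif msg.startswith("Failed password"):
            s["failed"] = True
            # sshd writes "invalid user" when NSS could not resolve the name at all
            s["invalid_user"] = "invalid user" in msg
    return sessions


def verdict(s):
    """Classify one PID's lines into a short code and a plain-language hint."""
    if s["accepted"] and s["session_opened"] and s["session_closed"]:
        return ("auth-ok-session-closed",
                f"granted by {s['granted_by']} (a pam_unix failure before that is normal "
                "for a domain user); session opened and closed at once, so check the "
                "shell and home directory getent returns and the session modules: "
                + "; ".join(s["session_warnings"]))
    if s["failed"] and s["invalid_user"]:
        return ("nss-unknown-user",
                "NSS could not resolve the user (check nsswitch.conf and getent passwd); "
                "modules that also rejected: " + ", ".join(s["rejected_by"]))
    if s["failed"]:
        return ("auth-failed", "password rejected by " + ", ".join(s["rejected_by"]))
    return ("incomplete", "no authentication outcome logged for this PID")


if __name__ == "__main__":
    for pid, s in triage(LOG_WINBIND_ONLY).items():
        print(pid, *verdict(s), sep=": ")
```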
Data Control Systems - Mike Elkevizth
2016-Jun-10 17:40 UTC
[Samba] Problem with Active Directory authentication
Hi,

What version of Samba are you running (samba --version)? Some of the smb.conf parameters have changed in more recent versions. I'm running the standard version supplied with Ubuntu which is currently 4.3.9. My configuration on member servers is as follows:

[global]
# Base options
workgroup = <NETBIOS DOMAIN>
realm = <AD DOMAIN>
netbios name = <THIS MACHINE'S NETBIOS NAME>
security = ADS

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 3000000-3999999

# idmap config for domain <NETBIOS DOMAIN>
idmap config <NETBIOS DOMAIN>:backend = ad
idmap config <NETBIOS DOMAIN>:schema_mode = rfc2307
idmap config <NETBIOS DOMAIN>:range = 10000-20000

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes

# Log options
log level = 1

I think it looks like your real issue now is the /bin/false shell, which is the default if it isn't specifically set. The newer way to set the shell is using rfc2307 attributes. See https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC. With a configuration similar to mine, and the correct shell set up in the rfc2307 attributes for the user, I think you'll be all set.

Mike E.

On Fri, Jun 10, 2016 at 12:50 PM Kaplan, Andrew H. <AHKAPLAN at partners.org> wrote:
> Hello --
>
> I removed the ldap and sssd packages from the server, and I am trying to
> get winbind to work on the system.
On 10/06/16 17:49, Kaplan, Andrew H. wrote:

Try looking here for info on how to set up a domain member:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

I know it works, because it is based on my smb.conf.

I also have this line in smb.conf: 'winbind use default domain = yes'

This means I don't have to use the domain name; when I ssh into the DC, I just do this:

rowland at debnet:~$ ssh rowland at dc1
rowland at dc1's password:
Linux dc1 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-1 (2016-03-06) x86_64

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 10 18:44:25 2016 from debnet.samdom.example.com

I have never been able to login using the user's UPN; I have a feeling the code to do this just isn't there.

Rowland
Kaplan, Andrew H.
2016-Jun-10 18:11 UTC
[Samba] Problem with Active Directory authentication
Hello --

The version of Samba that I am running on the server is the 4.3.9 Ubuntu package. To that end, I reconfigured the smb.conf file to reflect the entries listed in your e-mail.

I added the syntax:

default shell = /bin/bash

to the smb.conf file, and restarted the samba and winbind daemons. Unfortunately, the getent passwd command indicated the /bin/false shell was still the default.

What else do I need to do in order to correct this?

________________________________
From: Data Control Systems - Mike Elkevizth [mike at datacontrolsystems.com]
Sent: Friday, June 10, 2016 1:40 PM
To: Kaplan, Andrew H.; samba at lists.samba.org
Cc: Rowland penny
Subject: Re: [Samba] Problem with Active Directory authentication

Hi,

What version of Samba are you running (samba --version)? Some of the smb.conf parameters have changed in more recent versions. I'm running the standard version supplied with Ubuntu, which is currently 4.3.9.

My configuration on member servers is as follows:

[global]
# Base options
workgroup = <NETBIOS DOMAIN>
realm = <AD DOMAIN>
netbios name = <THIS MACHINE'S NETBIOS NAME>
security = ADS

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 3000000-3999999

# idmap config for domain <NETBIOS DOMAIN>
idmap config <NETBIOS DOMAIN>:backend = ad
idmap config <NETBIOS DOMAIN>:schema_mode = rfc2307
idmap config <NETBIOS DOMAIN>:range = 10000-20000

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes

# Log options
log level = 1

I think it looks like your real issue now is the /bin/false shell, which is the default if it isn't specifically set. The newer way to set the shell is using rfc2307 attributes. See https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC.
With a configuration similar to mine, and the correct shell set up in the rfc2307 attributes for the user, I think you'll be all set.

Mike E.

On Fri, Jun 10, 2016 at 12:50 PM Kaplan, Andrew H. <AHKAPLAN at partners.org> wrote:

________________________________
From: Data Control Systems - Mike Elkevizth [mike at datacontrolsystems.com]
Sent: Friday, June 10, 2016 10:45 AM
To: Kaplan, Andrew H.; samba at lists.samba.org
Cc: Rowland penny
Subject: Re: [Samba] Problem with Active Directory authentication

Hi,

I have a feeling that Rowland is correct that all the different authentication methods are interfering with one another. I can say all I have is winbind and it works fine for me.

My relevant pam-auth-update modules are:

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login

My relevant excerpt from /etc/nsswitch.conf is:

passwd: compat winbind
group: compat winbind

If your smb.conf file includes "template shell = /bin/bash" as you indicated earlier, but your getent passwd is returning /bin/PHSshell instead, I think the information is being returned by a service other than winbind. Depending on how pam is configured, generally the order listed when you run pam-auth-update will be the order in which the services are tried. So the first one listed there is probably the one returning the info to getent passwd.

I also know that my ssh (Ubuntu 16.04 client and server) doesn't like the username in the format <username>@<domainname>, and this isn't the format in which winbind would return the information, at least not by default. For me, getent passwd <username>@<domainname> would return the user as <domainname>\<username>.

I would try running pam-auth-update and disabling the LDAP and SSSD authentication methods and see if getent passwd returns different info.

Your first post looked to me like the authentication was succeeding, but then the shell was wrong and so you were immediately logged out. Like you mentioned in a previous post, the /bin/PHSshell is probably one of the issues, because it probably doesn't exist. A link from /bin/PHSshell to /bin/bash would fix this, but more than likely it is a configuration issue that is returning the wrong shell in the first place. Is PHS your netbios domain name?
If it is, it's probably the LDAP or SSSD configuration that is returning the shell using a substitution that isn't set up correctly.

Good luck,
Mike E.

On Fri, Jun 10, 2016 at 10:14 AM Rowland penny <rpenny at samba.org> wrote:

On 10/06/16 13:46, Kaplan, Andrew H. wrote:
> Hello --
>
> The winbind packages that are installed on the server are the following:
>
> Package           Version                       Architecture  Description
> libnss-winbind    4.3.9+dfsg-0ubuntu0.14.04.3   amd64         Samba nameservice integration plugins
> libpam-winbind    4.3.9+dfsg-0ubuntu0.14.04.3   amd64         Windows domain authentication integration plugin
> libwbclient0      4.3.9+dfsg-0ubuntu0.14.04.3   amd64         Samba winbind client library
> winbind           4.3.9+dfsg-0ubuntu0.14.04.3   amd64         service to resolve user and group information from Windows NT servers
>
> Similarly, the ldap PAM packages are as follows:
>
> Package           Version                       Architecture  Description
> ldap-auth-client  0.5.3                         all           meta-package for LDAP authentication
> ldap-auth-config  0.5.3                         all           Config package for LDAP authentication
> ldap-utils        2.4.31-1+nmu2ubuntu8.2        amd64         OpenLDAP utilities
> libldap-2.4-2     2.4.31-1+nmu2ubuntu8.2        amd64         OpenLDAP libraries
> libldb1           1.1.24-0ubuntu0.14.04.1       amd64         LDAP-like embedded database - shared library
> libnss-ldap       264-2.2ubuntu4.14.04.1        amd64         NSS module for using LDAP as a naming service
> libpam-ldap       184-8.5ubuntu3                amd64         Pluggable Authentication Module for LDAP
> sssd-ldap         1.11.5-1ubuntu3               amd64         System Security Services Daemon -- LDAP back end
>
> Finally, the sssd packages are the following:
>
> Package           Version                       Architecture  Description
> libsss-idmap0     1.11.5-1ubuntu3               amd64         ID mapping library for SSSD
> sssd              1.11.5-1ubuntu3               amd64         System Security Services Daemon -- metapackage
> sssd-ad           1.11.5-1ubuntu3               amd64         System Security Services Daemon -- Active Directory back end
> sssd-ad-common    1.11.5-1ubuntu3               amd64         System Security Services Daemon -- PAC responder
> sssd-common       1.11.5-1ubuntu3               amd64         System Security Services Daemon -- common files
> sssd-ipa          1.11.5-1ubuntu3               amd64         System Security Services Daemon -- IPA back end
> sssd-krb5         1.11.5-1ubuntu3               amd64         System Security Services Daemon -- Kerberos back end
> sssd-krb5-common  1.11.5-1ubuntu3               amd64         System Security Services Daemon -- Kerberos helpers
> sssd-ldap         1.11.5-1ubuntu3               amd64         System Security Services Daemon -- LDAP back end
> sssd-proxy        1.11.5-1ubuntu3               amd64         System Security Services Daemon -- proxy back end
> sssd-tools        1.11.5-1ubuntu3               amd64         System Security Services Daemon -- tools
>
> Will removing all packages for the first two groups solve this problem?
>
> From: samba [samba-bounces at lists.samba.org] on behalf of Rowland penny [rpenny at samba.org]
> Sent: Friday, June 10, 2016 8:29 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problem with Active Directory authentication
>
> On 10/06/16 12:47, Kaplan, Andrew H. wrote:
>> Hello --
>>
>> I started a thread on the list that you suggested in your e-mail, and thank you for the reference.
>>
>> Also, I checked the auth.log file on the server, and the following entries were present:
>>
>> Jun 10 07:10:50 <samba server> sshd[7419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=<username>@<domainname>
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): getting password (0x00000388)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_winbind(sshd:auth): pam_get_item returned a password
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<fqdn> user=username>@<domainname>
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_sss(sshd:auth): received for user username>@<domainname> 17 (Failure setting user credentials)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: reconnecting to LDAP server...
>> Jun 10 07:10:51 <samba server> sshd[7419]: pam_ldap: ldap_simple_bind Can't contact LDAP server
>> Jun 10 07:10:53 <samba server> sshd[7419]: Failed password for invalid user username>@<domainname>from <ip address> port 49847 ssh2
>>
>>
>> ________________________________________
>> From: Sumit Bose [sbose at redhat.com]
>> Sent: Friday, June 10, 2016 4:44 AM
>> To: Kaplan, Andrew H.
>> Cc: samba-technical at lists.samba.org; samba at lists.samba.org
>> Subject: Re: Problem with Active Directory authentication
>>
>> On Wed, Jun 08, 2016 at 07:46:00PM +0000, Kaplan, Andrew H. wrote:
>>> Hello --
>>>
>>> We are running the 14.04.3 LTS 64-bit release as a virtual machine on a Vmware appliance. The goal of the installation is to create a Samba server that utilizes Active Directory authentication. To that end I utilized the following procedure:
>>>
>>> http://www.kiloroot.com/add-ubuntu-14-04-server-or-desktop-to-microsoft-active-directory-domain-login-to-unity-with-domain-credentials/
>>>
>>> Afterwards, I referenced the following documentation to confirm that all configuration files had the appropriate entries:
>>>
>>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html
>>
>> The sssd-users list
>> https://lists.fedorahosted.org/archives/list/sssd-users at lists.fedorahosted.org/
>> might be more appropriate for your question.
>>
>> As a general comment, the PAM configuration is important here. Please
>> check in the system logs which PAM module was consulted during the login
>> attempt and which caused the rejection.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>> The problem is the following: I am unable to log into the server from the console or via SSH using my Active Directory user account. The syntax that I use when doing an SSH connection is the following:
>>>
>>> ssh -v -l <username>@<domainname> <fully qualified domain name>
>>>
>>> The output that was generated is the following:
>>>
>>> OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1e 11 Feb 2013
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>>> debug1: Connecting to <fully qualified domain name> [<ip address>] port 22.
>>> debug1: Connection established.
>>> debug1: identity file /home/knoppix/.ssh/id_rsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_rsa-cert type -1
>>> debug1: identity file /home/knoppix/.ssh/id_dsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_dsa-cert type -1
>>> debug1: identity file /home/knoppix/.ssh/id_ecdsa type -1
>>> debug1: identity file /home/knoppix/.ssh/id_ecdsa-cert type -1
>>> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
>>> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH*
>>> debug1: Enabling compatibility mode for protocol 2.0
>>> debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug1: kex: server->client aes128-ctr hmac-md5 none
>>> debug1: kex: client->server aes128-ctr hmac-md5 none
>>> debug1: sending SSH2_MSG_KEX_ECDH_INIT
>>> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>>> debug1: Server host key: ECDSA ec:09:c1:bc:d0:11:f3:8c:45:3f:dd:3a:96:ba:2a:17
>>> debug1: Host '<fully qualified domain name>' is known and matches the ECDSA host key.
>>> debug1: Found key in /home/knoppix/.ssh/known_hosts:29
>>> debug1: ssh_ecdsa_verify: signature correct
>>> debug1: SSH2_MSG_NEWKEYS sent
>>> debug1: expecting SSH2_MSG_NEWKEYS
>>> debug1: SSH2_MSG_NEWKEYS received
>>> debug1: Roaming not allowed by server
>>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>> debug1: Authentications that can continue: publickey,password
>>> debug1: Next authentication method: publickey
>>> debug1: Trying private key: /home/knoppix/.ssh/id_rsa
>>> debug1: Trying private key: /home/knoppix/.ssh/id_dsa
>>> debug1: Trying private key: /home/knoppix/.ssh/id_ecdsa
>>> debug1: Next authentication method: password
>>> <username>@<domainname>@<fully qualified domain name>'s password:
>>> Connection closed by <ip address>
>>>
>>> Does anyone have thoughts on this?
>>>
>>> Thanks.
>>>
>
> As Sumit has said, this should be on the sssd mailing list.
> From your log fragment, it looks like you have the winbind and ldap PAM
> packages installed, you do not need them.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

I am not entirely sure; what I can say is that you are using three different methods of authentication, winbindd, ldap and sssd. Surely you don't need all three?

If you decide to use sssd, then ask on their mailing list what sssd packages you need and what you should remove.
If you decide to use LDAP, then this probably entails using nslcd; find their mailing list and ask them.
If you decide to use winbindd (the Samba recommended way), then this is the place to ask and I would suggest you have a look here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Rowland