Kaplan, Andrew H.
2016-Jun-15 12:29 UTC
[Samba] FW: Problem with Active Directory authentication
Sorry about being a pain in the neck about this. The AD authentication at the console, and through SSH to the server is working for one domain user account, but no others. The problem is outlined in the e-mail that I am forwarding to the mailing list.

How can I correct this?

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Kaplan, Andrew H.
Sent: Tuesday, June 14, 2016 10:53 AM
To: Rowland penny; samba at lists.samba.org
Subject: Re: [Samba] Problem with Active Directory authentication

Hello --

I was able to get SSH with Active Directory authentication set up on the server. It involved several modifications to the sshd_config file. I am listing the changes that were made for the benefit of the group:

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

There is one more caveat that I need to overcome. So far, one domain user account is able to log into the server at the console, or through an SSH connection. However, any other user account is not able to do so. When the su - <username> command is entered at the console, the output reads as follows:

No passwd entry for <username>

The auth.log file has entries that read as follows:

Invalid user <username> from <ip address>
input_userauth_request: invalid user <username> [preauth]
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname =uid=0 eudi=0 tty=ssh ruser= rhost=<hostname>

What step(s) do I need to take in order to get all domain user accounts to be able to log into the server, as opposed to only one?

Thanks.
________________________________________
From: samba [samba-bounces at lists.samba.org] on behalf of Rowland penny [rpenny at samba.org]
Sent: Monday, June 13, 2016 4:53 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Problem with Active Directory authentication

On 13/06/16 21:42, Kaplan, Andrew H. wrote:
> Hello --
>
> I have made considerable progress. When I am at the server console, I am able to enter my domain username and password, and I am able to log into the server. I had several follow-up questions:
>
> 1. How can I configure an SSH connection to the server that will utilize the active directory login?

If you mean 'user at samdom.example.com', then I don't think you can, but you can use 'user at hostname'

> 2. When the login completes, I encounter the following error messages:
>
> Unknown parameter encountered: "netbios"
> Ignoring unknown parameter "netbios"
> Unknown parameter encountered: "winbind allow trusted domains"
> Ignoring unknown parameter "winbind allow trusted domains"
>
> I believe these go back to smb.conf file. The lines in question read as follows:
>
> netbios = <hostname>

This should be netbios name = <hostname>

> ...
> winbind allow trusted domains = no

I think this should be 'allow trusted domains = no'

Rowland

> I checked the syntax of the two lines within the file, and everything looked fine.
>
> Does anyone have any thoughts on this?
>
> Thanks.
Rowland penny
2016-Jun-15 12:46 UTC
[Samba] FW: Problem with Active Directory authentication
What does 'getent passwd <username>' show when run on the server?

Rowland
Kaplan, Andrew H.
2016-Jun-15 12:51 UTC
[Samba] FW: Problem with Active Directory authentication
Hello --

When I run the getent passwd <username> for the account that works, I get output listing information about the user. When I run the same command for any other account, there is no output.
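
Added example, not part of any post in this thread: the auth.log lines quoted above ("Invalid user", "user unknown") and the empty getent passwd output both describe an account lookup failure rather than a password failure, so this script pulls the rejected names out of auth.log and repeats the getent passwd check for each one. The sample log lines are constructed, and NSS_LOOKUP is a hypothetical override hook, not an sshd or Samba setting.

```shell
#!/bin/sh
# Added example: match sshd "Invalid user" rejections against NSS lookups.
# NSS_LOOKUP is a hypothetical override hook (for testing); the default is
# the 'getent passwd' check asked for in the thread.
NSS_LOOKUP=${NSS_LOOKUP:-getent passwd}

# Constructed sample auth.log lines: host, PIDs, users and addresses are made up.
sample_log() {
cat <<'EOF'
Jun 15 08:40:01 fileserver sshd[2101]: Invalid user jdoe from 192.0.2.10
Jun 15 08:40:01 fileserver sshd[2101]: input_userauth_request: invalid user jdoe [preauth]
Jun 15 08:40:05 fileserver sshd[2101]: pam_unix(sshd:auth): check pass; user unknown
Jun 15 08:41:12 fileserver sshd[2144]: Invalid user asmith from 192.0.2.11
Jun 15 08:42:30 fileserver sshd[2150]: Failed password for root from 192.0.2.12 port 50022 ssh2
EOF
}

# Print each distinct account name that sshd logged as "Invalid user".
invalid_users() {
    sed -n 's/.*sshd\[[0-9]*\]: Invalid user \([^ ]*\) from .*/\1/p' | sort -u
}

# Report whether the name service switch resolves one account.
nss_status() {
    case "$1" in
        ''|-*) echo "skipped"; return 0 ;;  # names taken from logs are untrusted
    esac
    if $NSS_LOOKUP "$1" >/dev/null 2>&1; then
        echo "resolved"      # a passwd entry exists; the failure is elsewhere
    else
        echo "unresolved"    # same condition as "No passwd entry for <username>"
    fi
}

# Read auth.log on stdin and print "<user> <status>" for each rejected account.
triage() {
    invalid_users | while IFS= read -r user; do
        printf '%s %s\n' "$user" "$(nss_status "$user")"
    done
}

# Demo on the constructed sample; on a server: triage < /var/log/auth.log
sample_log | triage
```
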