Hi Bob,
Ah, yes, that's a part I haven't shown. ;-)
First, I suggest reverting back to the original files.
On Debian or Ubuntu, it's not needed to adjust the pam files (manually).
Check the following.
Users and primary group must have a UID/GID.
If you use groups to allow ssh logins, that group needs a GID.
You need to have these installed (I bet you have). ;-)
libnss-winbind
libpam-winbind
dpkg -l |grep winbind
The others needed will be pulled in with apt.
So, since I know your config.
It's all back to original settings..
Run : pam-auth-update
Save, done.
# SSH
Edit : /etc/ssh/sshd_config
# GSSAPI options
# minimal needed.
GSSAPIAuthentication yes
# And I use.
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
# man sshd_config shows what the options do.
# optional, add this part.
# Allow groups ( samba/windows groups )
AllowGroups servers-ssh sshgroup
# servers-ssh is a group in AD, with GID.
# This allows the Windows members to log in with ssh.
# sshgroup, this is a Linux group, with only 2-3 users that are allowed to login,
# and have sudo rights, to be able to maintain the server if the Windows part is down.
# If you restricted the users' homedirs so no admin/root can enter:
# In /etc/krb5.conf add in libdefaults.
# allows/ignores the check on .k5login in the homedir.
ignore_k5login = true
Last, how are you handling remote homedirs, CIFS? NFS?
Or are these locally re-created?
Greetz,
Louis
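
The checks from the reply above as a script, added here as an example and not part of the original mail: it lists active PAM lines left after the "# end of pam-auth-update config" marker (the manual additions to revert) and AllowGroups entries that do not resolve to a GID. The function names and the sample files under $demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): two read-only checks for the steps above.

# Active lines after the "# end of pam-auth-update config" marker are manual
# additions that pam-auth-update does not manage.
pam_manual_lines() {
    awk '
        FNR == 1 { after = 0 }
        /^# end of pam-auth-update config/ { after = 1; next }
        after && !/^[ \t]*(#|$)/ { print FILENAME ": " $0 }
    ' "$@"
}

# AllowGroups entries that do not resolve to a numeric GID.
# $2 (optional): file in "getent group" format; default is the live NSS lookup.
allowgroups_without_gid() {
    conf=$1
    db=${2:-}
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$conf" |
    while read -r grp; do
        if [ -n "$db" ]; then
            gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$db")
        else
            gid=$(getent group "$grp" | cut -d: -f3)
        fi
        case $gid in
            ''|*[!0-9]*) echo "$grp" ;;
        esac
    done
}

# Constructed sample input, so the checks run without touching /etc.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/common-auth" <<'EOF'
auth [success=1 default=ignore] pam_winbind.so krb5_auth try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
# end of pam-auth-update config
auth sufficient pam_winbind.so
EOF
printf 'GSSAPIAuthentication yes\nAllowGroups servers-ssh sshgroup\n' > "$demo/sshd_config"
# Constructed "getent group" output: servers-ssh is missing, so it has no GID.
printf 'sshgroup:x:1001:alice,bob\n' > "$demo/groups"

pam_manual_lines "$demo/common-auth"
allowgroups_without_gid "$demo/sshd_config" "$demo/groups"
```

On a real member server, run pam_manual_lines /etc/pam.d/common-* and allowgroups_without_gid /etc/ssh/sshd_config; empty output from both means nothing was flagged.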
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Robert Wooden via samba
> Sent: Friday 11 September 2020 5:47
> To: SAMBA MailList
> Subject: [Samba] entering password twice
>
> I might be asking this question the incorrect group but, here goes.
>
> I have successfully added a Debian 10 member (workstation) and made the
> /etc/pam.d files adjustments per the Debianwiki page
> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory and Debian
> is allowing me to login with AD users and passwords except for one thing. I
> have to enter the password twice to login.
>
> Here are the changed pam_mount files (the red font are the added lines):
>
> root at lws2:~# cat /etc/pam.d/common-account
> #
> SNIPPED FOR BREVITY
> # pam-auth-update(8) for details.
> #
>
> # here are the per-package modules (the "Primary" block)
> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
> account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
> # here's the fallback if no module succeeds
> account requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> account required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
> account sufficient pam_winbind.so
> account required pam_unix.so
>
> root at lws2:~# cat /etc/pam.d/common-auth
> #
> SNIPPED FOR BREVITY
> #
> # pam-auth-update to manage selection of other modules. See
> # pam-auth-update(8) for details.
>
> # here are the per-package modules (the "Primary" block)
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
> auth sufficient pam_winbind.so
> auth sufficient pam_unix.so nullok_secure use_first_pass
> auth required pam_deny.so
>
> root at lws2:~# cat /etc/pam.d/common-session
> #
> SNIPPED FOR BREVITY
> #
> # pam-auth-update to manage selection of other modules. See
> # pam-auth-update(8) for details.
>
> # here are the per-package modules (the "Primary" block)
> session [default=1] pam_permit.so
> # here's the fallback if no module succeeds
> session requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> session required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> session required pam_unix.so
> session optional pam_winbind.so
> session optional pam_systemd.so
> session optional pam_mkhomedir.so
> # end of pam-auth-update config
> session required pam_unix.so
> session required pam_mkhomedir.so umask=0022 skel=/etc/skel
>
> root at lws2:~# cat /etc/pam.d/sudo
> #%PAM-1.0
> #
> Auth sufficient pam_winbind.so
> Auth sufficient pam_unix.so use_first_pass
> Auth required pam_deny.so
>
> @include common-auth
> @include common-account
> @include common-session-noninteractive
>
> The Debian wiki was very brief but, is based on
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto however, the
> Ubuntu wiki referenced some older versions of Ubuntu.
>
> So I made the additions to the end of each file with the exception of the
> /etc/pam.d/sudo file, those additions went in front of the line "@include
> common-auth".
>
> I'm wondering if the simple question, *why am I having to enter the
> password twice?* can be answered here or do I need to head over the Debian
> forum?