Rowland Penny
2022-Mar-21 19:19 UTC
[Samba] authentication issue moving from Samba 4.11.x to 4.13.14
On Mon, 2022-03-21 at 15:08 -0400, Gaiseric Vandal via samba wrote:
> On 3/21/22 13:38, Rowland Penny via samba wrote:
> > On Mon, 2022-03-21 at 13:17 -0400, Gaiseric Vandal via samba wrote:
> > > LDAP is used for user and group lookups at the Unix/Linux level. This
> > > includes nfs and ssh. The authentication itself is typically
> > > kerberos. Presumably if nsswitch.conf pointed to winbind but not ldap
> > > everything would continue to work.
> > Got to ask this, why are you using ldap for Unix user & group lookups ?
> > I presume that the ldap lookups are searching for RFC2307 attributes,
> > if so, ldap is a bit redundant, your 'ad' backend will use the same IDs
> >
> > While there are numerous superfluous lines in your smb.conf, it is
> > basically sound.
> >
> > Rowland
> >
> A lot of the engineering/scientific software we use runs on Linux. A
> lot of the software development we do is also on Linux, so the focus of
> services on Solaris machines was to support Linux clients first, and
> Windows clients 2nd. I am fairly confident that if I configure
> /etc/nsswitch.conf to use winbind (not ldap) network users and groups
> that ssh login would still work.

I am absolutely positive it will work, it is how I run Samba on Linux.

> but I don't know about NFS (which is dependent on kerberos security.)

This should also work, I do not use NFS, but kerberos works well on
Linux, not sure about Solaris. If this was Debian, I would advise
installing the libnss-winbind, libpam-winbind and libpam-krb5 packages,
does Solaris have similar packages ?

Rowland
Gaiseric Vandal
2022-Mar-22 02:52 UTC
[Samba] authentication issue moving from Samba 4.11.x to 4.13.14
On 3/21/2022 3:19 PM, Rowland Penny via samba wrote:
> On Mon, 2022-03-21 at 15:08 -0400, Gaiseric Vandal via samba wrote:
>> On 3/21/22 13:38, Rowland Penny via samba wrote:
>>> On Mon, 2022-03-21 at 13:17 -0400, Gaiseric Vandal via samba wrote:
>>>> LDAP is used for user and group lookups at the Unix/Linux level. This
>>>> includes nfs and ssh. The authentication itself is typically
>>>> kerberos. Presumably if nsswitch.conf pointed to winbind but not ldap
>>>> everything would continue to work.
>>> Got to ask this, why are you using ldap for Unix user & group lookups ?
>>> I presume that the ldap lookups are searching for RFC2307 attributes,
>>> if so, ldap is a bit redundant, your 'ad' backend will use the same IDs
>>>
>>> While there are numerous superfluous lines in your smb.conf, it is
>>> basically sound.
>>>
>>> Rowland
>>>
>> A lot of the engineering/scientific software we use runs on Linux. A
>> lot of the software development we do is also on Linux, so the focus of
>> services on Solaris machines was to support Linux clients first, and
>> Windows clients 2nd. I am fairly confident that if I configure
>> /etc/nsswitch.conf to use winbind (not ldap) network users and groups
>> that ssh login would still work.
> I am absolutely positive it will work, it is how I run Samba on Linux.
>
>> but I don't know about NFS (which is dependent on kerberos security.)
> This should also work, I do not use NFS, but kerberos works well on
> Linux, not sure about Solaris. If this was Debian, I would advise
> installing the libnss-winbind, libpam-winbind and libpam-krb5 packages,
> does Solaris have similar packages ?
>
> Rowland
>

With /etc/nsswitch.conf set to use

    passwd: files winbind
    group:  files winbind

ssh logins fail, and the log shows the following:

    Mar 21 20:41:00 server1 sshd[28725]: [ID 800047 auth.error] error: PAM: Authentication failed for myname from 192.x.x.x
    Mar 21 20:41:06 server1 sshd[28725]: [ID 720393 auth.error] PAM-KRB5 (setcred): pam_setcred failed for myname (Failure setting user credentials).
    Mar 21 20:43:43 server1 sshd[29042]: [ID 800047 auth.error] error: PAM: User account has expired for myname from 192.x.x.x
    Mar 21 20:43:51 server1 sshd[29046]: [ID 800047 auth.error] error: PAM: User account has expired for myname from 192.x.x.x

You will notice that Solaris 11 does not have a separate shadow entry in
/etc/nsswitch.conf (the shadow functionality is handled by the passwd
entry.) With LDAP, I get

    # getent shadow myname
    myname:*NP*:::::::

But with winbind, "getent shadow myname" doesn't show anything.

I don't have samba running as a domain member on any linux servers yet.
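A pre-flight check in the spirit of the exchange above, added here as an example (it is not code from the thread or from Samba): before pointing nsswitch at winbind on a Solaris 11 style host, confirm that the sources serving the shadow map can still return a record PAM's account check can use. It assumes an nsswitch.conf with no separate "shadow:" line and "getent shadow" output in the "myname:*NP*:::::::" form shown in the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Checks whether the
# shadow map will still be answered once passwd/group move to winbind.
# Assumption: no "shadow:" line in nsswitch.conf, so the passwd sources
# serve shadow lookups (the Solaris 11 behaviour described in the thread).

# Print the sources configured for a database ("passwd", "group",
# "shadow"). With no "shadow:" line, fall back to the passwd sources.
nss_sources() {
    db=$1
    conf=$2
    line=$(grep -E "^[[:space:]]*$db[[:space:]]*:" "$conf" | head -n 1)
    if [ -z "$line" ] && [ "$db" = "shadow" ]; then
        nss_sources passwd "$conf"
        return
    fi
    printf '%s\n' "${line#*:}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 if a "getent shadow" record would pass PAM's account checks:
# it must exist, and the expiry field (8th, days since the epoch) must be
# empty or later than today. An empty record reproduces the winbind
# symptom from the thread (getent prints nothing, sshd logs "expired").
shadow_record_usable() {
    rec=$1
    [ -n "$rec" ] || return 1
    expire=$(printf '%s\n' "$rec" | cut -d: -f8)
    [ -z "$expire" ] && return 0
    today=$(( $(date +%s) / 86400 ))
    [ "$expire" -gt "$today" ]
}

# Combine both: 0 when the record is usable, 1 (with a warning naming the
# sources that answered) when the shadow map cannot supply one.
preflight() {
    conf=$1
    rec=$2
    src=$(nss_sources shadow "$conf")
    if shadow_record_usable "$rec"; then
        return 0
    fi
    echo "WARNING: shadow lookups go to [$src] but returned no usable record;" \
         "PAM account checks will fail" >&2
    return 1
}
```

Run it with the real file and the real record, e.g. `preflight /etc/nsswitch.conf "$(getent shadow myname)"`, before changing the live configuration.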