I have an interesting situation that I am searching for a solution to. I want to use pam_smb for authenticating SSH connections to a remote server. The Domain Controller I want to authenticate against is a Win NT 4.0 box located on our internal LAN. An idea was given to me to set up an SSH tunnel and forward the relative ports across the internet to a local machine.

All of my machines are RedHat Linux. Some are 6.2, others are 7.0. I have set up SSH to work without passwords. I am trying all of this from a bash shell for now. I will automate it when the time comes.

I open the SSH tunnel to a Linux box on my LAN:

    [root@remote /]# ssh -L137:nt4.domain.com:137 -L138:nt4.domain.com:138 -L139:nt4.domain.com:139 linux.domain.com

Now, if I execute:

    [root@remote /]# smbclient -U user -L NT4 -I 127.0.0.1

where NT4 is the NetBIOS name of the NT domain controller, I get:

    SSL: Error error setting CA cert locations: error:00000000::lib(0) :func(0) :reason(0)
    trying default locations.
    added interface ip=xxx.xxx.xxxx bcast=xxx.xxx.xxx.xxx nmask=255.255.255.192
    Password:
    Domain=[COMPANY] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]

        Sharename      Type      Comment
        ---------      ----      -------
        NETLOGON       Disk      Logon server share
        ADMIN$         Disk      Remote Admin
        IPC$           IPC       Remote IPC
        HP2000C        Printer   HP 2000C Printer
        C$             Disk      Default share
        E$             Disk      Default share
        FP-D250        Printer   Panasonic FP-D250
        print$         Disk      Printer Drivers
        Archives       Disk

        Server               Comment
        ---------            -------
        GKOPP
        NT4
        SCANSTATION          scanner computer

        Workgroup            Master
        ---------            -------
        COMPANY              NT4

So, it would appear that the tunnel is indeed working. BUT, I can't seem to get pam_smb to agree.

If I put this into /etc/pam_smb.conf:

    COMPANY
    NT4
    NT4

And this into /etc/pam.d/sshd:

    #%PAM-1.0
    auth       sufficient   /lib/security/pam_stack.so service=system-auth
    auth       required     /lib/security/pam_smb_auth.so debug
    auth       required     /lib/security/pam_nologin.so
    account    required     /lib/security/pam_stack.so service=system-auth
    password   required     /lib/security/pam_stack.so service=system-auth
    session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
    session    required     /lib/security/pam_stack.so service=system-auth
    session    required     /lib/security/pam_limits.so

Authentication fails. Here is a sample of my /var/log/secure:

    Mar 6 16:48:36 ds9 sshd[7007]: pam_smb: Local UNIX username/password check incorrect.
    Mar 6 16:48:36 ds9 sshd[7007]: pam_smb: Configuration Data, Primary NT4, Backup NT4, Domain COMPANY.
    Mar 6 16:48:39 ds9 sshd[7007]: pam_smb: Local UNIX username/password check incorrect.
    Mar 6 16:48:39 ds9 sshd[7007]: pam_smb: Configuration Data, Primary NT4, Backup NT4, Domain COMPANY.

I even tried putting "localhost" and "127.0.0.1" as the primary and/or backup domain controllers. I get the same results.

I know that this works, because I have this working just fine on the Linux box mentioned above that is on our LAN.

I have looked into solutions like PPP over SSH, but I understand that is unstable. IPsec and CIPE appear to be extremely complicated to set up, but may be better solutions in the long run, as I wouldn't mind having the SAMBA shares on remote.company.com show up on the LAN in Network Neighborhood.

I would appreciate any help you might be able to give.

Greg
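
An added example, not part of Greg's post: a probe for the TCP 139 forward, the only one of the three `-L` forwards that carries a TCP service (`ssh -L` forwards TCP connections, while NetBIOS name service on 137 and datagram service on 138 use UDP). It sends the NetBIOS session request with the called name inside the packet, which is why `smbclient -I 127.0.0.1` can reach NT4 through the tunnel. The calling name `REMOTE` is an assumed placeholder.

```python
import socket
import struct

# RFC 1002 negative session response error codes
REASONS = {0x80: "not listening on called name",
           0x81: "not listening for calling name",
           0x82: "called name not present",
           0x83: "insufficient resources",
           0x8F: "unspecified error"}

def encode_name(name, suffix):
    """First-level NetBIOS encoding (RFC 1001): pad to 15 chars, append the
    suffix byte, split each byte into two nibbles and add ord('A') to each."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    enc = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return b"\x20" + enc + b"\x00"   # length byte, 32 encoded chars, root label

def session_request(called, calling):
    """Session request packet: type 0x81, called name <20>, calling name <00>."""
    body = encode_name(called, 0x20) + encode_name(calling, 0x00)
    return struct.pack(">BBH", 0x81, 0, len(body)) + body

def classify(reply):
    """Interpret the first bytes of the session service's answer."""
    if len(reply) < 4:
        return "no session-service reply"
    if reply[0] == 0x82:
        return "positive: called name accepted"
    if reply[0] == 0x83:
        code = reply[4] if len(reply) > 4 else None
        return "negative: " + REASONS.get(code, "unknown error")
    if reply[0] == 0x84:
        return "retarget: server points to another address"
    return "unexpected packet type 0x%02x" % reply[0]

def probe(host, called, calling="REMOTE", port=139, timeout=5.0):
    """Connect to host:port (the local end of the tunnel) and ask for `called`.
    'REMOTE' is a hypothetical calling name, not one taken from the post."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(session_request(called, calling))
        return classify(s.recv(16))

if __name__ == "__main__":
    # 127.0.0.1:139 is the forwarded port from the post; NT4 is its NetBIOS name.
    print(probe("127.0.0.1", "NT4"))
```

A positive reply shows only that the TCP session service answers for that name through the forward; it says nothing about how pam_smb locates the host named in its configuration file.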