Wayne Pascoe
2004-Nov-05 10:12 UTC
[Samba] Using winbind authentication with Windows 2003 AD - SSH login failures
Hi all,
I have been trying to setup authentication of users on a Linux server
against Windows server 2003 using winbind.
I am at the point where an
su - ADUSERNAME
works, but sshing as that user still doesn't work.
When I try to ssh as an AD user as follows:
ssh -l "RILINUX+testuser" server.domain.com
I get the following output in /var/log/messages:
server pam_winbind[5906]: request failed: No such user, PAM error was
10, NT error was NT_STATUS_NO_SUCH_USER
server sshd(pam_unix)[5906]: check pass; user unknown
server sshd(pam_unix)[5906]: authentication failure; logname= uid=0
euid=0 tty=NODEVssh ruser= rhost=server.domain.com
At the same time, I see this Failure Audit in the Security section of
Event viewer on the AD server:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: NOUSER
Source Workstation: \\LONLT-SVR9
Error Code: 0xC0000064
I then changed my setup to use winbid use default domain = yes and
tried with
ssh -l testuser server.domain.com
I got the same result as when using the DOMAIN+user syntax
wbinfo -u shows this test user in the list.
My smb.conf is as follows:
[global]
workgroup = MYADDOMAIN
netbios name = servername
winbind separator = +
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
security = ads
encrypt passwords = yes
realm = MYKERBEROSREALM.COM
password server = 10.xxx.xxx.xxx
My various pam configs are as follows:
/etc/pam.d/login
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
/etc/pam.d/sshd
auth required pam_stack.so service=system-auth
auth sufficient pam_winbind.so
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
I'm using Red Hat EL AS 3 which I believe tries to centralise most of
this in system-auth, and this is what I have there:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3
typepassword sufficient /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
I'm not sure if this is related to my problem, but I see quite a few
of the following messages in my security section of event viewer:
Pre-authentication failed:
User Name: servername$
User ID: MYDOMAIN\servername$
Service Name: krbtgt/MYKERBEROSREALM.COM
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.xxx.xxx.xxx
Can anyone advise how to rectify this problem ?
Thanks in advance,
--
Wayne Pascoe
John H Terpstra
2004-Nov-05 15:31 UTC
[Samba] Using winbind authentication with Windows 2003 AD - SSH login failures
Wayne, Precisely what steps did you take to join the Samba server to the ADS? - John T. On Friday 05 November 2004 03:10, Wayne Pascoe wrote:> Hi all, > > I have been trying to setup authentication of users on a Linux server > against Windows server 2003 using winbind. > > I am at the point where an > su - ADUSERNAME > works, but sshing as that user still doesn't work. > > When I try to ssh as an AD user as follows: > ssh -l "RILINUX+testuser" server.domain.com > I get the following output in /var/log/messages: > > server pam_winbind[5906]: request failed: No such user, PAM error was > 10, NT error was NT_STATUS_NO_SUCH_USER > server sshd(pam_unix)[5906]: check pass; user unknown > server sshd(pam_unix)[5906]: authentication failure; logname= uid=0 > euid=0 tty=NODEVssh ruser= rhost=server.domain.com > > At the same time, I see this Failure Audit in the Security section of > > Event viewer on the AD server: > Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 > Logon account: NOUSER > Source Workstation: \\LONLT-SVR9 > Error Code: 0xC0000064 > > I then changed my setup to use winbid use default domain = yes and > tried with > ssh -l testuser server.domain.com > I got the same result as when using the DOMAIN+user syntax > > wbinfo -u shows this test user in the list. > > My smb.conf is as follows: > [global] > workgroup = MYADDOMAIN > netbios name = servername > winbind separator = + > winbind use default domain = yes > idmap uid = 10000-20000 > idmap gid = 10000-20000 > winbind enum users = yes > winbind enum groups = yes > template homedir = /home/%U > template shell = /bin/bash > > security = ads > encrypt passwords = yes > realm = MYKERBEROSREALM.COM > password server = 10.xxx.xxx.xxx > > My various pam configs are as follows: > /etc/pam.d/login > auth required pam_securetty.so > auth sufficient pam_winbind.so > auth required pam_stack.so service=system-auth > auth required pam_nologin.so > account sufficient pam_winbind.so > account required pam_stack.so service=system-auth > password required pam_stack.so service=system-auth > session required pam_stack.so service=system-auth > session optional pam_console.so > > /etc/pam.d/sshd > auth required pam_stack.so service=system-auth > auth sufficient pam_winbind.so > auth required pam_nologin.so > account sufficient pam_winbind.so > account required pam_stack.so service=system-auth > password required pam_stack.so service=system-auth > session required pam_stack.so service=system-auth > session required pam_limits.so > session optional pam_console.so > > I'm using Red Hat EL AS 3 which I believe tries to centralise most of > this in system-auth, and this is what I have there: > > auth required /lib/security/$ISA/pam_env.so > auth sufficient /lib/security/$ISA/pam_winbind.so > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok > auth required /lib/security/$ISA/pam_deny.so > > account sufficient /lib/security/$ISA/pam_winbind.so > account required /lib/security/$ISA/pam_unix.so > > password required /lib/security/$ISA/pam_cracklib.so retry=3 > type> password sufficient /lib/security/$ISA/pam_unix.so nullok > use_authtok md5 shadow > password required /lib/security/$ISA/pam_deny.so > > session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ > session required /lib/security/$ISA/pam_limits.so > session required /lib/security/$ISA/pam_unix.so > > > I'm not sure if this is related to my problem, but I see quite a few > of the following messages in my security section of event viewer: > > Pre-authentication failed: > User Name: servername$ > User ID: MYDOMAIN\servername$ > Service Name: krbtgt/MYKERBEROSREALM.COM > Pre-Authentication Type: 0x0 > Failure Code: 0x19 > Client Address: 10.xxx.xxx.xxx > > Can anyone advise how to rectify this problem ? > > Thanks in advance, > > -- > Wayne Pascoe-- John H Terpstra, CTO PrimaStasys Inc. Phone: +1 (650) 580-8668 Author: The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556 Samba-3 by Example, ISBN: 0131472216 Hardening Linux, ISBN: 0072254971 Other books in production.