Wayne Pascoe
2004-Nov-05 10:12 UTC
[Samba] Using winbind authentication with Windows 2003 AD - SSH login failures
Hi all,

I have been trying to set up authentication of users on a Linux server against Windows Server 2003 using winbind.

I am at the point where an

    su - ADUSERNAME

works, but sshing as that user still doesn't work.

When I try to ssh as an AD user as follows:

    ssh -l "RILINUX+testuser" server.domain.com

I get the following output in /var/log/messages:

    server pam_winbind[5906]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER
    server sshd(pam_unix)[5906]: check pass; user unknown
    server sshd(pam_unix)[5906]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=server.domain.com

At the same time, I see this Failure Audit in the Security section of Event Viewer on the AD server:

    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: NOUSER
    Source Workstation: \\LONLT-SVR9
    Error Code: 0xC0000064

I then changed my setup to use "winbind use default domain = yes" and tried with

    ssh -l testuser server.domain.com

I got the same result as when using the DOMAIN+user syntax.

wbinfo -u shows this test user in the list.

My smb.conf is as follows:

    [global]
    workgroup = MYADDOMAIN
    netbios name = servername
    winbind separator = +
    winbind use default domain = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/bash

    security = ads
    encrypt passwords = yes
    realm = MYKERBEROSREALM.COM
    password server = 10.xxx.xxx.xxx

My various PAM configs are as follows:

/etc/pam.d/login

    auth required pam_securetty.so
    auth sufficient pam_winbind.so
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    account sufficient pam_winbind.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth
    session optional pam_console.so

/etc/pam.d/sshd

    auth required pam_stack.so service=system-auth
    auth sufficient pam_winbind.so
    auth required pam_nologin.so
    account sufficient pam_winbind.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth
    session required pam_limits.so
    session optional pam_console.so

I'm using Red Hat EL AS 3, which I believe tries to centralise most of this in system-auth, and this is what I have there:

    auth required /lib/security/$ISA/pam_env.so
    auth sufficient /lib/security/$ISA/pam_winbind.so
    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth required /lib/security/$ISA/pam_deny.so

    account sufficient /lib/security/$ISA/pam_winbind.so
    account required /lib/security/$ISA/pam_unix.so

    password required /lib/security/$ISA/pam_cracklib.so retry=3 type
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password required /lib/security/$ISA/pam_deny.so

    session required /lib/security/pam_mkhomedir.so skel=/etc/skel/
    session required /lib/security/$ISA/pam_limits.so
    session required /lib/security/$ISA/pam_unix.so

I'm not sure if this is related to my problem, but I see quite a few of the following messages in the Security section of Event Viewer:

    Pre-authentication failed:
    User Name: servername$
    User ID: MYDOMAIN\servername$
    Service Name: krbtgt/MYKERBEROSREALM.COM
    Pre-Authentication Type: 0x0
    Failure Code: 0x19
    Client Address: 10.xxx.xxx.xxx

Can anyone advise how to rectify this problem?

Thanks in advance,

-- 
Wayne Pascoe
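The three sshd lines in /var/log/messages above appear in the order the system-auth stack runs its modules (pam_winbind, then pam_unix, with pam_deny closing the stack). As an added example that is not part of this thread, the following models Linux-PAM control-flag semantics (required, requisite, sufficient, optional) over the sshd and system-auth auth stacks quoted in the post, to show how that configuration reaches its verdict; it assumes pam_stack.so behaves as one module returning its sub-stack's result, and that pam_env and pam_nologin succeed.

```python
# Added example, not from the thread: a simulator of Linux-PAM control-flag
# semantics applied to the sshd and system-auth auth stacks quoted above.
from typing import Dict, List, Tuple

# Auth stacks copied from the post (constructed input for this example).
SSHD_AUTH = """auth required pam_stack.so service=system-auth
auth sufficient pam_winbind.so
auth required pam_nologin.so
"""
SYSTEM_AUTH = """auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_winbind.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
"""

def parse_stack(text: str, facility: str = "auth") -> List[Tuple[str, str, str]]:
    """Keep the lines of one facility as (control flag, module basename, args)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == facility:
            rows.append((parts[1], parts[2].rsplit("/", 1)[-1], " ".join(parts[3:])))
    return rows

STACKS = {"sshd": parse_stack(SSHD_AUTH), "system-auth": parse_stack(SYSTEM_AUTH)}

def run_stack(name: str, stacks: Dict[str, list], results: Dict[str, str]) -> str:
    """Walk stack `name`; `results` maps module basename -> 'success'/'failure'.
    Unlisted modules (pam_env, pam_nologin) are assumed to succeed. Simplification:
    pam_stack.so counts as one module whose result is the sub-stack's verdict."""
    failed = False  # set once a 'required' module has failed
    for control, module, args in stacks[name]:
        if module == "pam_stack.so":
            outcome = run_stack(args.split("service=", 1)[1].split()[0], stacks, results)
        else:
            outcome = results.get(module, "success")
        ok = outcome == "success"
        if control == "sufficient" and ok and not failed:
            return "success"   # short-circuit: the rest of the stack never runs
        if control == "requisite" and not ok:
            return "failure"   # immediate failure
        if control == "required" and not ok:
            failed = True      # remembered; the stack keeps going (hence more log lines)
        # 'optional' and a failing 'sufficient' do not change the verdict
    return "failure" if failed else "success"

def ssh_auth_outcome(winbind: str, unix: str) -> str:
    """Verdict of the quoted sshd stack for given pam_winbind / pam_unix results."""
    return run_stack("sshd", STACKS,
                     {"pam_winbind.so": winbind, "pam_unix.so": unix, "pam_deny.so": "failure"})
```

With both pam_winbind and pam_unix failing, as in the logged attempt, pam_deny records the required failure inside system-auth, and the later `auth sufficient pam_winbind.so` in /etc/pam.d/sshd can no longer rescue the login; once winbind resolves and authenticates the user, the sufficient entry in system-auth succeeds and the stack returns immediately.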
John H Terpstra
2004-Nov-05 15:31 UTC
[Samba] Using winbind authentication with Windows 2003 AD - SSH login failures
Wayne,

Precisely what steps did you take to join the Samba server to the ADS?

- John T.
-- 
John H Terpstra, CTO
PrimaStasys Inc.
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.