One step closer...
Indeed I found a configuration parameter in sshd_conf
like this
# Change to no to disable PAM authentication
# ChallengeResponseAuthentication yes
which I uncommented and restarted sshd and winbind
But the result is the same ...
I've tried to log as a domain user even from the console
(so avoiding ssh) and the result (access denied) is the same.
My pam.conf for console login :
login auth sufficient pam_skey.so
login auth sufficient pam_opie.so no_fake_prompts
#this line is added
login auth sufficient /usr/local/lib/pam_winbind.so
#login auth requisite pam_opieaccess.so
login auth requisite pam_cleartext_pass_ok.so
#login auth sufficient pam_kerberosIV.so try_first_pass
#login auth sufficient pam_krb5.so try_first_pass
login auth required pam_unix.so try_first_pass
login account required pam_unix.so
#this line is added
login account sufficient /usr/local/lib/pam_winbind.so
login password required pam_permit.so
login session required pam_permit.so
Thomas
On Thursday 16 June 2005 14:12, you wrote:
> I don't know FreeBSD but on Suse there is a line in /etc/ssh/sshd_config
> that says "UsePAM yes" which has to be uncommented. Also make sure to
> restart sshd and winbind.
>
> romeo
>
> On Thu, 2005-06-16 at 13:41 +0200, Thomas Fazekas wrote:
> > After reading the related chapter in the Samba-3 HOWTO document
> > I've tried to put the AD authentication in place in our network
> > on two systems and I got stuck in exactly the same place.
> > Here are the software configs I was using :
> >
> > Sys 1
> > FreeBSD 4.11 release
> > sshd version OpenSSH_3.5p1 FreeBSD-20030924
> > Samba Version 3.0.10
> >
> > Sys 2
> > FreeBSD 5.4-RELEASE FreeBSD amd64
> > OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e 25 Oct 2004
> > Samba Version 3.0.12
> >
> > I will detail what I did on sys1 (as this one is more urgent and
> > anyway I did the same things on sys2 with exactly the same
> > outcome)
> >
> > My /etc/smb.conf
> > [global]
> > workgroup = OURDOMAIN
> > # strangely, it doesn't like the realm setting
> > #realm = MISSIONCRITICALIT.COM
> > password server = PASSSWD_SERV_IP
> > security = ADS
> > encrypt passwords = yes
> > server string = My Samba Server
> >
> > # separate domain and username with '\', like DOMAIN\username
> > winbind separator = \\
> > # use uids from 10000 to 20000 for domain users
> > idmap uid = 10000-20000
> > # use gids from 10000 to 20000 for domain groups
> > idmap gid = 10000-20000
> > # allow enumeration of winbind users and groups
> > winbind enum users = yes
> > winbind enum groups = yes
> > # give winbind users a real shell (only needed if they have telnet access)
> > template homedir = /home/winnt/%D%U
> > template shell = /usr/local/bin/bash
> >
> >
> > Then I did
> > sudo net join -UAdministrator
> > After providing the right password the answer was :
> > Joined domain OURDOMAIN.
> >
> > Then I modified the /usr/compat/linux/etc/nsswitch.conf file
> > to look like the following :
> > passwd: files winbind
> > shadow: files
> > group: files winbind
> >
> > After starting winbindd with (-d 3 -i) I can now query the
> > user and groups with :
> > wbinfo -u
> > wbinfo -g
> >
> > Both lists seem to be in concordance with what we got on our W2K PDC.
> >
> > However if I do
> > /usr/compat/linux/usr/bin/getent passwd
> > I get only the local password file content, nothing related to the
> > domain... According to the Samba3 HOWTO this should return me info's for
> > users in the domain...
> > What am I doing wrong ?
> >
> > Furthermore I went through this ordeal to allow domain users to
> > authenticate with ssh. So I've modified the /etc/pam.conf file like
> > this (settings for ssh) :
> > sshd auth sufficient pam_skey.so
> > sshd auth sufficient pam_opie.so no_fake_prompts
> > #this line is added by me
> > sshd auth sufficient /usr/local/lib/pam_winbind.so
> > #sshd auth requisite pam_opieaccess.so
> > #sshd auth sufficient pam_kerberosIV.so try_first_pass
> > #sshd auth sufficient pam_krb5.so try_first_pass
> > sshd auth required pam_unix.so try_first_pass
> > sshd account required pam_unix.so
> > #this line is added by me
> > sshd account sufficient /usr/local/lib/pam_winbind.so
> > sshd password required pam_permit.so
> > sshd session required pam_permit.so
> >
> > Now when I try to log in as a domain user via ssh the access is refused
> > and I got this in /var/log/auth.log
> > sshd[1972]: Illegal user usr1 from 10.10.10.201
> > sshd[1972]: Failed unknown for illegal user usr1 from 10.10.10.201 port 55268 ssh2
> >
> > And I get no output at all from winbindd, like the sshd wouldn't even
> > bother to try to authenticate via winbindd...
> >
> > Can anybody help ?