Hi, I have some Ubuntu LTS servers running openssh server authenticating to external openldap. I installed a new Ubuntu LTS server with Samba4 to create a domain and is working very well. I managed to make a pfsense firewall authenticate users in this Samba4 ldap. How to make openssh in Ubuntu authenticate users in Samba4 ldap?
Hello Bruno,

On 25.08.2013 09:27, Bruno Vane wrote:
> I have some Ubuntu LTS servers running openssh server authenticating to
> external openldap. I installed a new Ubuntu LTS server with Samba4 to
> create a domain and is working very well. I managed to make a pfsense
> firewall authenticate users in this Samba4 ldap. How to make openssh in
> Ubuntu authenticate users in Samba4 ldap?

Have you already looked here:
http://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Authentication_against_AD
http://wiki.samba.org/index.php/Authenticating_other_services_against_AD#Secure_passwordless_SSH

Regards,
Marc
On 26.08.2013 16:11, Bruno Vane wrote:
> Marc, sorry to bother you with this, but I can not access a SSH server
> using these settings.
> Could you take a look if you have time to find out if my settings are wrong?
>
> When I do a "ssh -l nslcd-connect" (or any other user) to the server, I
> got this in /var/log/auth.log:
>
> Aug 26 11:09:14 ldap sshd[4642]: Invalid user nslcd-connect from MY_MACHINE
> Aug 26 11:09:14 ldap sshd[4642]: input_userauth_request: invalid user nslcd-connect [preauth]
> Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): check pass; user unknown
> Aug 26 11:09:21 ldap sshd[4642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_FQDN
> Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: reconnecting to LDAP server...
> Aug 26 11:09:21 ldap sshd[4642]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Aug 26 11:09:23 ldap sshd[4642]: Failed password for invalid user nslcd-connect from MY_MACHINE port 51004 ssh2
> Aug 26 11:09:25 ldap sshd[4642]: Connection closed by MY_MACHINE [preauth]

You don't connect with the "nslcd-connect" account via ssh to the server. Each user connects with his/her domain account. You need this account (nslcd-connect) in your AD to allow nslcd to connect to your directory (you can give it any name you want, of course), because Samba/AD doesn't allow anonymous bind.

These are the steps you do:
- Create a new account (I named it nslcd-connect) in your AD
- Put the account's DN + password in your nslcd.conf
- Restart nslcd.conf
- Add "ldap" to the following three lines in your /etc/nsswitch.conf (sorry, I forgot this in my previous post):
  passwd: files ldap
  shadow: files ldap
  group: files ldap
- Now you should be able to see all accounts (the local and domain accounts) when you type
  # getent passwd
- If you don't see the domain accounts, add "acl:search = no" to the [global] section of your smb.conf and restart Samba. (Workaround for bug #9788)
- If there's nothing else preventing it (missing home, missing keyfile, etc.), you should now be able to login via ssh by
  # ssh -l {domainusername} {entryservername}
  The domainusername is the attribute that is mapped in nslcd.conf to uid (if you use my nslcd.conf example, the domainusername is what stands in the AD attribute sAMAccountName).

> ============
> This is my samba4 server LDAP test:
> root at samba:~# ldapsearch -U nslcd-connect -h localhost -b DC=corporativo,DC=mydomain,DC=net "cn=nslcd-connect" distinguishedName

If you let ldapsearch search for all attributes mentioned in nslcd.conf (sAMAccountName, unixHomeDirectory, etc.) and you don't get a result for all of them, you need the workaround for bug #9788 (see above) or these attributes are not filled in AD.

I'm currently still working on a HowTo about sssd, nslcd and winbind, which would contain all this in a much more detailed depth. But I had too little time at the moment to finish it yet. Maybe next week it will be done and published in the Wiki.

Regards,
Marc
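The checklist Marc gives above (ldap on the three nsswitch.conf lines, a bind account in nslcd.conf, getent showing the domain accounts, and the two sshd/pam_ldap symptoms in auth.log) can be turned into a small verification script. The following is an added example written for this thread, not code from the list or from the Samba project. It assumes the Ubuntu file locations /etc/nsswitch.conf, /etc/nslcd.conf and /var/log/auth.log, but every function accepts an optional path so it can be run against a copy; the account name nslcd-connect and the sample log lines are the ones quoted in the thread, and the constructed nslcd.conf contents in the comments use placeholder values. It also checks one point the steps imply but do not spell out: nslcd.conf holds the bind password in clear text, so it must not be world-readable.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): verifies the nslcd/NSS/PAM
# wiring described on the list. Ubuntu paths are assumed; each function takes an
# optional file argument so it can be pointed at a copy instead of the live file.

# Return 0 when passwd, shadow and group in nsswitch.conf all list "ldap" as a
# source; otherwise name the first database that does not and return 1.
nsswitch_has_ldap() {
    file="${1:-/etc/nsswitch.conf}"
    for db in passwd shadow group; do
        # matches e.g. "passwd:   files ldap" but not "passwd: compat"
        if ! grep -E "^[[:space:]]*${db}:.*[[:space:]]ldap([[:space:]]|$)" "$file" >/dev/null 2>&1; then
            echo "nsswitch: '$db' does not list ldap in $file"
            return 1
        fi
    done
    return 0
}

# Return 0 when nslcd.conf carries a binddn and bindpw (AD refuses anonymous
# binds, so nslcd needs an account such as nslcd-connect) and the file grants
# "other" no access at all, because bindpw is stored in clear text.
nslcd_conf_ok() {
    file="${1:-/etc/nslcd.conf}"
    grep -Eq '^[[:space:]]*binddn[[:space:]]' "$file" || { echo "nslcd.conf: no binddn"; return 1; }
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$file" || { echo "nslcd.conf: no bindpw"; return 1; }
    # characters 8-10 of "ls -ld" output are the permission bits for "other"
    other=$(ls -ld "$file" | cut -c8-10)
    [ "$other" = "---" ] || { echo "nslcd.conf: readable by others ($other), bind password exposed"; return 1; }
    return 0
}

# Return 0 when NSS resolves the given domain account (i.e. nslcd is answering),
# 1 otherwise. This is the "getent passwd" step from the thread for one user.
domain_user_visible() {
    getent passwd "$1" >/dev/null 2>&1
}

# Scan an auth.log for the two symptoms quoted in the thread and explain each.
# Return 1 if any symptom was seen, 0 if the log is clean.
diagnose_authlog() {
    file="${1:-/var/log/auth.log}"
    found=0
    if grep -q 'sshd\[[0-9]*\]: Invalid user' "$file"; then
        echo "sshd reports 'Invalid user': the name is not resolvable through NSS;"
        echo "  check nsswitch.conf and whether 'getent passwd <user>' returns the account"
        found=1
    fi
    if grep -q "pam_ldap: ldap_simple_bind Can't contact LDAP server" "$file"; then
        echo "pam_ldap cannot reach the directory: check the uri in its config and"
        echo "  that the bind account can connect (test with ldapsearch as in the thread)"
        found=1
    fi
    return $found
}

# Usage: sh check-nslcd.sh <domainusername>   (does nothing when run without arguments)
if [ "$#" -gt 0 ]; then
    nsswitch_has_ldap && echo "nsswitch.conf: ok"
    nslcd_conf_ok && echo "nslcd.conf: ok"
    domain_user_visible "$1" && echo "getent: $1 resolves via NSS" \
        || echo "getent: $1 not visible; try 'acl:search = no' (bug #9788 workaround) and restart Samba"
    diagnose_authlog
fi
```

Run it as root with the domain user name as argument; a failing check prints the reason and the matching step from Marc's list. The nsswitch and nslcd.conf checks are pure file inspection, so they can be run on a configuration copy before touching the live server.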
Marc Muehlfeld
2013-Aug-26 22:12 UTC
[Samba] nslcd / pam_ldap HowTo (was: OpenSSH auth in SAMBA4 LDAP)
On 25.08.2013 09:27, Bruno Vane wrote:
> I have some Ubuntu LTS servers running openssh server authenticating to
> external openldap. I installed a new Ubuntu LTS server with Samba4 to
> create a domain and is working very well. I managed to make a pfsense
> firewall authenticate users in this Samba4 ldap. How to make openssh in
> Ubuntu authenticate users in Samba4 ldap?

As the "Winbind, sshd and nslcd" HowTo I am currently working on is getting longer and longer, I decided to split it into three parts, so it won't get too confusing. Also then I can publish the already finished and validated nslcd part. And here it is:
https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

@Bruno: This HowTo should contain all the short information I already gave you here on the list in a more detailed depth.

@All: Feel free to give comments. Or let me know if something is missing/wrong.

Regards,
Marc