Hi

I hope that I am not totally wrong when asking this on a Samba list, but as I followed a tutorial found at the SAMBA wiki I hope I can find someone who is able to help me.

My goal is to set up a server acting as a SAMBA AD Server with single sign on for linux users.
I use a Ubuntu Server 13.10 as the base. On top of this I installed a SAMBA 4.1.2 from GIT, did provisioning, Kerberos installation and so on. This part seems to work. I can connect a Windows 7 Client to the domain and work with MS rsat tools on the SAMBA server.

After that I installed SSSD with
apt-get install sssd sssd-tools
and configured this package as found on
https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
getent passwd and getent group do what they should (after adding posix stuff to groups and users with RSAT)

I did not change anything with any pam configuration as I think that dpkg should do the job when libpam-sss and libnss-sss were installed. Checking /etc/pam.d/* files show more or less the same as shown in the tutorial.

When I try to connect with ssh to the server I can not do this (Permission denied, please try again.). On the server I found in /var/log/auth the following:

Nov 28 12:17:44 ad-server sshd[1770]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=walhalla-2.fritz.box user=administrator
Nov 28 12:17:44 ad-server sshd[1770]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=walhalla-2.fritz.box user=administrator
Nov 28 12:17:44 ad-server sshd[1770]: pam_sss(sshd:auth): received for user administrator: 9 (Authentication service cannot retrieve authentication info)
Nov 28 12:17:46 ad-server sshd[1770]: Failed password for administrator from fd00::ca60:ff:fe14:986f port 57260 ssh2

Does anybody have an idea?

Kind regards
Bernd

On 28/11/13 11:21, Bernd Schuhmacher wrote:
> Hi
>
> I hope that I am not totally wrong when asking this on a Samba list, but
> as I followed a tutorial found at the SAMBA wiki I hope I can find
> someone who is able to help me.
>
> My goal is to set up a server acting as a SAMBA AD Server with single
> sign on for linux users.
> I use a Ubuntu Server 13.10 as the base. On top of this I installed a
> SAMBA 4.1.2 from GIT, did provisioning, Kerberos installation and so on.
> This part seems to work. I can connect a Windows 7 Client to the domain
> and work with MS rsat tools on the SAMBA server.
>
> After that I installed SSSD with
> apt-get install sssd sssd-tools
> and configured this package as found on
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
> getent passwd and getent group do what they should (after adding posix
> stuff to groups and users with RSAT)
>
> I did not change anything with any pam configuration as I think that dpkg
> should do the job when libpam-sss and libnss-sss were installed.
> Checking /etc/pam.d/* files show more or less the same as shown in the
> tutorial.
>
> When I try to connect with ssh to the server I can not do this
> (Permission denied, please try again.). On the server I found in
> /var/log/auth the following:
>
> Nov 28 12:17:44 ad-server sshd[1770]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=walhalla-2.fritz.box user=administrator
> Nov 28 12:17:44 ad-server sshd[1770]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=walhalla-2.fritz.box
> user=administrator
> Nov 28 12:17:44 ad-server sshd[1770]: pam_sss(sshd:auth): received for
> user administrator: 9 (Authentication service cannot retrieve
> authentication info)
> Nov 28 12:17:46 ad-server sshd[1770]: Failed password for administrator
> from fd00::ca60:ff:fe14:986f port 57260 ssh2
>
> Does anybody have an idea?
>
> Kind regards
> Bernd

This could be a sssd problem rather than a samba one. I have never tried to login to my S4 server via ssh as Administrator, so I tried it (note I use winbind on the server)

Nov 28 11:31:10 DC1 sshd[25943]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thinkpad.home.lan user=Administrator
Nov 28 11:31:10 DC1 sshd[25943]: pam_winbind(sshd:auth): getting password (0x00000388)
Nov 28 11:31:10 DC1 sshd[25943]: pam_winbind(sshd:auth): pam_get_item returned a password
Nov 28 11:31:10 DC1 sshd[25943]: pam_winbind(sshd:auth): user 'Administrator' granted access
Nov 28 11:31:10 DC1 sshd[25943]: Accepted password for Administrator from 192.168.0.204 port 40256 ssh2
Nov 28 11:31:10 DC1 sshd[25943]: pam_unix(sshd:session): session opened for user HOME\Administrator by (uid=0)

Try stopping sssd on the server and use winbind instead.

Rowland

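Added example, not part of the thread: the two auth.log excerpts above, grouped per sshd process so that each PAM auth module's outcome sits next to sshd's final verdict. It separates a plain failure (pam_unix on both hosts) from a module that reported a PAM return code (pam_sss, code 9); the function names are chosen for this example, and the sample lines are copied from the thread with their mail wrapping undone.

```python
import re
from collections import defaultdict

# Lines taken from the two auth.log excerpts in the thread (wrapping undone, some omitted).
SAMPLE = """\
Nov 28 12:17:44 ad-server sshd[1770]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=walhalla-2.fritz.box user=administrator
Nov 28 12:17:44 ad-server sshd[1770]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=walhalla-2.fritz.box user=administrator
Nov 28 12:17:44 ad-server sshd[1770]: pam_sss(sshd:auth): received for user administrator: 9 (Authentication service cannot retrieve authentication info)
Nov 28 12:17:46 ad-server sshd[1770]: Failed password for administrator from fd00::ca60:ff:fe14:986f port 57260 ssh2
Nov 28 11:31:10 DC1 sshd[25943]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=thinkpad.home.lan user=Administrator
Nov 28 11:31:10 DC1 sshd[25943]: pam_winbind(sshd:auth): user 'Administrator' granted access
Nov 28 11:31:10 DC1 sshd[25943]: Accepted password for Administrator from 192.168.0.204 port 40256 ssh2
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM = re.compile(r"^(?P<mod>pam_\w+)\(sshd:auth\): (?P<text>.*)$")
CODE = re.compile(r"received for user \S+: (?P<code>\d+) \((?P<reason>.*)\)$")
FINAL = re.compile(r"^(?P<verdict>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)")

def summarize(log_text):
    """Group sshd lines by (host, pid) and record each PAM auth module's outcome."""
    attempts = defaultdict(lambda: {"modules": {}, "verdict": None, "user": None, "src": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        a = attempts[(m["host"], int(m["pid"]))]
        pam, fin = PAM.match(m["msg"]), FINAL.match(m["msg"])
        if pam:
            code = CODE.search(pam["text"])
            if code:  # numeric PAM return value; 9 is PAM_AUTHINFO_UNAVAIL in Linux-PAM
                a["modules"][pam["mod"]] = f"error {code['code']}: {code['reason']}"
            elif "granted access" in pam["text"]:
                a["modules"][pam["mod"]] = "granted"
            elif pam["text"].startswith("authentication failure"):
                # keep an already recorded error code if one was seen first
                a["modules"].setdefault(pam["mod"], "failure")
        elif fin:
            a.update(verdict=fin["verdict"], user=fin["user"], src=fin["src"])
    return dict(attempts)

def backend_errors(attempts):
    """Attempts where a module returned a PAM error code instead of a plain failure."""
    return [(key, mod, res) for key, a in attempts.items()
            for mod, res in a["modules"].items() if res.startswith("error ")]
```
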
On 28/11/13 14:00, Bernd Schuhmacher wrote:
> Hi Rowland
> On 28.11.2013 12:41, Rowland Penny wrote:
> > On 28/11/13 11:21, Bernd Schuhmacher wrote:
> > ....
> >
> > Try stopping sssd on the server and use winbind instead.
> Thanks for going into my problem.
> I tried winbind ... it is even worse now.
> I did the following:
> service sssd stop

Are you sure sssd is stopped?

>
> ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
> ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
>
> ldconfig -v | grep winbind
>
> Output: libnss_winbind.so -> libnss_winbind.so.2

This is what I get.

>
> changed /etc/nsswitch.conf:
>
> ...
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> ...
>
> /usr/localsamba/bin/wbinfo -p
> succeeded
>

OK

> /usr/localsamba/bin/wbinfo -u
> shows everything OK.
>

As it should.

> getent passwd only shows the "normal" unix users. None from the AD :-(
> So I did not go any further....
>
> More ideas?
>

Hmm, I get all the users from AD i.e.

HOME\Administrator:*:0:100::/home/HOME/Administrator:/bin/bash

Does 'getent passwd <a domain user>' return anything?

What OS are you using and just confirm that you are using 64bit

Rowland

> Kind regards
> Bernd
>
> --
> nMedien, Schuhmacher & Schuhmacher GbR
> Donaustraße 4
> 66424 Homburg
> Tel.: 06848/730664
> FAX: 06848/72145
> Email: kontakt at nmedien.de
> Web: http://www.nmedien.de
>

On 28/11/13 14:42, Bernd Schuhmacher wrote:
> Hi
> On 28.11.2013 15:17, Rowland Penny wrote:
>> ...
>>> I tried winbind ... it is even worse now.
>>> I did the following:
>>> service sssd stop
>> Are you sure sssd is stopped?
> ps awux | grep sssd gives only the grep and service sssd status says
> "sssd stop/waiting".
>> ....
>> Does 'getent passwd <a domain user>' return anything?
> No. ATM I only have Administrator as a user and getent passwd
> Administrator gives no answer.
>>
>> What OS are you using and just confirm that you are using 64bit
> It is Ubuntu 13.10 Server, 64 Bit (checked with uname -i)
>
>
> Kind regards
> Bernd
>

OK, you earlier posted that you did this:

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2

Try this:

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

This is what I have on my Linux Mint 13 (aka Ubuntu 12.04) 64 bit server

Rowland
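
Added example, not part of the thread: a check for the symlink question discussed above. For every service named on the passwd and group lines of nsswitch.conf, glibc loads a module called libnss_<service>.so.2, so the check reports services for which no such file (or only a dangling symlink) exists in the given directories. The directory list is an assumption you supply for your own system, the function names are chosen for this example, and demo() builds a constructed temporary tree rather than touching /lib or /lib64.

```python
import os
import re
import tempfile

# The nsswitch.conf lines quoted in the thread.
NSSWITCH = "passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n"

def nss_services(nsswitch_text, databases=("passwd", "group")):
    """Map each requested database to the service names listed for it."""
    out = {}
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        if db.strip() in databases:
            rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop actions like [NOTFOUND=return]
            out[db.strip()] = rest.split()
    return out

def unresolved_modules(nsswitch_text, lib_dirs):
    """Return {service: module filename} for services with no module in lib_dirs."""
    missing = {}
    for services in nss_services(nsswitch_text).values():
        for svc in services:
            name = f"libnss_{svc}.so.2"
            # os.path.exists follows symlinks, so a dangling link counts as missing
            if not any(os.path.exists(os.path.join(d, name)) for d in lib_dirs):
                missing[svc] = name
    return missing

def demo():
    """Constructed tree: compat module in lib/, winbind module only in lib64/."""
    root = tempfile.mkdtemp()
    lib, lib64 = os.path.join(root, "lib"), os.path.join(root, "lib64")
    os.makedirs(lib)
    os.makedirs(lib64)
    open(os.path.join(lib, "libnss_compat.so.2"), "w").close()
    open(os.path.join(lib64, "libnss_winbind.so.2"), "w").close()
    only_lib = unresolved_modules(NSSWITCH, [lib])
    both = unresolved_modules(NSSWITCH, [lib, lib64])
    return only_lib, both

if __name__ == "__main__":
    print(demo())
```
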